Skip to main content

cPanel ModSecurity False Positives & Missing Data...

RyanR
Hi, My server runs the following ModSecurity Rules:
  • Imunify360 LiteSpeed Rule Set (Minimized ModSec Ruleset)
  • COMODO ModSecurity LiteSpeed Rule Set
I had to disable the following rule set because it was causing a LOT off false positives within our WordPress websites, to the extent that we couldn't publish any pages
  • OWASP ModSecurity Core Rule Set V3.0
  • I'd like to be able to re-enable the above ruleset if I could get those false positives fixed with the providers.
I've also had to disable all of the following rules globally:
  • 17350
  • 210380
  • 210492
  • 25178
  • 28292
  • 60050
  • 62100
Most of those were because whenever we published pages with Elementor it was throwing 403 errors... One particular site required the following rules to be disabled because it too was throwing 403 errors when editing pages, this time though it wasn't using Elementor.
  • 941100
  • 941160
How should I report these false positives, and to who? We'd like to get them resolved so we can have the protection of those rules. -------------------------------------------------- All of those above false positives threw up notifications from within /usr/local/apache/logs/modsec_audit.log, however most of them did NOT throw up notifications from within the ModSecurity" Tools "Hits List" page... which made them rather annoying to find and fix. They do however appear in ConfigServer's Security & Firewall plugin, which was better but not perfect. How can I make ModSecurity Tools "Hits List" show all of the notifications? Regards ~ Ryan

Comments

7 comments

Date Votes
  • cPDavidL
    Hello Ryan, Ruleset publishers will have contact instructions for issues with false positives. For Imunify360 rules, contact Imunify360 support There should not be a situation in which the hits are not listed in the UI. Please use the link in my signature to open a ticket with our staff, so we can investigate that condition further.
    0
  • RyanR
    Hi, Did you check your link regarding Comodo? It's for their standalone WAF, not the integrated rulesets within WHM/cPanel. I can't find a report location online without posting to their forums and I would rather not post the contents publically Thanks
    0
  • cPRex Jurassic Moderator
    @RyanR - could you make a ticket with our team so we can check that?
    0
  • RyanR
    @RyanR - could you make a ticket with our team so we can check that?

    Hi Rex, I did submit a ticket and I'm still trying to recreate it because I can't get it to happen again -_-
    0
  • cPRex Jurassic Moderator
    Just like when you take a car to the mechanic............... If you could post the ticket number here I can follow along and make sure this thread stays updated.
    0
  • RyanR
    Just like when you take a car to the mechanic............... If you could post the ticket number here I can follow along and make sure this thread stays updated.

    1. Ticket ID: 94321305 2. Did You/David have a link/resource for submitting to Comodo? I still haven't found one. 3. As for the ModSecurity log issue, it was happening to nearly every single 403 false positive and I was having to search the logs with grep until I found ModSecurity ModSecurity had it's own log reader... I wonder if one of the updates since has fixed it for me.
    0
  • cPRex Jurassic Moderator
    Thanks for providing that ticket number - I'm following along there in case that has any more updates in the future. I'm not seeing a specific point of contact for a ModSec issue on their end when I looked just now. However, they do have a thread here that they are actively monitoring that has been open for several years:
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post