ModSecurity Tools showing server ip as source ip

Comments

10 comments

  • cPRex Jurassic Moderator
    Hey there! Can you ensure you have mod_remoteip installed on the server? More details on that can be found here:
    0
  • Intekhab
    I had ea-apache24-mod_remoteip installed. But in /etc/apache2/conf.modules.d/370_mod_remoteip.conf I only had the RemoteIPHeader CF-Connecting-IP block. So I added

    RemoteIPHeader X-Forwarded-For
    RemoteIPTrustedProxy server-main-public-ip

    after the CF-Connecting-IP block. Should that be okay? I had %h replaced with %a in one log but not the other. I have now fixed the other one. Restarted Apache. I have not got any new hits in ModSec yet, so I'll check the hit list later. Thanks for your quick support! Btw, I was expecting installing cPanel official nginx will auto take care of the proxy logging issue.
    0
  • cPRex Jurassic Moderator
    Btw, I was expecting installing cPanel official nginx will auto take care of the proxy logging issue.

    It should - when you install Nginx through the cPanel tools, we do also install mod_remoteip. That is noted here:
    0
  • Intekhab
    It's still showing the main server IP. I created a ticket #94481151
    0
  • cPRex Jurassic Moderator
    Thanks for that - I'm following along with that ticket on my end.
    0
  • cPRex Jurassic Moderator
    After much digging, our team found that unique requests coming into the server are working properly, but that the site is making many requests to itself, causing confusion in the logs.
    0
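An added example (not from the thread and not cPanel's tooling) to go with the finding above: a small log-triage script that separates requests the server made to itself from requests by external clients, so self-requests are not mistaken for a mod_remoteip failure. It assumes combined-format access-log lines whose first field is the client address; `classify`, `SERVER_IPS` and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Combined log format; the first field is the client address (%a or %h).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(lines, server_ips):
    """Return (self-originated hits by path, external hits by IP, unparsed count)."""
    own = {ipaddress.ip_address(ip) for ip in server_ips}
    self_hits, external, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(m["client"]) if m else None
        except ValueError:
            addr = None  # hostname or redacted field, not an IP address
        if addr is None:
            unparsed += 1
        elif addr.is_loopback or addr in own:
            self_hits[m["path"]] += 1  # the server talking to itself
        else:
            external[str(addr)] += 1
    return self_hits, external, unparsed

# Constructed sample data using documentation address ranges.
SERVER_IPS = ["198.51.100.5", "198.51.100.6"]  # assumption: every IP bound to the server
SAMPLE = [
    '203.0.113.10 - - [02/Mar/2024:17:53:46 +0100] "GET /gallery/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [02/Mar/2024:17:53:47 +0100] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/6.4"',
    '127.0.0.1 - - [02/Mar/2024:17:53:48 +0100] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/6.4"',
    '198.51.100.6 - - [02/Mar/2024:17:53:49 +0100] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 812 "-" "WordPress/6.4"',
    'IP.VISITOR - - [02/Mar/2024:17:53:52 +0100] "GET /logo.png HTTP/1.1" 404 170 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    self_hits, external, unparsed = classify(SAMPLE, SERVER_IPS)
    print("self-originated:", self_hits.most_common())
    print("external:", external.most_common())
    print("unparsed:", unparsed)
```

Paths that dominate the self-originated counter show which part of the site is calling back into the server; ModSecurity hits attributed to the server IP for those paths are then expected rather than a logging fault.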
  • Pietro Leone

    Hello,

    I have this problem. Is there something we can do?

    Example (Apache logs):

    IP.VISITOR - - [02/Mar/2024:17:53:46 +0100] "GET /rivivi-il-festival-gallery-edizione-2023/_max6881/ HTTP/1.1" 403 166194 "-" "Mozilla/5.0 (compatible; Bytespider; spider-feedback@bytedance.com) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.0.0 Safari/537.36"
    IP.VISITOR - - [02/Mar/2024:17:53:51 +0100] "GET /wp-content/plugins/instagram-feed/img/sbi-sprite.png HTTP/1.1" 404 162170 "https://www.dominio.org/wp-content/plugins/instagram-feed/css/sbi-styles.min.css?ver=6.2.7" "Mozilla/5.0 (compatible; Bytespider; spider-feedback@bytedance.com) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.0.0 Safari/537.36"
    IP.VISITOR - - [02/Mar/2024:17:53:52 +0100] "GET /wp-content/uploads/2016/06/logo-footer.png HTTP/1.1" 404 162170 "https://www.dominio.org/rivivi-il-festival-gallery-edizione-2023/_max6881/" "Mozilla/5.0 (compatible; Bytespider; spider-feedback@bytedance.com) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.0.0 Safari/537.36"
    IP.VISITOR - - [02/Mar/2024:17:53:52 +0100] "GET /wp-content/uploads/2020/07/label-ita.png HTTP/1.1" 404 162170 "https://www.dominio.org/rivivi-il-festival-gallery-edizione-2023/_max6881/" "Mozilla/5.0 (compatible; Bytespider; spider-feedback@bytedance.com) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.0.0 Safari/537.36"
    IP.VISITOR - - [02/Mar/2024:17:53:52 +0100] "GET /wp-content/uploads/2020/07/label-eng.png HTTP/1.1" 404 162170 "https://www.dominio.org/rivivi-il-festival-gallery-edizione-2023/_max6881/" "Mozilla/5.0 (compatible; Bytespider; spider-feedback@bytedance.com) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.0.0 Safari/537.36"
    IP.VISITOR - - [02/Mar/2024:17:53:52 +0100] "GET /wp-content/plugins/instagram-feed/img/placeholder.png HTTP/1.1" 404 162170 "https://www.dominio.org/rivivi-il-festival-gallery-edizione-2023/_max6881/" "Mozilla/5.0 (compatible; Bytespider; spider-feedback@bytedance.com) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.0.0 Safari/537.36"

     

    In ModSec Tools, the source IP shown is an IP from my server... and it is not the account's IP but another, additional IP.

    2024-03-02 17:53:53    www.dominio.org    SOURCE:MYIP        404    
    777777: Spiderbot blocked
    Request:    GET /wp-content/uploads/2020/07/label-ita.png
    Action Description:    Access denied with code 403 (phase 1).
    Justification:    Pattern match "(?:MJ12bot|AhrefsBot!BLEXBot|feed|Barkrowler|DotBot|urllib|YandexMetrika|Lightspeed)" at REQUEST_HEADERS:user-agent.

    It is my custom rule, but this problem occurs with all rules...

    (Yes, I have mod_remoteip.)

    Thanks

     

    0
  • cPRex Jurassic Moderator

    I'm not completely sure what problem you're seeing - that just looks like normal traffic to me.  Are you saying the wrong IP address is showing up in that log file?

    0
  • Pietro Leone

    ModSec Tools shows the IP of my server in the Source column...

    but the connection is made by a web visitor with the visitor's IP.

    Thanks

    0
  • cPRex Jurassic Moderator

    I'm not sure what could be causing that issue based on the description.  Could you submit a ticket to our team so we can take a look?

    0
