
Do you recommend any WAF rule for your server?

Comments

18 comments

  • GOT
    We usually use the Comodo WAF ruleset:
    0
  • tyuuu
    Hi, is Comodo WAF still maintained well? I searched and it seems it hasn't been maintained for a long time. I'm hoping for a ruleset with fewer false positives/negatives, and Imunify360 cannot be used for only its WAF feature. Thanks
    0
  • cPRex Jurassic Moderator
    The last rules update was from November 2020:
    0
  • ciao70
    I can recommend OWASP ModSecurity Core Rule Set (CRS)
    0
  • tyuuu
    Hi, does OWASP ModSecurity Core Rule Set (CRS) have many false positives/negatives for WordPress or other CMSs? Thanks
    0
  • ciao70
    Hi, you can try it and see how it works. :) In case of problems you have the option to exclude the WordPress rules, for example.
    0
  • ITHKBO
    Hi, does OWASP ModSecurity Core Rule Set (CRS) have many false positives/negatives for WordPress or other CMSs? Thanks

    We disable the following rules for WordPress CMS because of numerous false positives:

    949110 General post update issues in conjunction with WP Bakery
    941160 General post update issues in conjunction with WP Bakery
    941100 General post update issues in conjunction with WP Bakery
    980130 Issue with Duplicator backups causing invalid request when downloading files

    We haven't had to disable any others for 500+ CMS clients in 6 or so years. Be sure to check, however, if you have any of these showing up as false positives on your end.
    0
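Added example, not posted by anyone in this thread: how the exclusions ITHKBO lists can be written so they apply only where the false positives occur, rather than switching the rules off for every request. It assumes CRS 3.x, where local rules go into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf and rule ids 10000-10002 are free (both are assumptions; the WordPress paths are the stock ones, the backup path is a placeholder). One caveat worth knowing before copying the list above: in CRS 3.x, 949110 is the inbound anomaly-score blocking rule and 980130 the matching correlation/logging rule, so removing those two globally turns anomaly blocking off for the whole server; the last rule below shows the narrower alternative.

```apache
# Added example (not from this thread). Scoped CRS exclusions for a WordPress
# site, written into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so they run
# before the core rules. Ids 10000-10002 are placeholders: pick ids that do
# not collide with anything else on your server.

# 941100 / 941160 are XSS detection rules. Page builders (WP Bakery in the
# thread) post raw HTML that legitimately trips them, so drop the two rules
# only for POSTs to the WordPress editor endpoints, not for every request.
# The ctl actions sit on the last rule of the chain so they only fire when
# both conditions match.
SecRule REQUEST_URI "@rx ^/wp-admin/(post|admin-ajax)\.php$" \
    "id:10000,\
    phase:1,\
    pass,\
    nolog,\
    chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "ctl:ruleRemoveById=941100,\
        ctl:ruleRemoveById=941160"

# Narrower still: keep both rules active on every parameter except the one
# that carries the post body (ctl:ruleRemoveTargetById=<id>;<target>).
SecRule REQUEST_URI "@rx ^/wp-admin/post\.php$" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941100;ARGS:content,\
    ctl:ruleRemoveTargetById=941160;ARGS:content"

# 949110 (inbound blocking evaluation) and 980130 (correlation) are not
# detection rules; removing them disables CRS blocking entirely. If a plugin
# download (Duplicator in the thread) cannot pass the WAF, bypass it for that
# path only. The path below is a PLACEHOLDER; substitute the plugin's real
# download location.
SecRule REQUEST_URI "@beginsWith /wp-content/PLACEHOLDER-backup-path/" \
    "id:10002,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleEngine=Off"
```

After a change like this, watch the audit log for the same rule ids for a few days: a rule that still fires outside the scoped paths is the signal that the exclusion is too narrow, and a scoped path that stops appearing in the log at all is the signal that it may be too wide.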
  • tyuuu
    Hi, I tried to install OWASP and connect with the IP; the log shows 920350, and I see a lot of connections in the log. Is it normal? Thanks
    0
  • cPRex Jurassic Moderator
    It could be normal for your system. Do you also have mod_security installed? If so, that could be related:
    0
  • tyuuu
    It could be normal for your system. Do you also have mod_security installed? If so, that could be related:
    0
  • cPRex Jurassic Moderator
    Can you post the specific error that rule is triggering so we can see that?
    0
  • tyuuu
    Hi, it is "920350: Host header is a numeric IP address" with the following:

    Request: GET /favicon.ico
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /img-sys/powered_by_cpanel.svg
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /img-sys/server_misconfigured.png
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /img-sys/error-bg-left.png
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /img-sys/server_moved.png
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /img-sys/IP_changed.png
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /cgi-sys/defaultwebpage.cgi
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /favicon.ico
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /cgi-sys/defaultwebpage.cgi
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /cgi-sys/defaultwebpage.cgi
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
    Request: GET /
    Action Description: Access denied with code 200 (phase 2). Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.

    Thanks
    0
  • ciao70
    Hi, it is the function of rule 920350, which signals if you connect to the IP:

    SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
        "id:920350,\
        phase:2,\
        block,\
        t:none,\
        msg:'Host header is a numeric IP address',\
        logdata:'%{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        tag:'PCI/6.5.10',\
        ver:'OWASP_CRS/3.3.2',\
        severity:'WARNING',\
        setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
    0
  • cPRex Jurassic Moderator
    Thanks for the details - it's probably best to just whitelist/remove that rule as you'll get many false positives.
    0
  • ciao70
    We perform a 301 redirect to the domain. The IP shouldn't be used, I guess.
    0
  • tyuuu
    Hi, I know whitelisting/removing that rule will solve my personal issue, but I wonder if some important attack will then not be blocked?
    0
  • tyuuu
    We perform a 301 redirect to the domain. The IP shouldn't be used, I guess.

    Hi, do you mean redirect all IP access to the hostname? Because it is a shared hosting server.
    0
  • ciao70
    Ah OK. We have a dedicated server. If that's a problem for you, in that case you can disable that rule.
    0
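Added example, not posted by anyone in this thread, covering both answers to tyuuu's last question. Every request in the log above is one of cPanel's default-page assets fetched by IP, so the rule can be kept for everything else. Option A is ciao70's redirect for a server with a single canonical hostname; Option B is the shared-hosting alternative, a CRS exclusion that removes 920350 only for those paths. Assumptions: Apache with mod_rewrite, CRS 3.x with local rules in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, a free rule id 10010, and www.example.com as a placeholder hostname.

```apache
# Added example (not from this thread).

# Option A: one canonical hostname. Put this in the default (catch-all)
# vhost so that anything arriving with a bare IP as Host is sent to the
# real site name. The browser then repeats the request with a hostname,
# which 920350 does not match. www.example.com is a placeholder.
RewriteEngine On
RewriteCond %{HTTP_HOST} "^[\d.:\[\]]+$"
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# Option B: shared hosting, where there is no single hostname to redirect
# to. Keep 920350 active but remove it for the current transaction only when
# Host is a numeric IP AND the path is one of cPanel's default-page assets
# (the ones in the log above). Goes in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf; id 10010 is a placeholder.
# The ctl action is on the second rule of the chain so it fires only when
# both conditions match; phase 1 runs before 920350's phase 2.
SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
    "id:10010,\
    phase:1,\
    pass,\
    nolog,\
    chain"
    SecRule REQUEST_URI "@rx ^/(favicon\.ico|img-sys/|cgi-sys/defaultwebpage\.cgi)" \
        "ctl:ruleRemoveById=920350"
```

With Option B, a request that uses a numeric IP as Host for any other path (a scanner walking /wp-login.php by address, for instance) still receives the 920350 warning score, which is the signal the rule exists to give; 920350 alone is a WARNING-level rule, so at the default anomaly threshold it adds to the score rather than blocking by itself.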
