ModSecurity shows server IP as source instead of attacker IP
Hi
I upgraded PHP to 5.5, and after the upgrade I found that ModSecurity shows the server IP as the source of the attack instead of the attacker IP, as it did before the upgrade!
As a result, the CSF firewall is not blocking subsequent attacks,
and CXS is also not blocking the IP after a malicious file upload, and there is no upload IP address shown at all!
What is wrong?
How do I make ModSecurity show the attacker IP instead of the server IP?
Thanks in advance.
Hello, are you running another web server on top of Apache, like Nginx as a proxy?
Yes, there is Nginx as a proxy.
CXS file upload scanning is VERY picky, and if anything is wrong with the configuration it simply allows the file. This is my line in /etc/cxs/cxscgi.sh (only ONE line should be uncommented):
    /usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
You must make the quarantine using the CXS command line utilities. If not, the permissions may be wrong, resulting in every file being approved :/
    cxs -Q /home/quarantine -qcreate
Then simply make sure this is still in your configuration for Apache/ModSecurity:
    SecRule "FILES_TMPNAMES" "@inspectFile /etc/cxs/cxscgi.sh" \
        "log,auditlog,deny,severity:2,id:'1010101'"
Restart Apache and you should be good (well, for upload scanning at least).
I reinstalled Nginx and now ModSecurity catches the attacker IP :) but I don't know why it was the problem, actually! Any idea why Nginx was the problem? Thanks in advance.
Maybe you didn't have mod_rpaf installed on the previous install, hard to say.
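The idea behind the mod_rpaf suggestion above, as an added Python illustration (not code from this thread, mod_rpaf or cPanel): with Nginx proxying to Apache, the TCP peer Apache sees is the server itself, so the client address has to be recovered from X-Forwarded-For, and only when the peer is a known proxy. The function names, the trusted-proxy list and all addresses are constructed for the example.

```python
import ipaddress

# Assumption: nginx runs on the same host and proxies to Apache, so Apache's
# TCP peer is always one of the server's own addresses (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("127.0.0.1/32", "203.0.113.10/32")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, x_forwarded_for=None):
    """Return the address WAF and firewall rules should attribute a request to.

    peer_addr       -- address of the TCP connection Apache accepted
    x_forwarded_for -- raw X-Forwarded-For header value, or None
    """
    # Without a header (or with an untrusted peer) the peer address is all we
    # have. A header from a direct client is attacker-controlled and must not
    # override it, or blocks could be evaded or aimed at someone else.
    if not is_trusted(peer_addr) or not x_forwarded_for:
        return peer_addr
    # Walk right to left: the rightmost entries were appended by our own
    # proxies; the first untrusted hop is the real client.
    client = peer_addr
    for hop in reversed(x_forwarded_for.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        client = hop
        if not is_trusted(hop):
            break
    return client
```

The first case in which the function returns the peer address unchanged is the symptom described in this thread: the proxy is in front, but nothing restores the client address, so every ModSecurity hit is attributed to the server.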
Hello :) It's difficult to pinpoint any specific reason why it works after reinstalling Nginx. Keep in mind that Nginx, though widely utilized, is not supported by cPanel. Thank you.