Mod_security is not blocking
Hi, I have a server with WHM and ModSecurity installed ("ConfigServer ModSecurity Control - cmc v3.03").
We discovered that Mod_security is not blocking; it is just saving the data.
root@server:~# grep ' ModSecurity: Access denied' /usr/local/apache/logs/modsec_audit.log | wc -l
0
root@server:~# grep ' ModSecurity: Warning' /usr/local/apache/logs/error_log | wc -l
126525
What could be the cause?
In Home > Security Center > ModSecurity™ Configuration > Configure Global Directives
I have Connections Engine PROCESS THE RULES
Rules Engine: Process the rules.
And in Home > Security Center > ModSecurity™ Vendors > Manage Vendors
I have:
ConfigServer ON
OWASP CRS v3.x for ModSec 2.9 (via pkg) ON
Thanks,
Francisco
-
"Rule 949110 is where the accumulated anomaly score is checked against a threshold, and requests are rejected accordingly. When you disable rule 949110, you are *removing* that logic. All the rules are still being processed, but nothing will ever reject a malicious request."
1 -
Your "ModSecurity Configuration" seems to be correct.
But do check in "ConfigServer ModSecurity Control - cmc v3.03" (first setting) whether the setting is "On" or "Off" ("You can completely disable ModSecurity on the server by setting this to Off and clicking the Select button:")
That's in WHM->Plugins->ConfigServer Modsec Control...
0 -
Hi sierrablue,
In WHM > Home > Plugins > ConfigServer ModSecurity Control it is set to ON. I have changed it to OFF and ON again, but the blocking still doesn't work. I am trying, for example,
https://www.mysite.com/?../../../../etc/passwd and I see it in the log of
"Displaying logs from /etc/apache2/logs/modsec_audit.log", but it doesn't block me.
Another idea?
Thanks,
Francisco
0 -
When you say it's not "blocking" can you be more specific about what you expect to happen versus what is happening? Are you getting a 403 error when you visit that URL?
0 -
Hi! Thanks for your reply.
When I enter any page to test it, it just lets me see the page.
For example, if I enter a website hosted there,
https://www.alipso.com/?../../../../etc/passwd
it shows me the page instead of a 403 error. If I enter the logs inside WHM > Plugins > "ConfigServer ModSecurity Control" > "LOGS" I see my access.
Thanks,
0 -
Thanks for the additional details. When you say "it shows me the page" what page exactly is that? I doubt your sites have a page named passwd, so is it possibly redirecting to something else, and that is causing ModSecurity to not log things properly? I'd at least expect a 404 from the URL you provided.
0 -
These particular ModSecurity OWASP rules will do a 301 to the root page. So it works as it should. If they didn't, you'd get a 404 or it would show https://www.alipso.com/?../../../../etc/passwd if it existed.
0 -
Got it - we'd likely need to see a ticket about why that isn't properly functioning then, as everything seems to be configured normally.
0 -
OK! I have opened a ticket!
Thanks,
Francisco
0 -
Can you post the ticket number here so I can follow along?
0 -
Hi!!
yes :)
#95171187
0 -
Thanks for that - I'm following along with that ticket now!
0 -
It seems there were rules whitelisted on the server that were keeping ModSecurity from working properly, and you confirmed after adjusting those that things are working well. Let us know if you need anything else!
0 -
Hi!
Yes, finally it could be fixed with the help of the cPanel support team. For anyone who ever has this problem: the ModSecurity rule 949110 should not be deactivated, because it is used to block certain attacks with a 403 error. Now I am using it only for specific WordPress pages and not whitelisting it globally in mod_security.
Thanks,
Francisco
0
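As an added check (not code from the thread, cPanel or ConfigServer), the script below automates the two grep counts from the opening post over ModSecurity 2.9 error_log text and attributes each event to its rule id, so a globally whitelisted 949110 shows up as the reason nothing is denied. The log lines and the `_entry` helper are constructed for illustration; the rule ids are standard OWASP CRS v3 ids.

```python
import re
from collections import Counter

# Matches ModSecurity 2.9 error_log entries: the action ("Warning" or
# "Access denied with code NNN") and the rule id that produced the entry.
EVENT_RE = re.compile(
    r'ModSecurity: (?P<action>Warning|Access denied with code (?P<code>\d+))'
    r'.*?\[id "(?P<rule_id>\d+)"\]'
)
BLOCKING_RULE = "949110"  # CRS inbound anomaly-score evaluation rule

def summarize(log_text):
    """Count warnings, denials and per-rule hits in error_log text."""
    warnings = denials = 0
    per_rule = Counter()
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        per_rule[m.group("rule_id")] += 1
        if m.group("action") == "Warning":
            warnings += 1
        else:
            denials += 1
    return warnings, denials, per_rule

def diagnose(log_text):
    """Short verdict: is the CRS blocking rule actually firing?"""
    warnings, denials, per_rule = summarize(log_text)
    if warnings == 0 and denials == 0:
        return "no ModSecurity events"
    if per_rule[BLOCKING_RULE] == 0:
        # Detection rules match but the threshold check never runs:
        # the symptom of 949110 being removed or whitelisted globally.
        return "rules match but rule 949110 never fires: check whitelists"
    if denials == 0:
        # 949110 logged a Warning: threshold reached but engine only logs.
        return "rule 949110 fires but nothing is denied: engine DetectionOnly?"
    return "blocking works"

def _entry(action, rule_id, msg):
    # Constructed error_log line in the (abbreviated) ModSecurity 2.9 layout.
    return (f'[Mon Jan 01 10:00:00 2024] [:error] [pid 100] [client 203.0.113.5] '
            f'ModSecurity: {action}. Matched at ARGS_NAMES. '
            f'[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/x.conf"] '
            f'[line "1"] [id "{rule_id}"] [msg "{msg}"] [hostname "www.example.com"] [uri "/"]')

# Constructed samples: the thread's situation (warnings only) and a healthy server.
SAMPLE_NOT_BLOCKING = "\n".join([
    _entry("Warning", "930100", "Path Traversal Attack (/../)"),
    _entry("Warning", "930120", "OS File Access Attempt"),
])
SAMPLE_BLOCKING = SAMPLE_NOT_BLOCKING + "\n" + _entry(
    "Access denied with code 403 (phase 2)", "949110",
    "Inbound Anomaly Score Exceeded (Total Score: 10)")
```

Run it on the real file with `diagnose(open("/usr/local/apache/logs/error_log").read())`.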