
Mod_security is not blocking

Comments

14 comments

  • quietFinn

    "Rule 949110 is where the accumulated anomaly score is checked against a threshold, and requests are rejected accordingly. When you disable rule 949110, you are *removing* that logic. All the rules are still being processed, but nothing will ever reject a malicious request."

    1
  • sierrablue

    Your "ModSecurity Configuration" seems to be correct.

    But do check in "ConfigServer ModSecurity Control - cmc v3.03" (first setting) whether the setting is "On" or "Off"   ("You can completely disable ModSecurity on the server by setting this to Off and clicking the Select button:")

    That's in WHM->Plugins->ConfigServer Modsec Control...

    0
  • Unnamed User

    Hi sierrablue,

    In WHM > Home > Plugins > ConfigServer ModSecurity Control
    it is set to ON. I have changed it to OFF and ON again, but the blocking still doesn't work.

    I am trying for example 

    https://www.mysite.com/?../../../../etc/passwd

    and I see it in the log of 
    "Displaying logs from /etc/apache2/logs/modsec_audit.log"

    But it doesn't block me

    Another idea?
    Thanks,

    Francisco

    0
  • cPRex Jurassic Moderator

    When you say it's not "blocking" can you be more specific about what you expect to happen versus what is happening?  Are you getting a 403 error when you visit that URL?

    0
  • Unnamed User

    Hi! Thanks for your reply.

    When I go to any page to test it, it just lets me see the page.

    For example, if I go to a website hosted there

    https://www.alipso.com/?../../../../etc/passwd
    it shows me the page instead of a 403 error.


    If I go to the logs inside WHM > Plugins > "ConfigServer ModSecurity Control" > "LOGS", I see my access.

    Thanks,

     

    0
  • cPRex Jurassic Moderator

    Thanks for the additional details.  When you say "it shows me the page" what page exactly is that?  I doubt your sites have a page named passwd, so is it possibly redirecting to something else, and that is causing ModSecurity to not log things properly?  I'd at least expect a 404 from the URL you provided.

    0
  • sierrablue

    These particular ModSecurity OWASP rules will do a 301 to the root page. So it works as it should. If they didn't, you'd get a 404, or it would show https://www.alipso.com/?../../../../etc/passwd if it existed.

    0
  • cPRex Jurassic Moderator

    Got it - we'd likely need to see a ticket about why that isn't properly functioning then, as everything seems to be configured normally.

    0
  • Unnamed User

    OK! I have opened a ticket!

    Thanks,

    Francisco

    0
  • cPRex Jurassic Moderator

    Can you post the ticket number here so I can follow along?

    0
  • Unnamed User

    Hi!!

    yes :)

     #95171187

    0
  • cPRex Jurassic Moderator

    Thanks for that - I'm following along with that ticket now!

    0
  • cPRex Jurassic Moderator

    It seems there were rules whitelisted on the server that were keeping ModSecurity from working properly, and you confirmed after adjusting those that things are working well.  Let us know if you need anything else!

    0
  • Unnamed User

    Hi!

    Yes, finally it could be fixed with the help of the cPanel support team.

    For anyone that ever has this problem: the ModSecurity rule 949110 should not be deactivated because it is used to block certain attacks with a 403 error. Now I am using it only for specific WordPress pages and not whitelisting it globally in mod_security.

    Thanks,

    Francisco

    0
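
An added example, not part of the thread or of cPanel's tooling: a Python check for the misconfiguration the thread ended on, listing every `SecRuleRemoveById` line that covers rule 949110 and whether it is global or inside a scoping container. The sample config is constructed, treating `<Location>`, `<Directory>`, `<Files>` and `<VirtualHost>` blocks as "scoped" is an assumption of this sketch, and exclusions made through `ctl:ruleRemoveById` are not examined.

```python
import re

BLOCKING_RULE = 949110  # anomaly-score blocking rule named in the thread

# Constructed sample config (not from the thread); IDs other than 949110
# and the URL pattern are illustrative values only.
SAMPLE_CONF = '''\
# whitelist added while debugging a plugin
SecRuleRemoveById 920350 949110
<LocationMatch "^/wp-admin/admin-ajax\\.php$">
    SecRuleRemoveById 949000-949999
</LocationMatch>
SecRuleRemoveById "941100-941199"
'''

# Containers this sketch treats as narrowing an exclusion (assumption).
_SCOPES = r'(?:Location|Directory|Files)(?:Match)?|VirtualHost'
SCOPE_OPEN = re.compile(rf'^<(?:{_SCOPES})\b', re.I)
SCOPE_CLOSE = re.compile(rf'^</(?:{_SCOPES})\s*>', re.I)

def covers(token, rule_id):
    """True if a SecRuleRemoveById argument (single ID or lo-hi range) includes rule_id."""
    lo, _, hi = token.strip('"\'').partition('-')
    hi = hi or lo
    return lo.isdigit() and hi.isdigit() and int(lo) <= rule_id <= int(hi)

def find_removals(conf_text, rule_id=BLOCKING_RULE):
    """Return (line_number, 'global' | 'scoped', line) for each removal of rule_id."""
    findings, depth = [], 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if SCOPE_CLOSE.match(line):
            depth = max(0, depth - 1)
        elif SCOPE_OPEN.match(line):
            depth += 1
        else:
            parts = line.split()
            # Apache directive names are case-insensitive.
            if parts[0].lower() == 'secruleremovebyid' and any(
                    covers(t, rule_id) for t in parts[1:]):
                findings.append((lineno, 'scoped' if depth else 'global', line))
    return findings

if __name__ == '__main__':
    for lineno, scope, line in find_removals(SAMPLE_CONF):
        print(f'line {lineno}: {scope} removal of {BLOCKING_RULE}: {line}')
```

A `global` finding is the state described in the thread: rules still match and log to the audit log, but no request is rejected. A `scoped` finding means the same is true only for requests matching that container.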
