I have the latest version of ModSecurity (as of March 25th 2019) installed on my server. I am using OWASP rulesets along with fail2ban on Linux.
I know it is designed to block hacking attempts. Should I assume that people who are not attempting to hack my server, but who simply may have infected computers, are detected the same as hackers and hacker bots, etc.?
What happens is that certain people try to connect to my computer and tell me they cannot. So I look in the logs and sure enough, ModSecurity detected either an SQL injection attack from their IP or some other severe-level attack.
So, to several of them I suggested they run an updated boot time scan of their computer and sure enough, they found lots of malware and viruses and were able to connect after clearing them with no further issues.
So, now I'm trying to confirm that when my forum members try to connect to my server and ModSecurity reports a lot of nefarious activity from their verified IP address, it is because their computer has viruses or malware on it that is being payloaded onto their connection to my server.
I need to be confident that I am telling them the correct thing if I suggest to them that they need to check their own computer for malware or viruses.
I can't see any other explanation. Can someone confirm this is probably what's happening, since some of those members are quite sure (even without checking) that their computers are not infected with any malware or viruses?
And if that's the case, then I need to find out why ModSecurity is saying otherwise, because it is blocking my forum members.
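Before telling a member their machine is infected, the thing to check is what the log actually recorded for their IP: which rule ids fired, on which URI, and whether the request was only warned about or really denied. A hit on the forum's posting page from a logged-in member is often the member's own post text matching a CRS rule (a false positive), which looks nothing like an infected machine spraying requests at many URIs. The script below is an added example, not code from the question or from the ModSecurity project; it parses lines in the ModSecurity 2.x Apache error_log format and groups them per client IP. The log lines, IPs, hostname and unique_ids are constructed for the example, the rule ids and messages are modelled on OWASP CRS 3.x, and the client regex assumes IPv4 addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries in the ModSecurity 2.x / Apache error_log format.
# Rule ids and messages are modelled on OWASP CRS 3.x; the IPs, hostname and
# unique_ids are invented for this example.
SAMPLE_LOG = [
    '[Mon Mar 25 10:01:02.123456 2019] [:error] [pid 1234] [client 203.0.113.5:51234] '
    'ModSecurity: Warning. detected SQLi using libinjection. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    '[severity "CRITICAL"] [hostname "forum.example.test"] [uri "/posting.php"] '
    '[unique_id "CONSTRUCTED-0001"]',
    '[Mon Mar 25 10:01:02.123789 2019] [:error] [pid 1234] [client 203.0.113.5:51234] '
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[severity "CRITICAL"] [hostname "forum.example.test"] [uri "/posting.php"] '
    '[unique_id "CONSTRUCTED-0001"]',
    '[Mon Mar 25 10:05:40.000001 2019] [:error] [pid 1235] [client 198.51.100.7:40022] '
    'ModSecurity: Warning. Pattern match ... at REQUEST_HEADERS:Host. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "700"] [id "920350"] [msg "Host header is a numeric IP address"] '
    '[severity "WARNING"] [hostname "192.0.2.10"] [uri "/"] '
    '[unique_id "CONSTRUCTED-0002"]',
]

# Assumption: IPv4 clients only; the optional ":port" suffix is dropped.
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
# Generic [key "value"] fields: file, line, id, msg, severity, hostname, uri, unique_id.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_line(line):
    """Return a dict for one ModSecurity error_log line, or None if it is not one."""
    if "ModSecurity:" not in line:
        return None
    client = CLIENT_RE.search(line)
    if not client:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {
        "ip": client.group(1),
        "denied": "Access denied" in line,   # warning-only hits never blocked anyone
        "id": fields.get("id", "?"),
        "msg": fields.get("msg", ""),
        "severity": fields.get("severity", ""),
        "uri": fields.get("uri", ""),
        "unique_id": fields.get("unique_id", ""),
    }


def summarize(lines):
    """Group events by client IP: distinct requests, denials, rules fired, URIs touched."""
    per_ip = defaultdict(lambda: {"events": 0, "denied": 0, "rules": Counter(),
                                  "uris": set(), "requests": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_ip[ev["ip"]]
        s["events"] += 1
        s["denied"] += ev["denied"]
        s["rules"][(ev["id"], ev["msg"])] += 1
        s["uris"].add(ev["uri"])
        s["requests"].add(ev["unique_id"])   # several rule hits share one request id
    return dict(per_ip)


def report(summary, ip):
    """Human-readable lines for one IP, to compare with what the member says they did."""
    s = summary.get(ip)
    if s is None:
        return [f"{ip}: no ModSecurity events"]
    out = [f"{ip}: {len(s['requests'])} request(s), {s['events']} rule hit(s), "
           f"{s['denied']} denied, uris={sorted(s['uris'])}"]
    for (rid, msg), n in s["rules"].most_common():
        out.append(f"  rule {rid} x{n}: {msg}")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in summary:
        print("\n".join(report(summary, ip)))
```

Run it over the real error_log (or the audit log's H section) filtered to the member's IP: one request on the posting page that tripped a SQLi rule plus the anomaly-score rule points at post content, while many denied requests across URIs the member never visits is the pattern worth raising with them.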