Questions tagged [mod-security]

ModSecurity supplies an array of request and response filtering rules and other security features to the Apache HTTP Server. ModSecurity is an open source web application layer firewall.

334 questions
0 votes, 1 answer

mod_security with OWASP CRS: Custom rule for whitelisting googlebot

I am about to use OWASP CRS rules with mod_security on my WHM/cPanel enabled CentOS server (with Apache). But I fear that Googlebot may accidentally be blocked by one rule or the other. After enabling OWASP CRS, if I add the below custom rule…
Kannan
0 votes, 1 answer

Is it okay to use core ruleset v3.3 on modsecurity v2.9

I am just a beginner in the field of security. I have installed ModSecurity v2.9 on my server using this link. But GitHub repository for the core rule set in the link was outdated, so later I removed the ruleset with the official ruleset. Is it okay…
0 votes, 2 answers

How do I restrict a specific client, based on their host name, with ModSecurity SecRule?

I am trying to restrict specific hosts (e.g. AWS) from accessing my webserver. I tried different variations of these but it doesn't work. # Block AWS SecRule REQUEST_HEADERS:Host ".*\.amazonaws\.com.*" \ "msg:'AWS…
David
0 votes, 1 answer

OWASP-CSR on ATS

I have some Apache Traffic Servers that are used in a CDN platform. Is it possible to configure OWASP-CSR on Apache Traffic Server? If yes, how can I implement it?
Samira Rahighi
0 votes, 1 answer

Cannot find rule ID to whitelist an IP in ModSecurity

I have a local IP that was apparently banned. I would like to whitelist it. The subnet is already in my /etc/modsecurity/modsecurity.conf file: SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/19" "id:20190108,phase:2,pass,nolog,allow,ctl:ruleEngine=Off" I…
DevOpsSauce
0 votes, 1 answer

My CentOS 7 minimal font screwed up when trying to tail modsecurity audit log

My font display was completely normal. But right after I cat or tail /var/log/modsec_audit.log, my font becomes like this. Any solution? Image link: https://i.stack.imgur.com/XkIyj.png
0 votes, 1 answer

Which actions are retained on SecRuleUpdateActionById changes from the original rule?

So, SecRuleUpdateActionById requires relisting action flags. At least that's my reading of "actions that can appear only once are overwritten". Which is fairly obvious for most of them, but less so for ctl: or specialty parameters. I'm currently…
mario
0 votes, 0 answers

Compile ModSecurity 3.3 with YAJL

Could anyone help? I'm stuck on this. I already compiled ModSecurity 3.3 on this machine (followed these instructions). Now I'm trying to compile with YAJL (Yet Another JSON Library) to be able to log in JSON format. I installed yajl and…
0 votes, 1 answer

Apache server responding 403 to some clients, for a WordPress site

I rented a barebone server, installed CentOS 7, then CentOS Web Panel, with server set to Apache only, using Apache 2.4.4x and PHP 7. I set up a WordPress site on one of the vhosts, after editing for a while, while I tried to view the site on my…
0 votes, 1 answer

REQUEST_URI exact match modsecurity

I need to deny a portion of a URL with ModSecurity, for example: index.php?page_num=users I have implemented this rule: SecRule REQUEST_URI "/index\.php\?page_num=users" "id:10000100,phase:1,t:lowercase,deny,msg:'UsersDeny'" It works for the URI…
Vic
0 votes, 1 answer

Why don't the CRS rules in ModSecurity block all threats?

I'm in the process of configuring the new Nginx v1.18.0 server together with ModSecurity-nginx v1.0.1. I've added OWASP CRS 3.3.0 rules to the configuration. Unfortunately, I can't clearly tell if the rules are working. While reading blogs and…
0 votes, 1 answer

How to automatically block with MODSEC or CSF an IP Address when it tries to access a URL

We have in our server logs every day continuous bots trying to access the below, for example: Requests with error response codes 404 Not Found /favicon.ico: 3 Time(s) /3ckkB-ZOp30: 2 Time(s) /adminer-3.7.1.php: 2 Time(s) /eGfLqNJOuqgur2f: 2…
0 votes, 1 answer

modsecurity3: replace rule with a custom one for a specific URI

In CRS 3.2 there is a rule with ID=941320 which prevents CKEditor from working within Drupal. CKEditor is a WYSIWYG that produces HTML and attempts to upload it to the server. ModSecurity 3 with CRS blocks such a request then. To mitigate false positives I…
mprzyc
0 votes, 1 answer

ModSecurity won't apply rules - no error log entries

I have a fresh installation of CentOS 8. I installed Apache 2.4.37 from the repo. Then installed the latest ModSecurity: dnf install mod_security -y Checked the installation dnf info mod_security Result: Name : mod_security Version :…
MarkHelms
0 votes, 0 answers

WAF(modsecurity) / Plesk IP Banned, is it Googlebot? Is it a false positive? Is it a malicious IP?

I was alerted by my Plesk server that an IP Address had been banned. Normally I don't check banned IPs, but this one happened to coincide with our site going down for 1 minute at the same time. Banned the following ip addresses on Mon Jul 27…