Comodo Mod_security - LiteSpeed Cache 403

Dears,

I’ve enabled Comodo because we have been experiencing attacks on

  • xmlrpc.php
  • admin-ajax.php

resulting in 100% CPU usage for long periods, even though we used Cloudflare and the Wordfence plugin.

The Comodo rules worked excellently, mitigating the attack impact. But I have one single problem that I don’t know how to whitelist.

The Comodo rule 00_Init_Initialization.conf, which is the one that protects us from the attacks, does not allow me to save any Page Optimization configuration in LiteSpeed Cache (other configs like Cache are no problem). When it is disabled there is no problem saving configs in the plugin, but attacks increase.

How could I create a whitelist rule for LiteSpeed Cache?

2020-11-08 17:30:58.196176 [INFO] [162.158.225.172:36942#chilevapo.cl] [Module:Mod_Security] ModSecurity: Warning. Matched “Operator Contains' with parameter wp-admin/admin.php’ against variable REQUEST_URI' (Value: /wp-admin/admin.php?page=litespeed-page_optm’ ) [file “/usr/local/lsws/conf/modsec/comodo/25_Apps_WPPlugin.conf”] [line “234”] [id “221450”] [rev “1”] [msg “COMODO WAF: SQL injection vulnerability in the WP Rss Poster plugin 1.0.0 for WordPress (CVE-2014-4938)||www.chilevapo.cl|F|2”] [data “”] [severity “2”] [ver “”] [maturity “0”] [accuracy “0”] [hostname “www.chilevapo.cl”] [uri “/wp-admin/admin.php”] [unique_id “160485665829.811499”] [ref “o1,18v5,44”]
2020-11-08 17:30:58.203185 [INFO] [162.158.225.172:36942#chilevapo.cl] [Module:Mod_Security] ModSecurity: Warning. Matched “Operator Rx' with parameter [\[\]\x22’,()\.]{10}$|(?:union\s+all\s+select\s+(?:(?:null|\d+),?)+|order\s+by\s+\d{1,4}|(?:and|or)\s+\d{4}=\d{4}|waitfor\s+delay\s+‘\d+:\d+:\d+’|(?:select|and|or)\s+(?:(?:pg_)?sleep\(\d+\)|\d+\s*=\s* (397 characters omitted)’ against variable ARGS:media-placeholder_resp_svg' (Value: <svg xmlns=“SVG namespace” width=”{width}” height=“{height}” viewBox="0 0 {width} {heig (60 characters omitted)’ ) [file “/usr/local/lsws/conf/modsec/comodo/21_SQL_SQLi.conf”] [line “116”] [id “218500”] [rev “7”] [msg “COMODO WAF: SQLmap attack detected||www.chilevapo.cl|F|2”] [data “Matched Data: get found within REQUEST_FILENAME: /wp-admin/admin.php”] [severity “2”] [ver “”] [maturity “0”] [accuracy “0”] [hostname “www.chilevapo.cl”] [uri “/wp-admin/admin.php”] [unique_id “160485665829.811499”] [ref “v5,19o148,12v6334,160t:urlDecodeUni,t:lowercase”]
2020-11-08 17:30:58.203252 [INFO] [162.158.225.172:36942#chilevapo.cl] [Module:Mod_Security]Intervention status code triggered: 403

I have the same problem. Any solution so far?

Same here.

This solved it: [Tutorial] How To Manually Update Comodo ModSecurity Rules For CyberPanel - Blog Posts - CyberPanel Community
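As an added example (not part of the thread or of any Comodo/LiteSpeed tooling): a small Python triage script that reads log lines like the ones in the first post and lists, for each blocked request, which rule id fired on which variable. The sample log is constructed, with placeholder client and host, shortened values, and backtick/apostrophe quoting around operator and variable names assumed; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log lines in the first post (placeholder
# client/host, shortened values, backtick/apostrophe quoting is an assumption).
SAMPLE_LOG = r'''
2020-11-08 17:30:58.196176 [INFO] [192.0.2.10:36942#example.test] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Contains' with parameter `wp-admin/admin.php' against variable `REQUEST_URI' (Value: `/wp-admin/admin.php?page=litespeed-page_optm' ) [file "/usr/local/lsws/conf/modsec/comodo/25_Apps_WPPlugin.conf"] [line "234"] [id "221450"] [uri "/wp-admin/admin.php"] [unique_id "160485665829.811499"]
2020-11-08 17:30:58.203185 [INFO] [192.0.2.10:36942#example.test] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(shortened)' against variable `ARGS:media-placeholder_resp_svg' (Value: `<svg width="{width}">' ) [file "/usr/local/lsws/conf/modsec/comodo/21_SQL_SQLi.conf"] [line "116"] [id "218500"] [uri "/wp-admin/admin.php"] [unique_id "160485665829.811499"]
2020-11-08 17:30:58.203252 [INFO] [192.0.2.10:36942#example.test] [Module:Mod_Security]Intervention status code triggered: 403
'''

CLIENT = re.compile(r"\[INFO\] \[([^\]]+)\] \[Module:Mod_Security\]")
VARIABLE = re.compile(r"against variable `([^']+)'")
FIELD = re.compile(r'\[(file|id|uri|unique_id) "([^"]*)"\]')

def blocked_hits(log_text):
    """Return {unique_id: [hit, ...]} for transactions that ended in an intervention."""
    hits, last_txn, blocked = defaultdict(list), {}, set()
    for line in log_text.splitlines():
        client = CLIENT.search(line)
        if not client:
            continue
        if "Intervention status code triggered" in line:
            # The intervention line has no unique_id; tie it to the client's last hit.
            if client.group(1) in last_txn:
                blocked.add(last_txn[client.group(1)])
            continue
        var = VARIABLE.search(line)
        fields = dict(FIELD.findall(line))
        if var and "id" in fields and "unique_id" in fields:
            fields["variable"] = var.group(1)
            hits[fields["unique_id"]].append(fields)
            last_txn[client.group(1)] = fields["unique_id"]
    return {txn: h for txn, h in hits.items() if txn in blocked}

def exclusion_candidates(hits):
    """Unique (rule id, matched variable, rule file) triples across blocked requests."""
    return sorted({(h["id"], h["variable"], h.get("file", "").rsplit("/", 1)[-1])
                   for txn in hits.values() for h in txn})

if __name__ == "__main__":
    for rule_id, variable, conf in exclusion_candidates(blocked_hits(SAMPLE_LOG)):
        print(f"rule {rule_id} ({conf}) matched {variable}")
```

The rule id and variable pairs are the inputs a narrowly scoped exclusion needs (ModSecurity's `ctl:ruleRemoveTargetById` takes exactly such a pair), which keeps the rest of the rule set active for `xmlrpc.php` and `admin-ajax.php`.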