High CPU and Server Crash everyday

In our latest version I’ve removed Comodo rules and kept just OWASP. Can you remove these and use OWASP?

@usmannasir, This is how the mod_security rules look now after removing the Comodo part. Does this look OK?

modsecurity  off
modsecurity_rules '
SecDebugLogLevel 9
SecDebugLog /usr/local/lsws/logs/modsec.log
SecAuditEngine on
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCDEFGHI
SecAuditLogType Serial
SecAuditLog /usr/local/lsws/logs/auditmodsec.log
SecRuleEngine On'
modsecurity_rules_file /usr/local/lsws/conf/modsec/rules.conf

modsecurity_rules_file /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/owasp-master.conf

Just a question of curiosity: You’ve said in the latest version, you’ve removed Comodo rules. I am already using the latest version of CyberPanel, so I am wondering why and how the Comodo rules were there. The answer to this will help someone as well.

@usmannasir, Since I removed Comodo rules, I’ve tried to verify OWASP by visiting http://my-domain.com/?a=b AND 1=1” which redirected me to http://my-domain.com rather than showing a 403 page. Isn’t this unexpected?

Then I disabled OWASP ModSecurity Core Rules under CyberPanel and kept Comodo rules enabled under OLS WebAdmin → Server Configuration → Modules → mod_security as I don’t see Comodo Rules Pack under CyberPanel. Now when I visit http://my-domain.com/?a=b AND 1=1”, it shows a 403 page as expected.

So I guess OWASP isn’t working but Comodo does the job. What are your thoughts?

Ref. Screenshots:

  1. MODSECURITY RULES PACKAGES UNDER CYBERPANEL

  2. Rules under OLS WebAdmin → Server Configuration → Modules → mod_security

If there is a cache hit, rules don’t trigger, so was that the case?

Yes, it might be possible. It now works with OWASP rules activated only as mentioned here. Shall I keep mod_security setup this way and continue?

Yes, and mod_security won’t trigger on static pages and when there is a cache hit.
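
An added example, not part of the thread: one way to read the response to a ModSecurity test request so that a cache hit is not mistaken for a rule failure. The function names and sample responses are constructed, and it assumes LiteSpeed reports cache status in the X-LiteSpeed-Cache response header.

```python
# Added example (not from the thread). Sample responses are constructed.
# Assumption: LiteSpeed reports cache status in the X-LiteSpeed-Cache header.


def probe_verdict(status, headers):
    """Classify the first response to a request a ModSecurity rule should block."""
    # Header names are case-insensitive; the value may carry extra tokens.
    h = {k.lower(): v.lower() for k, v in headers.items()}
    cache_state = h.get("x-litespeed-cache", "").split(",")[0].strip()
    if status == 403:
        return "blocked"
    if cache_state == "hit":
        # Served from cache: the rules never evaluated this request,
        # so a redirect or a 200 here says nothing about the rule set.
        return "inconclusive"
    return "not-blocked"


def waf_verified(responses):
    """True only if some probe was conclusive and every conclusive one was blocked."""
    verdicts = [probe_verdict(status, headers) for status, headers in responses]
    conclusive = [v for v in verdicts if v != "inconclusive"]
    return bool(conclusive) and all(v == "blocked" for v in conclusive)


# Constructed (status, headers) pairs for the test URL used in the thread.
CACHED_REDIRECT = (301, {"X-LiteSpeed-Cache": "hit",
                         "Location": "http://my-domain.com"})
CACHED_PRIVATE = (200, {"x-litespeed-cache": "hit,private"})
UNCACHED_PASS = (200, {"X-LiteSpeed-Cache": "miss"})
RULE_BLOCK = (403, {"Server": "LiteSpeed"})

if __name__ == "__main__":
    for name, resp in [("cached redirect", CACHED_REDIRECT),
                       ("cached private", CACHED_PRIVATE),
                       ("uncached pass", UNCACHED_PASS),
                       ("rule block", RULE_BLOCK)]:
        print(f"{name}: {probe_verdict(*resp)}")
```
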

Perfect!

So to summarise, it was Comodo rules added under OLS WebAdmin → Server Configuration → Modules → mod_security that were causing the issue I’ve mentioned. Correct?

** Setting CloudFlare wasn’t required, but let’s keep it as it is with Attack Mode enabled.

Are you getting a cache hit for your website?

I have a similar issue every morning. No pages load. CyberPanel is working. Today I noticed that on the server IP there was an empty directory listed in the browser. A restart helps. In the error logs I found many Comodo warnings.
I am behind the Google firewall. Everything that I could is blocked. MySQL and other access is restricted to my local IP. I set up the server on GCC a week ago from a GCC image.

@turalisur Yes, I am getting cache hit (after a fix and during the issue time). If your issue is different than mine, I recommend you start your own thread.

@migors Did you go through the whole thread and try all the possible solutions discussed here in-between me and @usmannasir1?

I did, but I am not so skilled. I used ISPmanager for 7 years and did everything in files, not the command line. So for me it will not be so easy.