In our latest version I’ve removed Comodo rules and kept just OWASP. Can you remove these and use OWASP?
@usmannasir, This is how the mod_security rules look now after removing the Comodo part. Does this look OK?
modsecurity off
modsecurity_rules '
SecDebugLogLevel 9
SecDebugLog /usr/local/lsws/logs/modsec.log
SecAuditEngine on
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCDEFGHI
SecAuditLogType Serial
SecAuditLog /usr/local/lsws/logs/auditmodsec.log
SecRuleEngine On'
modsecurity_rules_file /usr/local/lsws/conf/modsec/rules.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/owasp-master.conf
Just a question of curiosity: You’ve said that in the latest version, you’ve removed Comodo rules. I am already using the latest version of CyberPanel, so I am wondering why and how the Comodo rules were there. The answer to this will help someone as well.
@usmannasir, Since I removed Comodo rules, I’ve tried to verify OWASP by visiting “Give yourself a better website » MY DOMAIN AND 1=1” which redirected me to “http://my-domain.com” rather than showing 403 page. Isn’t this unexpected?
Then I disabled OWASP ModSecurity Core Rules under CyberPanel and kept Comodo rules enabled under OLS WebAdmin → Server Configuration → Modules → mod_security as I don’t see Comodo Rules Pack under CyberPanel. Now when I visit “Give yourself a better website » MY DOMAIN AND 1=1”, it shows 403 page as expected.
So I guess OWASP isn’t working but Comodo does the job. What are your thoughts?
Ref. Screenshots:
If there is a cache hit, rules don’t trigger, so was that the case?
Yes, it might be possible. It now works with only OWASP rules activated, as mentioned here. Shall I keep the mod_security setup this way and continue?
Yes, and mod_security won’t trigger on static pages and when there is a cache hit.
Perfect!
So to summarise, it was Comodo rules added under OLS WebAdmin → Server Configuration → Modules → mod_security that were causing the issue I’ve mentioned. Correct?
** Setting CloudFlare wasn’t required, but let’s keep it as it is with Attack Mode enabled.
I have a similar issue every morning. No pages load. CyberPanel is working. Today I noticed that on the server IP there was an empty directory listed in the browser. A restart helps. In the error logs I found many Comodo warnings.
I am behind the Google firewall. Everything that I could block is blocked. MySQL and other access is restricted to my local IP. I set up the server on GCC a week ago from a GCC image.
@turalisur Yes, I am getting cache hit (after a fix and during the issue time). If your issue is different than mine, I recommend you start your own thread.
@migors Did you go through the whole thread and try all the possible solutions discussed here in-between me and @usmannasir1?
I did, but I am not so skilled. I used ISPmanager for 7 years and did everything in files, not the command line. So for me it will not be so easy.
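A check of the mod_security block posted earlier in this thread, as an added example that is not part of any post here and is not CyberPanel or OpenLiteSpeed code. The function names are hypothetical, and the script assumes the connector-level `modsecurity` switch gates the whole module; it only flags that line for confirmation on the server.

```python
import re

# The block as posted in this thread, copied verbatim.
POSTED = """modsecurity off
modsecurity_rules '
SecDebugLogLevel 9
SecDebugLog /usr/local/lsws/logs/modsec.log
SecAuditEngine on
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCDEFGHI
SecAuditLogType Serial
SecAuditLog /usr/local/lsws/logs/auditmodsec.log
SecRuleEngine On'
modsecurity_rules_file /usr/local/lsws/conf/modsec/rules.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/owasp-master.conf
"""

def parse(text):
    """Map each directive (lowercased) to its list of values, inline rules included."""
    found = {}
    for raw in text.splitlines():
        name, _, value = raw.strip(" '").partition(" ")
        if name:
            found.setdefault(name.lower(), []).append(value.strip(" '\""))
    return found

def audit(text):
    """Return (id, message) findings worth checking before relying on the WAF."""
    d = parse(text)
    first = lambda key: (d.get(key) or [""])[0].lower()
    out = []
    # Assumption: the connector-level 'modsecurity' switch gates the whole module.
    if first("modsecurity") == "off" and first("secruleengine") == "on":
        out.append(("module-switch", "modsecurity is off while SecRuleEngine is On"))
    # Debug levels 4-9 are meant for troubleshooting, not steady-state production.
    if first("secdebugloglevel").isdigit() and int(first("secdebugloglevel")) >= 4:
        out.append(("debug-level", "SecDebugLogLevel is a troubleshooting level"))
    # SecAuditLogRelevantStatus is only consulted when SecAuditEngine is RelevantOnly.
    if first("secauditengine") == "on" and "secauditlogrelevantstatus" in d:
        out.append(("audit-all", "every transaction is logged; status filter unused"))
    return out

def status_is_relevant(text, status):
    """Would the posted status pattern select this HTTP status under RelevantOnly?"""
    pattern = parse(text)["secauditlogrelevantstatus"][0]
    return re.search(pattern, str(status)) is not None

if __name__ == "__main__":
    for finding in audit(POSTED):
        print(*finding, sep=": ")
    print({s: status_is_relevant(POSTED, s) for s in (200, 403, 404, 500)})
```

Under `SecAuditEngine RelevantOnly`, the posted pattern would audit a 403 from a blocked request and skip ordinary 404s.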