In our latest version I’ve removed Comodo rules and kept just OWASP. Can you remove these and use OWASP?
@usmannasir, This is how the mod_security rules look now after removing the Comodo part. Does this look OK?
modsecurity off
modsecurity_rules '
SecDebugLogLevel 9
SecDebugLog /usr/local/lsws/logs/modsec.log
SecAuditEngine on
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCDEFGHI
SecAuditLogType Serial
SecAuditLog /usr/local/lsws/logs/auditmodsec.log
SecRuleEngine On'
modsecurity_rules_file /usr/local/lsws/conf/modsec/rules.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/owasp-master.conf
Just a question of curiosity: You’ve said in the latest version, you’ve removed Comodo rules. I am already using the latest version of CyberPanel, so I’m wondering why and how the Comodo rules were there. The answer to this will help someone as well.
@usmannasir, Since I removed Comodo rules, I’ve tried to verify OWASP by visiting “http://my-domain.com/?a=b AND 1=1” which redirected me to “http://my-domain.com” rather than showing a 403 page. Isn’t this unexpected?
Then I disabled OWASP ModSecurity Core Rules under CyberPanel and kept Comodo rules enabled under OLS WebAdmin → Server Configuration → Modules → mod_security as I don’t see Comodo Rules Pack under CyberPanel. Now when I visit “http://my-domain.com/?a=b AND 1=1”, it shows a 403 page as expected.
So I guess OWASP isn’t working but Comodo does the job. What are your thoughts?
If there is a cache hit, rules don’t trigger, so was that the case?
Yes, it might be possible. It now works with OWASP rules activated only as mentioned here. Shall I keep the mod_security setup this way and continue?
Yes, and mod_security won’t trigger on static pages and when there is a cache hit.
So to summarise, it was Comodo rules added under OLS WebAdmin → Server Configuration → Modules → mod_security that were causing the issue I’ve mentioned. Correct?
** Setting CloudFlare wasn’t required, but let’s keep it as it is with Attack Mode enabled.
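The point made in this exchange, that a request answered from cache never reaches the mod_security rules, changes how a verification request like the one above should be read. The following is an added example, not code from the thread or from CyberPanel: it classifies the result of such a self-test against your own site. The function names, the `_waftest` parameter and the sample responses are constructed for illustration, and it assumes the cache key includes the query string.

```python
import secrets
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it

def cache_busted(url):
    """Append a random parameter (hypothetical name) so no cached entry matches."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("_waftest", secrets.token_hex(8)))
    return urlunsplit(parts._replace(query=urlencode(query)))

def classify(status, headers):
    """Interpret one response to a request the rule set is expected to block."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if status == 403:
        return "blocked"                  # rules evaluated and denied the request
    if h.get("x-litespeed-cache", "").startswith("hit"):
        return "inconclusive-cache"       # served from cache, rules never ran
    if status in (301, 302, 303, 307, 308):
        return "inconclusive-redirect"    # check the redirect target separately
    return "not-blocked"                  # reached the backend: rules did not fire

def probe(url, timeout=10):
    """Send one cache-busted request to your own site and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(cache_busted(url), timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers.items()))

# Constructed sample responses (status, headers), not captured from a real server.
SAMPLES = [
    (403, {"Server": "LiteSpeed"}),
    (200, {"X-LiteSpeed-Cache": "hit"}),
    (301, {"Location": "http://my-domain.com"}),
    (200, {"X-LiteSpeed-Cache": "miss"}),
]

if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, headers, "->", classify(status, headers))
```

Only a "not-blocked" result on a cache miss indicates that the rule set failed to act; the two "inconclusive" results call for repeating the test.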
I have a similar issue every morning. No pages load. CyberPanel is working. Today I noticed that on the server IP there was an empty directory listed in the browser. A restart helps. In the error logs I found many Comodo warnings.
I am behind the Google firewall. Everything that I could block is blocked. MySQL and other access is restricted to my local IP. I set up the server on GCC a week ago from a GCC image.
@turalisur Yes, I am getting cache hit (after a fix and during the issue time). If your issue is different than mine, I recommend you start your own thread.
I did, but I am not so skilled. I used ISP manager for 7 years and did everything in files, not the command line. So for me it will not be so easy.