I’m running CP on Ubuntu 20.04 to host WordPress sites via OLS. I have ModSecurity as server firewall with the Comodo rules set. ModSec + Comodo are generally doing a good job, but I am seeing isolated false positives in WooCommerce and Rank Math, when attempting to save plugin settings changes.
Here’s a log entry (URL modified to ‘WPsite.com’):
2022-02-20 17:36:43.456240 [INFO]  [220.127.116.11:41364#WPsite.com] [Module:mod_security]Log Message: [client 18.104.22.168] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator
Eq' with parameter 0’ against variable
MULTIPART_UNMATCHED_BOUNDARY' (Value: 2’ ) [file “/usr/local/lsws/conf/modsec/comodo/modsecurity.conf”] [line “68”] [id “200004”] [rev “”] [msg “Multipart parser detected a possible unmatched boundary.”] [data “”] [severity “0”] [ver “”] [maturity “0”] [accuracy “0”] [hostname “WPsite.com”] [uri “/wp-admin/admin.php”] [unique_id “1645378603”] [ref “v4081,1”]
Rule 200004 in comodo/modsecurity.conf is triggering the 403, so I tried to deactivate it with this line in WPsite’s .htaccess:
However nothing’s changed, so I’m wondering if this Apache fix isn’t being read by OLS, and maybe I need to input the line using CP’s Rewrite Rules?
I haven’t seen a lot of discussion online about using ModSecurity with CP and OLS, so I thought I’d post this to find out if other WP admins are using ModSec and running into false positives (403) when changing their plugins settings in the backend?
Thanks for any thoughts …
Go cyberpanel and see error logs or server logs (I dont remenber which one) look what rule number blocking and then go security|modsecurity rule packs| configure and disable that rule
You have to check logs found exact file and then also the exact rule and remove it. as ModSecurity rules are not compatible always.
Thank you for your replies. I’ve continued to work toward removing a single Comodo rule. Here’s a quick update, and my question:
I’ve tested and can confirm that you are both correct - disabling a Comodo file immediately stops my false positives.
However, there are lots of rules in each one of those files. So disabling an entire file effectively removes lots of rules. It’s overkill.
From the logs, I know the rule that I want to remove. I’ve tried this code in both the site’s .htaccess file and CP’s Websites → Manage → Rewrite Rules page, like this:
< IfModule mod_security.c >
< /IfModule >
I also tried to whitelist my own IP, like this (x’s = my IP address):
SetEnvIfNoCase REMOTE_ADDR ^xxx.xxx.xxx.xxx$ MODSEC_ENABLE=Off
But these lines of code in .htaccess / Rewrite Rules don’t seem to change anything.
I’m thinking that either I am misunderstanding what OLS will process in .htaccess, or maybe there is a setting in WebAdmin that I need to adjust to get OLS to process these instructions?
My question is, am I going about this the right way (via .htaccess / CP Rewrite Rules)? There is plenty of documentation out there for disabling a ModSec rule under CentOS / Apache. I’m sure there must be a way to do this under Ubuntu / OLS, but I seem to be missing it. Maybe it’s just a small syntax difference between Apache and OLS instructions?
Thanks, again, for any suggestions …