1
CSF Firewall / csf: v14.24, do I need to update it?
« on: September 02, 2025, 08:14:08 AM »
Hi,
I am currently using csf: v14.24, do I need to update it?
These days I received the following message in my email:
Subject: Cron <root@hosting> /usr/sbin/csf -u
Message: Oops: Unable to download: Can't connect to download2.configserver.com:443 (Connection refused)
What should I do?
Thanks in advance!
BR
Venty
2
Mod_Security / Re: OWASP CRS v4.15.0 Just Release
« on: September 01, 2025, 05:49:54 PM »
If you're calling it with an "Include" line as with Starburst's configuration, it will be utilized by Mod Security. But the GUI in CWP will be editing a different file:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
So you may want to Include that one specifically/additionally as well.
I didn't understand it... "Include" - in which file?
3
Mod_Security / Re: OWASP CRS v4.15.0 Just Release
« on: September 01, 2025, 04:58:11 PM »
Someone has to include 2 very critical details on these guides:
1) the CWP admin dashboard "Global Disabled Rules" file is NOT the same with the one that our customized mod_security is currently using.
No edit on that file will work. The user has to add/remove rules on the new global_disabled.conf under the newly created folder.
--------------------------------------------------------------------------
I hope this helps.
Hi,
for me the file global_disabled_rules.conf is in the folder:
/usr/local/apache/modsecurity-rules/custom-rules/before
and it also doesn't work?
4
DKIM / DKIM is marked yellow "INVALID"...
« on: August 12, 2025, 06:41:46 AM »
Please help, I have a CWP server (AL 9.6) installed, with one user who manages several domains...
I have followed all the instructions given here for setting up DKIM, all domains have a DKIM record, but when I go to the Email - DKIM Manager menu in the list where the domains are selected in the DKIM records column, all are marked green, only the domain that is associated with the user is marked yellow "INVALID"...
This domain is with the Internet provider where the server is located, in the DNS he has set a DKIM record, which I have also set in the domain settings, the two match - checked, all mail services have been restarted, but again the mark for this domain is yellow "INVALID"...
I also tested with a mail checker, for all other domains DKIM works and is recognized, for this domain it is again unrecognized...
Please advise, what should I check or do?
BR
Venty
5
Mod_Security / Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« on: July 25, 2025, 08:27:48 AM »
There is more than 1 global_disabled_rules.conf file in the mix.
It depends how you set your modsec up (eg: which one is it pointed to).
Hi,
I basically use the following recommendations from @Starburst:
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/recommended-ruleset-paths-running-cwp-and-apache-on-almalinux-8-9/
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-owasp-crs-ruleset-to-4-16-0-running-cwp-and-apache-on-almalinux-8-9/
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-modsecurity-to-2-9-11-running-cwp-and-apache-on-almalinux-8-9/
Again, according to his instructions, I placed the global_disabled_rules.conf file in a "before" folder and supposedly I have an entry for the folder to read *.conf
└── custom-rules
    ├── startup
    ├── before
    └── after
How can I check if this is happening and the global_disabled_rules.conf file is being read from there?
BR
Venty
6
Mod_Security / Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« on: July 24, 2025, 08:31:07 AM »
Hi,
When I put the following rules 941100, 949110, 980170 and 932235 in the file global_disabled_rules.conf, which is located in the folder /usr/local/apache/modsecurity-rules/custom-rules/before/ they are not removed ...
When I add the same rules via CWP UI / Security/Mod Security / Domains tab / Edit rules on required domain... then they are removed and the administrative panel of the site, which is on the WordPress works...
Why does this happen, isn't the file global_disabled_rules.conf for disabling the rules for all domains?
BR
Venty
7
Mod_Security / Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« on: July 23, 2025, 08:33:21 PM »
I'm wondering if this isn't a plugin conflict with the OWASP rules.
We run WordPress, and haven't had any problems mentioned.
Hi,
I think it's exactly like that, but not from a plugin, but rather from the theme...
I tested from different IPs, but the result I see in the error logs is the same - the same rule IDs that block several PHP files related to the AVIA editor that the theme uses...
In addition, I received messages that the IP I was using was blocked - Blocked: Permanent Block [LF_MODSEC] (IP match in csf.allow, block may not work)...
1. Now, I read that the rules starting with 980 and 949 should not be excluded entirely, maybe there is an option to set mod_security not to block the AVIA editor files and IPs?
2. IP match in csf.allow, but I assume this does not prevent me from setting rules for this IP so that it is not blocked?
BR
Venty
8
Mod_Security / Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« on: July 23, 2025, 02:09:18 PM »
Hi,
I checked the error logs again, tested with OWASP CRS version 4.15.0 and OWASP CRS version 4.16.0, mod_security version 2.9.11 and again found that rules with identifiers 980170, 949110, 930130 and 932235 are the ones that block.
- OWASP CRS version 4.15.0 blocks stop work in the WordPress panel and theme settings...
- OWASP CRS version 4.16.0 - error 403...
When disabling mod_security - everything works normally...
I set them in global_disabled_rules.conf, but again the services are blocked...
I also noticed that the rule with ID 980170 appears very often in the error logs...
1. What should I do in this case?
2. Is it correct to enter the rule with ID 980170 in global_disabled_rules.conf ?
3. How can I reliably verify that global_disabled_rules.conf is working?
BR
Venty
9
PHP / Re: Difference in the php views...
« on: July 16, 2025, 09:12:06 AM »
The main php version from the CLI that you have set used by PHP Switcher is called for php info on your first case. The display is typical for a 7.x version -- CWP renders it using their stylesheet so it matches the rest of the panel. But if you have an 8.x or later, it will call the normal php.info and display it in that space.
Hi,
Thank you very much for the answer, but I updated it to a higher version of PHP - 8.1.32, and the display is the same...
I found that when I select menu PHP Settings/PHP info in the error logs, I have the following entries:
[Wed Jul 16 09:24:02.156951 2025] [security2:error] [pid 57264:tid 57296] [client 80.100.247.29:57842] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/rules/RESPONSE-980-CORRELATION.conf"] [line "98"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=8, detection=8, per_pl=8-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=5, HTTP=0, SESS=0, COMBINED_SCORE=8)"] [ver "OWASP_CRS/4.15.0"] [tag "reporting"] [tag "OWASP_CRS"] [hostname "80.100.247.29"] [uri "/phpinfo.php"] [unique_id "aHdFgh8PEqQ3cHJu45Rg6gAAAIM"]
[Wed Jul 16 09:24:02.156739 2025] [security2:error] [pid 57264:tid 57296] [client 80.100.247.29:57842] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "233"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score:

[Wed Jul 16 09:24:02.156378 2025] [security2:error] [pid 57264:tid 57296] [client 80.100.247.29:57842] ModSecurity: Warning. Matched phrase "phpinfo" at REQUEST_FILENAME. [file "/usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "339"] [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: phpinfo found within REQUEST_FILENAME: /phpinfo.php"] [severity "CRITICAL"] [ver "OWASP_CRS/4.15.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-PHP"] [tag "capec/1000/152/242"] [hostname "80.100.247.29"] [uri "/phpinfo.php"] [unique_id "aHdFgh8PEqQ3cHJu45Rg6gAAAIM"]
[Wed Jul 16 09:24:02.155614 2025] [security2:error] [pid 57264:tid 57296] [client 80.100.247.29:57842] ModSecurity: Warning. Pattern match "(?:^([\\\\d.]+|\\\\[[\\\\da-f:]+\\\\]|[\\\\da-f:]+)(:[\\\\d]+)?$)" at REQUEST_HEADERS:Host. [file "/usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "730"] [id "920350"] [msg "Host header is a numeric IP address"] [data "78.108.247.29"] [severity "WARNING"] [ver "OWASP_CRS/4.15.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL-ENFORCEMENT"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "80.100.247.29"] [uri "/phpinfo.php"] [unique_id "aHdFgh8PEqQ3cHJu45Rg6gAAAIM"]
I added the IDs to global_disabled_rules.conf, but when I select menu PHP Settings/PHP info, the display is the same and the entries appear again...
What should I do?
BR
Venty
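Added example, not part of the original post and not code from CWP or the CRS project: a Python triage of error_log entries shaped like the ones quoted above, grouping them per request and separating the detection rules that raised the anomaly score from the entries written by the BLOCKING-EVALUATION and CORRELATION rule files. The sample lines, the shortened /crs/rules paths, the REQ-A id and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the error_log entries quoted above (paths shortened,
# documentation-range client IP). The 949110 line is cut off, as in the quoted log.
SAMPLE_LOG = '''\
[Wed Jul 16 09:24:02 2025] [security2:error] [client 192.0.2.10:57842] ModSecurity: Warning. Unconditional match in SecAction. [file "/crs/rules/RESPONSE-980-CORRELATION.conf"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=8, threshold=5)"] [uri "/phpinfo.php"] [unique_id "REQ-A"]
[Wed Jul 16 09:24:02 2025] [security2:error] [client 192.0.2.10:57842] ModSecurity: Access denied with code 403 (phase 2). [file "/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score:
[Wed Jul 16 09:24:02 2025] [security2:error] [client 192.0.2.10:57842] ModSecurity: Warning. Matched phrase "phpinfo" at REQUEST_FILENAME. [file "/crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [severity "CRITICAL"] [uri "/phpinfo.php"] [unique_id "REQ-A"]
[Wed Jul 16 09:24:02 2025] [security2:error] [client 192.0.2.10:57842] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [file "/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [uri "/phpinfo.php"] [unique_id "REQ-A"]
'''

FIELD = re.compile(r'\[(file|id|msg|uri|unique_id) "([^"]*)"\]')
CLIENT = re.compile(r'\[client ([^\]]+)\]')
# Rule files that evaluate or report the anomaly score rather than detect anything.
SCORING_FILES = ("BLOCKING-EVALUATION", "CORRELATION")

def parse(log_text):
    """Turn each ModSecurity log line into a dict of the fields it still contains."""
    entries = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        entry = dict(FIELD.findall(line))
        m = CLIENT.search(line)
        entry["client"] = m.group(1) if m else None
        entry["denied"] = "Access denied" in line
        entries.append(entry)
    return entries

def triage(log_text):
    """Group entries per request and split detection rule IDs from scoring rule IDs."""
    entries = parse(log_text)
    # Truncated lines lose unique_id; attach them to the request seen from the same client socket.
    by_client = {e["client"]: e["unique_id"] for e in entries if "unique_id" in e}
    requests = defaultdict(lambda: {"uri": None, "denied": False, "detections": [], "scoring": []})
    for e in entries:
        key = e.get("unique_id") or by_client.get(e["client"]) or e["client"]
        req = requests[key]
        req["uri"] = req["uri"] or e.get("uri")
        req["denied"] = req["denied"] or e["denied"]
        kind = "scoring" if any(s in e.get("file", "") for s in SCORING_FILES) else "detections"
        req[kind].append(e.get("id"))
    return dict(requests)

if __name__ == "__main__":
    for rid, req in triage(SAMPLE_LOG).items():
        print(rid, req["uri"], "denied" if req["denied"] else "logged",
              "detections:", req["detections"], "scoring:", req["scoring"])
```

The IDs under "detections" are the rules that actually matched the request and are the ones to review for a false positive; the "scoring" IDs only act on the accumulated score.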
10
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: July 14, 2025, 02:36:59 PM »
That line shouldn't be missing, it's part of the default install for CSF/LFD.
Its default setting is usually MODSEC = "5"
Hi,
the closest line in my csf.conf is:
https://prnt.sc/Vfk78oC82e3H
BR
Venty
11
Mod_Security / Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« on: July 14, 2025, 02:28:17 PM »
Look in the logs, and it will show you what rule blocked it.
In your global_disabled_rules.conf, you should have these:
Code:
## Removed rules for CWP ##
SecRuleRemoveById 960017
SecRuleRemoveById 960015
SecRuleRemoveById 960009
#######################################################
## Removed Rules for WordPress and phpMyAdmin ##
#######################################################
## Removed rules for Wordpress ##
SecRuleRemoveById 981242
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 959073
SecRuleRemoveById 958030
# Needed for WordPress Cloudflare Plugin
SecRuleRemoveById 911100
## Removed rules for webftp_simple ##
SecRuleRemoveById 950922
SecRuleRemoveById 981000
SecRuleRemoveById 950109
## Removed rules for phpMyAdmin ##
SecRuleRemoveById 981205
SecRuleRemoveById 970901
SecRuleRemoveById 960904
SecRuleRemoveById 960915
SecRuleRemoveById 981318
SecRuleRemoveById 981320
SecRuleRemoveById 981240
Hi,
When I have rules version 4.16.0, rules with ids 980170, 949110, 930130 are the ones that block, I set them in global_disabled_rules.conf, but again I can't access and install WordPress...
When I revert the rules to version 4.15.0 , things work....
and finally, the blocking seems to be not just for WordPress...
BR
Venty
12
Mod_Security / Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« on: July 14, 2025, 12:30:36 PM »
Hi,...I return OWASP CRS version 4.15.0, everything works - WordPress etc., I return OWASP CRS version 4.16.0 - error 403...
Does WordPress or WooCommerce, the latest versions, have a conflict with the OWASP CRS v4.16.0 rules?
Do I need to set additional rules in the global_disabled_rules.conf file?
thanks in advance!
BR
Venty
13
Mod_Security / WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« on: July 14, 2025, 09:51:02 AM »
Hi,
Does WordPress or WooCommerce, the latest versions, have a conflict with the OWASP CRS v4.16.0 rules?
Do I need to set additional rules in the global_disabled_rules.conf file?
thanks in advance!
BR
Venty
14
Mod_Security / Re: OWASP CRS v4.15.0 Just Release
« on: July 14, 2025, 09:19:21 AM »
Hi,
Many thanks to Starburst...., but should I merge the two in the rbl.conf file
https://prnt.sc/9Tp9vbYKVfdk
BR
Venty
15
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: July 14, 2025, 08:49:24 AM »
i switched back to OWASP latest rules but they are not blocking malicious attempts. i can see in logs its detecting but attempt is not blocked
on the other hand comodo waf rules keeps blocking everything
before last update everything was fine and comodo waf rules were the best
Change these lines in csf.conf
Code:
MODSEC = "2"
Code:
MODSEC_LOG = "/usr/local/apache/logs/error_log /usr/local/apache/domlogs/*rror.log"
Yes, there is a space between those 2 paths, it's kinda hard to see.
Hi,
In my file csf.conf this line "MODSEC" is missing:
Code:
MODSEC = "2"
What should I do, what does it do and how is this value 2 determined?
BR
Venty