mod_security with Comodo WAF locks out everbody

That happened before some minutes. At every CWP PRO where I user mod_security with Comodo WAF then every site blocks every user.

So I modified it in order to fix. What do you suggest?

I am using the Comodo ruleset -- no lockouts here. Are you sure it's not overly aggressive LFD settings?

Before about 18 hours, at EVERY CWP PRO server I manage, the Comodo rules in mod_security locked out everyone. I just changed that and mod_security worked properly again.

I can not find what happened.

That happened before some minutes. At every CWP PRO where I user mod_security with Comodo WAF then every site blocks every user.

So I modified it in order to fix. What do you suggest?

Are you using WordPress, with WooCommerce plugin.?!

WooCommerce was updated, and have a new cookies scheme that conflicts with Comodo WAF.
If so, try to downgrade WooCommerce to the old working version.

Regards,
Netino

It happened to every single html webiste. Even one index.html static website, at the second click sent Forbiden.

It happened to every single html webiste. Even one index.html static website, at the second click sent Forbiden.

Have you tried checking the file '/usr/local/apache/logs/modsec_audit.log', searching for what reason your sites are being blocked?

I did not have the time. I just checked more than 10 CWP PRO servers and changed the mo_security NOT to work with Comodo WAF.

OWASP has more false positives than Comodo.

I do not think that it was false positives. It probably was some misconfiguration after updates. It happened the same hour at every CWP PRO account.

That is odd.

We use the Comodo ruleset on all of our servers, and have no reports of any problems.

But have had false positives with OWASP.

I can confirm this, wooCommerce version 8.5.1 conflicts with the latest Comodo WAF rules. As soon as wooCommerce gets updated to this version, site dies. Temporary solution is to disable mod_security on the account/domain in question.

I would never recommend disabling Mod_Security.
Most of the attacks against our servers are WordPress attacks.

Has anyone tried cPGuard (use Malware.Expert rule set)with wooCommerce?

Looks like wooCommerce is blaming Comodo and not something with their 8.5.1 update.
https://developer.woo.com/2024/01/16/woocommerce-8-5-1-issues-with-web-application-firewalls-modsecurity/

But since everything was working OK, I would say it is more of a problem with 8.5.1.

They do offer this as a solution also:

"If the above doesn’t work for you, disable the Order Attribution feature to prevent future users from seeing the 403 errors by going to WooCommerce > Settings > Advanced > Features and toggling the Order Attribution feature off."

"If the above doesn’t work for you, disable the Order Attribution feature to prevent future users from seeing the 403 errors by going to WooCommerce > Settings > Advanced > Features and toggling the Order Attribution feature off."

That did not seem to help, still getting 403 Forbidden error.

... Temporary solution is to disable mod_security on the account/domain in question.

No, I just switched to OSWAP rules until fix that. No need to disable mod_security.