Author Topic: mod_security with Comodo WAF locks out everbody  (Read 4119 times)

0 Members and 3 Guests are viewing this topic.

Offline
**
mod_security with Comodo WAF locks out everbody
« on: January 09, 2024, 03:22:57 PM »
That happened before some minutes. At every CWP PRO where I user mod_security with Comodo WAF then every site blocks every user.

So I modified it in order to fix. What do you suggest?
You may use our FREE SMTP Newsletter APP at https://www.emailbat.com

Offline
*****
Re: mod_security with Comodo WAF locks out everbody
« Reply #1 on: January 09, 2024, 10:30:32 PM »
I am using the Comodo ruleset -- no lockouts here. Are you sure it's not overly aggressive LFD settings?

Offline
**
Re: mod_security with Comodo WAF locks out everbody
« Reply #2 on: January 10, 2024, 07:16:30 AM »
Before about 18 hours, at EVERY CWP PRO server I manage, the Comodo rules in mod_security locked out everyone. I just changed that and mod_security worked properly again.

I can not find what happened.
You may use our FREE SMTP Newsletter APP at https://www.emailbat.com

Offline
***
Re: mod_security with Comodo WAF locks out everbody
« Reply #3 on: January 12, 2024, 01:43:17 AM »
That happened before some minutes. At every CWP PRO where I user mod_security with Comodo WAF then every site blocks every user.

So I modified it in order to fix. What do you suggest?

Are you using WordPress, with WooCommerce plugin.?!

WooCommerce was updated, and have a new cookies scheme that conflicts with Comodo WAF.
If so, try to downgrade WooCommerce to the old working version.

Regards,
Netino

Offline
**
Re: mod_security with Comodo WAF locks out everbody
« Reply #4 on: January 12, 2024, 07:08:49 AM »
It happened to every single html webiste. Even one index.html static website, at the second click sent Forbiden.
You may use our FREE SMTP Newsletter APP at https://www.emailbat.com

Offline
***
Re: mod_security with Comodo WAF locks out everbody
« Reply #5 on: January 13, 2024, 02:55:12 AM »
It happened to every single html webiste. Even one index.html static website, at the second click sent Forbiden.

Have you tried checking the file '/usr/local/apache/logs/modsec_audit.log', searching for what reason your sites are being blocked?

Offline
**
Re: mod_security with Comodo WAF locks out everbody
« Reply #6 on: January 13, 2024, 01:17:37 PM »
I did not have the time. I just checked more than 10 CWP PRO servers and changed the mo_security NOT to work with Comodo WAF.
You may use our FREE SMTP Newsletter APP at https://www.emailbat.com

Offline
*****
Re: mod_security with Comodo WAF locks out everbody
« Reply #7 on: January 13, 2024, 06:29:43 PM »
OWASP has more false positives than Comodo.

Offline
**
Re: mod_security with Comodo WAF locks out everbody
« Reply #8 on: January 15, 2024, 06:12:40 AM »
I do not think that it was false positives. It probably was some misconfiguration after updates. It happened the same hour at every CWP PRO account.
You may use our FREE SMTP Newsletter APP at https://www.emailbat.com

Offline
*****
Re: mod_security with Comodo WAF locks out everbody
« Reply #9 on: January 15, 2024, 07:40:55 PM »
That is odd.

We use the Comodo ruleset on all of our servers, and have no reports of any problems.

But have had false positives with OWASP.

Offline
*
Re: mod_security with Comodo WAF locks out everbody
« Reply #10 on: January 16, 2024, 05:34:40 PM »
I can confirm this, wooCommerce version 8.5.1 conflicts with the latest Comodo WAF rules. As soon as wooCommerce gets updated to this version, site dies. Temporary solution is to disable mod_security on the account/domain in question.

Offline
*****
Re: mod_security with Comodo WAF locks out everbody
« Reply #11 on: January 16, 2024, 05:46:31 PM »
I would never recommend disabling Mod_Security.
Most of the attacks against our servers are WordPress attacks.

Has anyone tried cPGuard (use Malware.Expert rule set)with wooCommerce?

Offline
*****
Re: mod_security with Comodo WAF locks out everbody
« Reply #12 on: January 16, 2024, 06:23:36 PM »
Looks like wooCommerce is blaming Comodo and not something with their 8.5.1 update.
https://developer.woo.com/2024/01/16/woocommerce-8-5-1-issues-with-web-application-firewalls-modsecurity/

But since everything was working OK, I would say it is more of a problem with 8.5.1.

They do offer this as a solution also:

"If the above doesn’t work for you, disable the Order Attribution feature to prevent future users from seeing the 403 errors by going to WooCommerce > Settings > Advanced > Features and toggling the Order Attribution feature off."

Offline
*
Re: mod_security with Comodo WAF locks out everbody
« Reply #13 on: January 16, 2024, 06:28:59 PM »
"If the above doesn’t work for you, disable the Order Attribution feature to prevent future users from seeing the 403 errors by going to WooCommerce > Settings > Advanced > Features and toggling the Order Attribution feature off."

That did not seem to help, still getting 403 Forbidden error.

Offline
**
Re: mod_security with Comodo WAF locks out everbody
« Reply #14 on: January 16, 2024, 06:33:22 PM »
... Temporary solution is to disable mod_security on the account/domain in question.

No, I just switched to OSWAP rules until fix that. No need to disable mod_security.
You may use our FREE SMTP Newsletter APP at https://www.emailbat.com