Control Web Panel

WebPanel => CentOS-WebPanel GUI => Topic started by: iraqiboy90 on January 11, 2022, 03:34:32 PM

Title: Mod_Security's Security incidents wrong IP
Post by: iraqiboy90 on January 11, 2022, 03:34:32 PM
The Security Incidents tab in Security Center that shows what Mod_Security has blocked is showing the server IP as the offender for some specific types of attacks, even though the IP is something else.

(https://i.gyazo.com/313418ab6a503f9d477f1a79a03355ce.png)

Here's the audit log showing something else:

(https://i.gyazo.com/ed8d4568ab663a701259b5ed2af38192.png)

I'm running Cloudflare -> Nginx -> Varnish -> Apache (with mod_cloudflare)
Title: Re: Mod_Security's Security incidents wrong IP
Post by: Netino on January 12, 2022, 12:01:30 AM
This is a ModSecurity issue, and it will not be fixed in 2.x versions.
Check:
https://github.com/SpiderLabs/ModSecurity/issues/811

Regards,
Netino
Title: Re: Mod_Security's Security incidents wrong IP
Post by: iraqiboy90 on January 15, 2022, 11:43:18 AM
Quote from: Netino on January 12, 2022, 12:01:30 AM
This is a ModSecurity issue, and it will not be fixed in 2.x versions.
Check:
https://github.com/SpiderLabs/ModSecurity/issues/811

Regards,
Netino

Have you tried installing v3?
Title: Re: Mod_Security's Security incidents wrong IP
Post by: Netino on January 15, 2022, 10:43:38 PM
Quote from: iraqiboy90 on January 15, 2022, 11:43:18 AM
(...)
Have you tried installing v3?

No. I'm using Comodo rules, and don't know if they are compatible.
https://github.com/SpiderLabs/ModSecurity/issues/1962