csf.conf has the following:
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
MODSEC_LOG = "/usr/local/lsws/logs/error.log
I even tried...
MODSEC_LOG = "/usr/local/lsws/logs/modsec_audit.log"
The error.log shows this...
Code: Select all
2020-06-07 13:20:34.473462 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155403427.436882"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
2020-06-07 13:20:34.473510 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155403427.436882"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
2020-06-07 13:20:34.473559 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security]Intervention status code triggered: 403
2020-06-07 13:20:34.473576 [INFO] [108.162.220.89:20120#danielsblog.org] [Module:Mod_Security]Log Message: [client 174.244.80.206] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "Generic"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155403427.436882"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
Code: Select all
---5Iq8Szbw---A--
[07/Jun/2020:13:21:28 -0500] 159155408883.519983 174.244.80.206 55734 www.danielsblog.org 443
---5Iq8Szbw---B--
GET /?a=../../etc/passwd HTTP/1.1
Cdn-Loop: cloudflare
Cf-Connecting-Ip: 174.244.80.206
Cf-Request-Id: 03319d363900000ec2103d7200000001
x-forwarded-for: 174.244.80.206
cache-control: no-cache
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cf-Ray: 59fc649d2fca0ec2-DFW
pragma: no-cache
host: www.danielsblog.org
Cf-Ipcountry: US
user-agent: Mozilla/5.0 (iPhone; CPU OS 13_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/26.0 Mobile/15E148 Safari/605.1.15
Cf-Origin-Https: on
X-Forwarded-Proto: https
cookie: wphc_seen=1; _ga=GA1.2.900538470.1560083748; __cfduid=de3e89cd17350eddbac5deef44f75c5001564151543
accept-language: en-us
Cf-Visitor: {"scheme":"https"}
---5Iq8Szbw---F--
HTTP/1.1 403
Content-Type: text/html
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
---5Iq8Szbw---H--
ModSecurity: Warning. Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155408883.519983"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
ModSecurity: Warning. Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155408883.519983"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `cpanel' against variable `REQUEST_URI' (Value: `/?a=../../etc/passwd' ) [file "/usr/local/lsws/modsec/comodo/02_Global_Generic.conf"] [line "74"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||www.danielsblog.org|F|2"] [data "Matched Data: 174.244.80.206 found within REQUEST_FILENAME: /"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "Generic"] [hostname "www.danielsblog.org"] [uri "/"] [unique_id "159155408883.519983"] [ref "v4,1o5,5v8,16t:cmdLinev4,20"]
---5Iq8Szbw---Z--
I have similar setup on cPanel servers with Litespeed Enterprise and they all work. Anyone have any idea why this wont work?