Post a log line of your ModSecurity error_log for me to check it, thanks.
Sergio
Blocking WordPress Login and xmlrpc attacks with LFD
Re: Blocking WordPress Login and xmlrpc attacks with LFD
This is the exact rule I want it to fire on.
Code:
[Thu Oct 03 13:30:22.623029 2024] [security2:error] [pid 646349:tid 646389] [client ***.***.***.***:60072] [client ***.***.***.***] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\b(close|keep-alive),[\\\\t\\\\n\\\\r ]{0,1}(close|keep-alive)\\\\b" at REQUEST_HEADERS:Connection. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "70"] [id "210350"] [rev "1"] [msg "COMODO WAF: Multiple/Conflicting Connection Header Data Found||www.********.com|F|4"] [data "keep-alive, close"] [severity "WARNING"] [tag "CWAF"] [tag "Protocol"] [hostname "www.******.com"] [uri "/***/***/*****/****/styles.min.css"] [unique_id "Zv7ivsvjZEQ4Az_IRxul6wAAAc0"]
Re: Blocking WordPress Login and xmlrpc attacks with LFD
Here is the new rule:
Sergio
Code:
# BLOCKING ModSec Rules attacks
# Custom lfd rule for regex.custom.pm. CUSTOM1_LOG in csf.conf must point at the
# Apache error_log that ModSecurity writes to. Apache 2.4 logs its own
# "[client ip:port]" field first; ModSecurity then appends a bare "[client ip]",
# so $1 captures an address without a port that lfd can block. $2 is the
# ModSecurity rule id, restricted to the listed COMODO WAF rule ids.
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[\S+:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492|210710|210730|210831|210921)"\]/i)) {
	# Return values: text for lfd.log, the IP to block, a unique trigger name,
	# then the remaining positional values as documented in the header of regex.custom.pm
	return ("mod_security attack id $2",$1,"SecmasRules_ModSec","1","1");
}
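The following harness is an added example, not code from Sergio's posts or from the csf/lfd project. It copies the regex from the rule above verbatim and runs it over constructed error_log lines (the 203.0.113.x addresses and www.example.com hostnames are placeholders, since the posted line is masked) to show what lfd would and would not act on: a listed rule id fires and yields the bare IP from ModSecurity's second client field, an unlisted id and a non-ModSecurity line do not fire, and a line copied without its leading "[" fails the ^\[ anchor. Every construct in the pattern has the same meaning in Python's re as in Perl, so the outcome here is the outcome in lfd.

```python
import re

# Regex copied from the posted regex.custom.pm rule; only the Perl /i flag is
# translated to re.IGNORECASE.
LFD_MODSEC_RE = re.compile(
    r'^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[\S+:error\] \[pid \d+.*\] '
    r'\[client \S+\] \[client (\S+)\] ModSecurity.*'
    r'\[id "(210280|210350|210380|210481|210492|210710|210730|210831|210921)"\]',
    re.IGNORECASE,
)


def match_modsec_line(line):
    """Return (ip, rule_id) if the lfd rule would fire on this line, else None.

    Mirrors the rule's return values: $1 is the IP to block (ModSecurity's own
    bare [client ip] field, not Apache's [client ip:port]), $2 is the rule id.
    """
    m = LFD_MODSEC_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2)


def scan(lines):
    """Run the rule over a batch of lines, as lfd does line by line, and
    collect the IPs it would count a hit against, keyed by rule id."""
    hits = {}
    for line in lines:
        result = match_modsec_line(line)
        if result:
            ip, rule_id = result
            hits.setdefault(rule_id, []).append(ip)
    return hits


# Constructed sample lines in the Apache 2.4 / ModSecurity 2.9 error_log
# format shown in the thread. Addresses are from the RFC 5737 documentation
# range; hostnames and URIs are placeholders.
SAMPLE_LINES = [
    # Same rule id as the posted line: the rule should fire on this one.
    '[Thu Oct 03 13:30:22.623029 2024] [security2:error] [pid 646349:tid 646389] '
    '[client 203.0.113.45:60072] [client 203.0.113.45] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "\\\\b(close|keep-alive),[\\\\t\\\\n\\\\r ]{0,1}(close|keep-alive)\\\\b" at REQUEST_HEADERS:Connection. '
    '[file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "70"] '
    '[id "210350"] [rev "1"] [msg "COMODO WAF: Multiple/Conflicting Connection Header Data Found||www.example.com|F|4"] '
    '[data "keep-alive, close"] [severity "WARNING"] [tag "CWAF"] [tag "Protocol"] '
    '[hostname "www.example.com"] [uri "/wp-login.php"] [unique_id "Zv7ivsvjZEQ4Az_IRxul6wAAAc0"]',
    # A ModSecurity hit whose rule id is not in the list: must not fire.
    '[Thu Oct 03 13:31:02.100000 2024] [security2:error] [pid 646349:tid 646390] '
    '[client 203.0.113.46:50001] [client 203.0.113.46] ModSecurity: Warning. Pattern match "constructed" at ARGS. '
    '[id "999999"] [msg "constructed: id not in the rule list"] [hostname "www.example.com"] [uri "/xmlrpc.php"]',
    # A core Apache error with a single [client ip:port] field: must not fire.
    '[Thu Oct 03 13:31:05.000000 2024] [core:error] [pid 646349:tid 646391] '
    '[client 203.0.113.47:50002] AH00135: Invalid method in request',
]


if __name__ == "__main__":
    for rule_id, ips in scan(SAMPLE_LINES).items():
        print(f"rule {rule_id}: lfd would act on {', '.join(ips)}")
    # A line pasted without its leading "[" never matches because of the ^\[ anchor.
    print("without leading bracket:", match_modsec_line(SAMPLE_LINES[0][1:]))
```

When checking a rule against a real error_log, feed the whole line including the opening bracket; the IP returned must be the bare address from the second client field, otherwise lfd would be handed an "ip:port" string it cannot block.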