Comodo Mod_security - LiteSpeed Cache 403 — CyberPanel - WebHosting Control Panel for OpenLiteSpeed

Comodo Mod_security - LiteSpeed Cache 403

edited November 8 in General Discussion

I've enabled Comodo because we have been experiencing attacks on

- xmlrpc.php
- admin-ajax.php

resulting in 100% CPU usage for long periods, even though we used Cloudflare and the Wordfence plugin.

The Comodo rules worked excellently, mitigating the attack impact. But I have one single problem that I don't know how to whitelist.

The Comodo rule 00_Init_Initialization.conf, which is the one that protects us from the attacks, does not allow me to save any Page Optimization configuration in LiteSpeed Cache (but other configs like Cache are no problem). When it is disabled, there is no problem saving configs in the plugin, but attacks increase.

How could I create a whitelist rule for LiteSpeed Cache?

2020-11-08 17:30:58.196176 [INFO] [] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Contains' with parameter `wp-admin/admin.php' against variable `REQUEST_URI' (Value: `/wp-admin/admin.php?page=litespeed-page_optm' ) [file "/usr/local/lsws/conf/modsec/comodo/25_Apps_WPPlugin.conf"] [line "234"] [id "221450"] [rev "1"] [msg "COMODO WAF: SQL injection vulnerability in the WP Rss Poster plugin 1.0.0 for WordPress (CVE-2014-4938)|||F|2"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/wp-admin/admin.php"] [unique_id "160485665829.811499"] [ref "o1,18v5,44"]
2020-11-08 17:30:58.203185 [INFO] [] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Rx' with parameter `[\[\]\x22',()\.]{10}$|(?:union\s+all\s+select\s+(?:(?:null|\d+),?)+|order\s+by\s+\d{1,4}|(?:and|or)\s+\d{4}=\d{4}|waitfor\s+delay\s+'\d+:\d+:\d+'|(?:select|and|or)\s+(?:(?:pg_)?sleep\(\d+\)|\d+\s*=\s* (397 characters omitted)' against variable `ARGS:media-placeholder_resp_svg' (Value: `<svg xmlns="" width="{width}" height="{height}" viewBox="0 0 {width} {heig (60 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/comodo/21_SQL_SQLi.conf"] [line "116"] [id "218500"] [rev "7"] [msg "COMODO WAF: SQLmap attack detected|||F|2"] [data "Matched Data: get found within REQUEST_FILENAME: /wp-admin/admin.php"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/wp-admin/admin.php"] [unique_id "160485665829.811499"] [ref "v5,19o148,12v6334,160t:urlDecodeUni,t:lowercase"]
2020-11-08 17:30:58.203252 [INFO] [] [Module:Mod_Security]Intervention status code triggered: 403
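
Before writing any whitelist rule, it helps to read the log above for exactly which rule id fired on which request variable in the blocked transaction. The following is an added example, not part of the original post and not CyberPanel, Comodo or LiteSpeed code; the function names are hypothetical and the sample input is the post's three log lines with the long parameter and value shortened.

```python
import re

# Constructed sample: the three log lines from the post, with the long
# operator parameter, the values and some trailing tags shortened or dropped.
SAMPLE_LOG = r'''
2020-11-08 17:30:58.196176 [INFO] [] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Contains' with parameter `wp-admin/admin.php' against variable `REQUEST_URI' (Value: `/wp-admin/admin.php?page=litespeed-page_optm' ) [file "/usr/local/lsws/conf/modsec/comodo/25_Apps_WPPlugin.conf"] [line "234"] [id "221450"] [uri "/wp-admin/admin.php"] [unique_id "160485665829.811499"]
2020-11-08 17:30:58.203185 [INFO] [] [Module:Mod_Security] ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:media-placeholder_resp_svg' (Value: `<svg ...' ) [file "/usr/local/lsws/conf/modsec/comodo/21_SQL_SQLi.conf"] [line "116"] [id "218500"] [uri "/wp-admin/admin.php"] [unique_id "160485665829.811499"]
2020-11-08 17:30:58.203252 [INFO] [] [Module:Mod_Security]Intervention status code triggered: 403
'''

VARIABLE = re.compile(r"against variable `([^']+)'")
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')          # [id "218500"], [file "..."], ...
BLOCKED = re.compile(r"Intervention status code triggered: (\d{3})")

def blocked_matches(log_text):
    """Return one dict per rule match that belongs to a blocked transaction."""
    by_txn, blocked, last_txn = {}, {}, None
    for line in log_text.splitlines():
        var = VARIABLE.search(line)
        if var:
            tags = dict(TAG.findall(line))
            last_txn = tags.get("unique_id")
            by_txn.setdefault(last_txn, []).append({
                "id": tags.get("id"),
                "file": tags.get("file", "").rsplit("/", 1)[-1],
                "variable": var.group(1),
                "uri": tags.get("uri")})
            continue
        hit = BLOCKED.search(line)
        # Assumption: the intervention line carries no unique_id of its own
        # and directly follows the warnings of the transaction it ended.
        if hit and last_txn is not None:
            blocked[last_txn] = int(hit.group(1))
    return [dict(m, txn=txn, status=blocked[txn])
            for txn, matches in by_txn.items() if txn in blocked
            for m in matches]

def exclusion_candidates(matches):
    """Keep only matches on one named argument: those can be excluded per
    argument without switching the rule off for every other request."""
    return sorted({(m["id"], m["variable"]) for m in matches
                   if m["variable"].startswith("ARGS:")})

if __name__ == "__main__":
    for rule_id, variable in exclusion_candidates(blocked_matches(SAMPLE_LOG)):
        print(f"rule {rule_id} fired on {variable}")
```

Each (rule id, argument) pair it reports is the narrowest thing to exclude; ModSecurity's `SecRuleUpdateTargetById` directive is one way to express a per-argument exclusion, which keeps the rest of the Comodo rule set active. The `REQUEST_URI` match is deliberately not reported as a candidate, since removing that target would disable the rule for every request.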

