comodo waf plugin and modsecurity

aros

Verified User
Joined
Jan 12, 2017
Messages
28
Hi,
Thanks to the Comodo WAF plugin, it was installed easily:

cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset comodo
./build modsecurity
./build modsecurity_rules
./build rewrite_confs

Now we have a problem with pictures being only partially uploaded to one website hosted on the server, which was solved when we switched off "Request Body Access" in the Security Engine tab of the plug-in.
Also, a table was deleted from a database after installing and running Comodo WAF (not sure if it is related to Comodo WAF!).

What is the preferred Comodo WAF configuration for website hosting servers?

CentOS 7.6
php 7.2
php 5.6


Regards
 

Edit the modsec conf and change the Request Body Access and empty request body to the desired number, and restart Apache/nginx.
 
Open the DirectAdmin web interface.
Click the 'Comodo WAF 2.24.4' link.
Click the 'UserData' tab.
In the form field 'custom rules' add the following:
SecRequestBodyNoFilesLimit 131072000

That's 10 times the default limit.
If it is still not enough, increase it even more.

(It's recommended not to edit this stuff directly in the files themselves on the server but through the web interface, because DirectAdmin might overwrite custom edits when rebuilding/updating to new versions, overwriting your custom settings if they were not made through the web interface.)
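As an added illustration (not code from the thread or the plugin), the following Python checker parses a UserData custom-rules fragment and flags the traps behind the two workarounds discussed in this thread: switching Request Body Access off, which stops ModSecurity inspecting POST bodies altogether, versus raising the body limits, plus a global SecRuleRemoveById. Both fragments are constructed samples; the directive semantics are those of the ModSecurity 2 reference.

```python
import re

# Constructed UserData fragments (not from the thread): the workaround of
# switching Request Body Access off, and the alternative of raising the limits.
BODY_ACCESS_OFF = "SecRequestBodyAccess Off\n"
RAISED_LIMITS = """\
SecRequestBodyAccess On
SecRequestBodyLimit 134217728
SecRequestBodyNoFilesLimit 131072000
SecRequestBodyLimitAction ProcessPartial
SecRuleRemoveById 920350
"""

DIRECTIVE_RE = re.compile(r"^\s*(Sec\w+)\s+(.+?)\s*$")

def parse_directives(text):
    """Collect Sec* directives from a fragment; a repeated directive keeps its last
    value, as a later line overrides an earlier one in the same Apache scope.
    SecRuleRemoveById is accumulated as a list of excluded rule ids."""
    found = {"SecRuleRemoveById": []}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if name == "SecRuleRemoveById":
            found[name].extend(value.split())
        else:
            found[name] = value
    return found

def review(text):
    """Return the findings a reviewer would raise about the fragment."""
    d = parse_directives(text)
    findings = []
    if d.get("SecRequestBodyAccess", "").lower() == "off":
        findings.append("body inspection off: POST parameters and uploads are never checked")
    limit = int(d.get("SecRequestBodyLimit", 0))
    nofiles = int(d.get("SecRequestBodyNoFilesLimit", 0))
    if limit and nofiles > limit:
        findings.append("SecRequestBodyNoFilesLimit above SecRequestBodyLimit never takes effect")
    if d.get("SecRequestBodyLimitAction", "").lower() == "processpartial":
        findings.append("ProcessPartial: bytes beyond SecRequestBodyLimit pass through uninspected")
    for rid in d["SecRuleRemoveById"]:
        findings.append(f"rule {rid} removed globally; scope it with ctl:ruleRemoveById if one site needs it")
    return findings
```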
 
When I use these commands I have only Comodo rules, right?
What is modsecurity_rules?
What is the best, Comodo rules or OWASP, for nginx_apache?
 
CSF doesn't ban the IP, and I use lf_modsec to ban, but nothing.

ModSecurity is working OK.

When I test
Code:
https://www.domain.com/?q="><script>alert(1)</script>
406 - error
Not Acceptable
An appropriate representation of the requested resource could not be found on this server.
 
Thanks
Any other useful "custom rules" which are usually added there?
 


Thanks a lot. You saved me!
 
Thanks
Any other useful "custom rules" which are usually added there?

If you have rules that generate false positives you can exclude that rule in the same UserData field:

Code:
SecRuleRemoveById xxxxxx

If you have fail2ban configured to read the ModSecurity logs to ban repeat offenders, make sure to unban the wrongly banned IP numbers. (IP numbers that were falsely added by a modsec rule need to be unbanned; just excluding the rule does not unban them.)

To see the banned IPs per jail:
Code:
ipset list

To unban an IP:
Code:
fail2ban-client unban xxx.xxx.xxx.xxx
 
Comodo WAF plugin installation completed; after opening the GUI in the admin panel I get this error:
cp: cannot stat '/etc/nginx/nginx-modsecurity.conf': No such file or directory
chown: cannot access '/usr/local/cwaf/conf/modsec2_plugin.conf': No such file or directory
can't read config /usr/local/cwaf/conf/modsec2_plugin.conf at /usr/local/cwaf/modules/CPAN/lib/Comodo/CWAF/ModSecurity.pm line 75.
Compilation failed in require at /usr/local/directadmin/plugins/comodo_waf/admin/index.pl line 13.
BEGIN failed--compilation aborted at /usr/local/directadmin/plugins/comodo_waf/admin/index.pl line 13.
 


Now CSF is working with OWASP, maybe due to some update from CSF or OWASP, but now it is banning the IPs ;)


IP: xxxxxx
Failures: 5 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block [LF_MODSEC]

Log entries:

[Wed Jan 06 15:00:35.889112 2021] [:error] [pid 2147:tid 139674525648640] [client xxxxxxxx] [client xxxxxxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "xxxxxxx"] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "xxxxxx"] [uri "/"] [unique_id "X-XQk1VwIpFeV0RSZ@0qPwAAAX0"]
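As an added example (not from the thread, CSF or the plugin), the Python below parses lines in the same error-log layout as the entry above and re-derives what LF_MODSEC reported: it counts denials per client inside a 3600-second window and tallies which rule fired, so a single rule hitting many clients (here 920350, the one an earlier reply would exclude with SecRuleRemoveById) can be reviewed before anyone is banned. The sample lines, client addresses and hostnames are constructed; only IPv4 clients are handled.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One 'Access denied' line in the Apache 2.4 error-log layout quoted above
# (IPv4 clients only; the first [client ...] also carries the source port).
DENIAL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid [^\]]+\] \[client (?P<ip>[\d.]+)(?::\d+)?\]"
    r".*?ModSecurity: Access denied with code (?P<code>\d+)")
FIELD_RE = re.compile(r'\[(id|msg|hostname|uri) "([^"]*)"\]')

def parse_denial(line):
    """Return the useful fields of one denial line, or None for any other line."""
    m = DENIAL_RE.match(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(line))
    return {"time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
            "ip": m["ip"], "code": int(m["code"]),
            "rule_id": f.get("id"), "msg": f.get("msg"), "host": f.get("hostname")}

def repeat_offenders(events, failures=5, interval=3600):
    """IPs with at least `failures` denials inside one `interval`-second window:
    the same 5-in-3600s policy the LF_MODSEC block above reports."""
    times_by_ip = defaultdict(list)
    for e in events:
        times_by_ip[e["ip"]].append(e["time"])
    window, flagged = timedelta(seconds=interval), set()
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= failures:
                flagged.add(ip)
                break
    return flagged

def rule_tally(events):
    """Denials per (rule id, message); one rule dominating across many clients,
    like 920350 on a host reached by its bare IP, is the first exclusion candidate."""
    return Counter((e["rule_id"], e["msg"]) for e in events)

# Constructed sample log (documentation IPs) in the same layout as the thread's entry.
def _line(h, mnt, ip, rid, msg):
    return (f"[Wed Jan 06 {h:02d}:{mnt:02d}:00.000000 2021] [:error] [pid 2147:tid 1] "
            f"[client {ip}:51234] [client {ip}] ModSecurity: Access denied with code 406 "
            f'(phase 2). [id "{rid}"] [msg "{msg}"] [hostname "198.51.100.5"] [uri "/"]')

NUMERIC_HOST = ("920350", "Host header is a numeric IP address")
SAMPLE_LOG = (
    [_line(15, m, "203.0.113.10", *NUMERIC_HOST) for m in range(5)]  # 5 in 4 min: flagged
    + [_line(15 + 25 * k // 60, 25 * k % 60, "203.0.113.30", *NUMERIC_HOST) for k in range(5)]  # 25 min apart: not
    + [_line(15, 7, "203.0.113.20", "941100", "XSS Attack Detected via libinjection")]
    + ["[Wed Jan 06 15:08:00.000000 2021] [mpm_prefork:notice] [pid 1] AH00163: resuming normal operations"])
```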
 
Comodo Waf Plugin Installation complete after open gui in admin panel getting error
cp: cannot stat '/etc/nginx/nginx-modsecurity.conf': No such file or directory
chown: cannot access '/usr/local/cwaf/conf/modsec2_plugin.conf': No such file or directory
can't read config /usr/local/cwaf/conf/modsec2_plugin.conf at /usr/local/cwaf/modules/CPAN/lib/Comodo/CWAF/ModSecurity.pm line 75.
Compilation failed in require at /usr/local/directadmin/plugins/comodo_waf/admin/index.pl line 13.
BEGIN failed--compilation aborted at /usr/local/directadmin/plugins/comodo_waf/admin/index.pl line 13.
I also have this error.
Any advice?
 
I get these errors when trying to enable ModSecurity with Comodo Rules (2.24.5 installed by DirectAdmin CustomBuild 2) and OpenLiteSpeed:

cp: cannot stat '/etc/nginx/nginx-modsecurity.conf': No such file or directory
chown: cannot access '/usr/local/cwaf/conf/modsec2_plugin.conf': No such file or directory
can't read config /usr/local/cwaf/conf/modsec2_plugin.conf at /usr/local/cwaf/modules/CPAN/lib/Comodo/CWAF/ModSecurity.pm line 75.
Compilation failed in require at /usr/local/directadmin/plugins/comodo_waf/admin/index.pl line 13.
BEGIN failed--compilation aborted at /usr/local/directadmin/plugins/comodo_waf/admin/index.pl line 13.

This article says that OpenLiteSpeed is not compatible with Comodo Rules 2, only with version 3.0

How can we fix this in DA and CustomBuild?
 
Is there an answer to this one? I have the same error using OpenLiteSpeed.
 