Hi, could someone please tell me where I find the logs for blocked IPs, please? I have some customers getting blocked on their own site and need to know why.
Hi,
Usually these logs are modsec_audit.log and web-server error.log.
I see in modsec_debug.log a lot of Access denied with code 403, and some customers get blocked when they click publish on their blogs.
How would I stop this from blocking them, please?
You can just exclude the blocking rules.
Hi, thanks for the replies. How do I exclude some of the rules, please?
Better don't use XSS rules. All those rules are unreliable, and for smooth functioning you should disable the whole XSS group.
Hi, is that really best? I have 96 of them active.
Mostly XSS rules are responsible for these false positives. In your issue also it's because of XSS.
Hi
You can exclude rules through CWAF plugin (‘Catalog’ tab, turn desired rules/groups off),
or through command line interface by running cwaf-cli.pl, located in scripts directory:
Usage: ./cwaf-cli.pl [arguments]
Arguments:
-h, --help - this help message
-l, --domain_list - show list of domains
-f, --force_domain - apply domain even if it not found
Exclude rules:
-d, --domain - set domain for exclude operation (global exclude list if not specified)
-xa, --exclude_add [rule_ID1 rule_ID2...] - add rules to exclude list
-xd, --exclude_del [rule_ID1 rule_ID2...] - remove rules from exclude list
-xl, --exclude_list - show list of excluded rules
…
If you use cPanel Vendor: Modsecurity Tools - Rules List - Search (ruleId) - Disable button.
Regards, Oleg
OK, thanks, I will disable all 96 XSS rules in the plugin.
Hi, I still get some customers who run forums getting this message below, and I have disabled the XSS rules:
Several people have said they can get on the main page but can’t get
anywhere after that, they get a 403 or 404 error.
What did your logs say?
Hi, do you mean the logs in modsec_debug.log?
You need to look for the path:
https://documentation.cpanel.net/display/EA/Apache+Module:+ModSecurity
/usr/local/apache/logs/modsec_audit.log
Thanks, downloading it now. The file is 1.5Gb in size.
There is no need to download. Something like “cat /usr/local/apache/logs/modsec_audit.log | grep username-of-account” can show you info. You can change the command as per your need.
You can also use the GUI provided in your WHM. Search for ModSecurity™ Tools and check inside.
Hi, so I just log in via ssh and use cat /usr/local/apache/logs/modsec_audit.log | grep with any of the user names?
You can use something like:
perl -ne 'BEGIN { $/="-Z--\n"; } print if /Forbidden/;' /usr/local/apache/logs/modsec_audit.log
This will search for all Forbidden errors. Replace Forbidden with the IP address if you know the client IP.
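To go from the record search above to the rule IDs that are blocking each site (the IDs the exclude list takes), here is an added example that is not part of the thread or of any CWAF tooling. It assumes the serial audit-log layout with parts A, B and H enabled; the function names, hostnames and rule ids are hypothetical, and the sample log is constructed.

```python
import re
from collections import Counter
# Constructed sample in ModSecurity 2.x serial audit-log layout; hosts and rule ids are placeholders.
SAMPLE = """\
--aaaa0001-A--
[10/Mar/2024:10:15:02 +0000] uid0001 203.0.113.7 51234 192.0.2.10 443
--aaaa0001-B--
POST /wp-admin/post.php HTTP/1.1
Host: blog.example.com
--aaaa0001-H--
Message: Access denied with code 403 (phase 2). [id "999001"] [msg "constructed"]
--aaaa0001-Z--
--aaaa0002-A--
[10/Mar/2024:10:16:40 +0000] uid0002 198.51.100.9 40100 192.0.2.10 443
--aaaa0002-B--
GET /forum/viewtopic.php?t=5 HTTP/1.1
Host: forum.example.com
--aaaa0002-H--
Message: Warning. [id "999003"] [msg "constructed, non-blocking"]
Message: Access denied with code 403 (phase 2). [id "999002"] [msg "constructed"]
--aaaa0002-Z--
"""
BOUNDARY = re.compile(r"^--[0-9A-Za-z]+-([A-Z])--$")

def transactions(lines):
    """Yield {part letter: [lines]} for every record closed by a -Z-- boundary."""
    txn, part = {}, None
    for line in map(str.rstrip, lines):
        m = BOUNDARY.match(line)
        if not m:
            txn.setdefault(part, []).append(line)
        elif m.group(1) == "Z":
            yield txn
            txn = {}
        else:
            part = m.group(1)

def blocked_rules(lines, client_ip=None):
    """Count (host, rule id) for denied requests, optionally for one client IP."""
    counts = Counter()
    for txn in transactions(lines):
        a = (txn.get("A") or [""])[0].split()  # [time, tz, unique id, client IP, ...]
        if client_ip and (len(a) < 4 or a[3] != client_ip):
            continue
        host = next((l.split(":", 1)[1].strip() for l in txn.get("B", [])
                     if l.lower().startswith("host:")), "?")
        denied = [m for m in txn.get("H", []) if m.startswith("Message: Access denied")]
        counts.update((host, r) for m in denied for r in re.findall(r'\[id "(\d+)"\]', m))
    return counts
```

Passing an open file object, for example `open("/usr/local/apache/logs/modsec_audit.log", errors="replace")`, as `lines` streams the log line by line, so a 1.5Gb file is processed on the server without loading it into memory. Rules that only logged a warning are not counted, only the ones that denied the request.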