Hello,
After activating your mod_security (WAF), Apache is going crazy: 2 https showing 300% CPU load. What can I do to fix this? No errors are found in the DA error_log…
Maybe this is causing it?
[Wed Oct 14 21:18:32.026852 2015] [:error] [pid 356129:tid 140654745143040] [client 86.84.217.58] ModSecurity: Access denied with code 403 (phase 2). String match within “.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/” at TX:extension. [file “/usr/local/cwaf/rules/10_HTTP_HTTP.conf”] [line “27”] [id “210730”] [msg “COMODO WAF: URL file extension is restricted by policy”] [data “.dat”] [severity “CRITICAL”] [hostname “wpad.domain.nl”] [uri “/wpad.dat”] [unique_id “Vh6qiLkMDRQABW8h1kcAAADT”]
[Wed Oct 14 21:18:49.437345 2015] [:error] [pid 356083:tid 140654923470592] [client 86.84.217.58] ModSecurity: Access denied with code 403 (phase 2). String match within “.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/” at TX:extension. [file “/usr/local/cwaf/rules/10_HTTP_HTTP.conf”] [line “27”] [id “210730”] [msg “COMODO WAF: URL file extension is restricted by policy”] [data “.dat”] [severity “CRITICAL”] [hostname “wpad.domain.nl”] [uri “/wpad.dat”] [unique_id “Vh6qmbkMDRQABW7zX40AAAAC”]
[Wed Oct 14 21:19:51.827695 2015] [:error] [pid 356083:tid 140654440937216] [client 86.84.217.58] ModSecurity: Access denied with code 403 (phase 2). String match within “.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/” at TX:extension. [file “/usr/local/cwaf/rules/10_HTTP_HTTP.conf”] [line “27”] [id “210730”] [msg “COMODO WAF: URL file extension is restricted by policy”] [data “.dat”] [severity “CRITICAL”] [hostname “wpad.domain.nl”] [uri “/wpad.dat”] [unique_id “Vh6q17kMDRQABW7zYMcAAAAw”]
[Wed Oct 14 21:20:15.186131 2015] [:error] [pid 356129:tid 140654493386496] [client 199.180.100.145] ModSecurity: Multipart parsing error (init): Multipart: Invalid boundary in C-T (characters). [hostname “domain.nl”] [uri “/”] [unique_id “Vh6q77kMDRQABW8h2EMAAADr”]
[Wed Oct 14 21:20:15.344313 2015] [:error] [pid 356129:tid 140654493386496] [client 199.180.100.145] ModSecurity: Warning. Match of “eq 0” against “REQBODY_ERROR” required. [file “/usr/local/cwaf/rules/12_HTTP_Protocol.conf”] [line “27”] [id “210230”] [msg “COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.”] [data “Multipart: Invalid boundary in C-T (characters).”] [severity “CRITICAL”] [hostname “domain.nl”] [uri “/”] [unique_id “Vh6q77kMDRQABW8h2EMAAADr”]
[Wed Oct 14 21:20:15.344388 2015] [:error] [pid 356129:tid 140654493386496] [client 199.180.100.145] ModSecurity: Access denied with code 403 (phase 2). Match of “eq 0” against “MULTIPART_STRICT_ERROR” required. [file “/usr/local/cwaf/rules/12_HTTP_Protocol.conf”] [line “30”] [id “210240”] [msg “COMODO WAF: Multipart request body failed strict validation: PE 1”] [severity “CRITICAL”] [hostname “domain.nl”] [uri “/”] [unique_id “Vh6q77kMDRQABW8h2EMAAADr”]
body.xml:1: parser warning : xmlParsePITarget: invalid name prefix ‘xml’
^
body.xml:1: parser error : ParsePI: PI xmlversion space expected
<?xmlversion="1.0"?>pingback.ping<p ^
body.xml:1: parser warning : xmlParsePITarget: invalid name prefix ‘xml’
<?xmlversion="1.0"?>pingback.ping<p ^
body.xml:1: parser error : ParsePI: PI xmlversion space expected
<?xmlversion="1.0"?>pingback.ping<p ^
body.xml:1: parser warning : xmlParsePITarget: invalid name prefix ‘xml’
<?xmlversion="1.0"?>pingback.ping<p ^
I did change the original domains to domain.nl.
Hi
The “<?xml” prefix is reserved for the first line, so the parser goes mad.
I found the same issue: xslt - php xmlParsePITarget: invalid name prefix 'xml' error - Stack Overflow
Regards, Oleg
When I look at this link: body.xml:1: parser error : ParsePI: PI xmlversion space expected | WordPress.org
It looks like an attack from WordPress? I did enable the XML-RPC rule; do I need to turn it off? I can’t see which user is creating these errors.
Hi
The logs you provided show XML-RPC attack-like activity.
So the topic you found about protection from XML-RPC attacks on WordPress can help.
As they advise, please install the Disable XML-RPC WordPress plugin (Disable XML-RPC – WordPress plugin | WordPress.org) or, better, the iThemes Security plugin (iThemes Security – WordPress plugin | WordPress.org).
Also, if you do not need XML-RPC for your site, you can rename xmlrpc.php to avoid attacks.
Regards, Oleg
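One way to triage error_log entries like the ones pasted above before deciding which rule to tune: an added example (not from this thread or from Comodo's tooling) that parses the bracketed ModSecurity fields and counts hits per rule and blocked requests per client and URI. The sample lines are constructed in the same format; addresses and hostnames are made up.

```python
import re
from collections import Counter

# ModSecurity 2.x writes [key "value"] fields into the Apache error_log; straight
# and curly quotes are both accepted because forum pastes convert them.
FIELD_RE = re.compile(r'\[(\w+) [“"]([^”"]*)[”"]\]')
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')
DENIED_RE = re.compile(r'ModSecurity: Access denied with code (\d+)')

def parse_modsec_line(line):
    # Returns a dict of fields for a ModSecurity entry, None for any other line.
    if 'ModSecurity:' not in line:
        return None
    entry = dict(FIELD_RE.findall(line))    # file, line, id, msg, data, uri, ...
    m = CLIENT_RE.search(line)
    entry['client'] = m.group(1) if m else None
    entry['denied'] = DENIED_RE.search(line) is not None   # False for "Warning." lines
    return entry

def summarize(lines):
    # Hits per (rule id, msg) and blocked requests per (client, uri). Entries
    # without [id "..."] (e.g. the bare multipart parsing error) count as 'no-id'.
    by_rule, by_client = Counter(), Counter()
    for line in lines:
        e = parse_modsec_line(line)
        if e is None:
            continue
        by_rule[(e.get('id', 'no-id'), e.get('msg', ''))] += 1
        if e['denied']:
            by_client[(e['client'], e.get('uri'))] += 1
    return by_rule, by_client

# Constructed sample lines in the format shown in the thread (values made up,
# addresses from documentation ranges); the last one is a plain Apache error.
SAMPLE = [
    '[Wed Oct 14 21:18:32 2015] [:error] [pid 1:tid 2] [client 203.0.113.5] ModSecurity: '
    'Access denied with code 403 (phase 2). String match within ".dat/" at TX:extension. '
    '[file "/usr/local/cwaf/rules/10_HTTP_HTTP.conf"] [line "27"] [id "210730"] [msg "COMODO '
    'WAF: URL file extension is restricted by policy"] [data ".dat"] [uri "/wpad.dat"]',
    '[Wed Oct 14 21:20:15 2015] [:error] [pid 1:tid 3] [client 198.51.100.9] ModSecurity: '
    'Warning. Match of "eq 0" against "REQBODY_ERROR" required. [file "/usr/local/cwaf/rules/'
    '12_HTTP_Protocol.conf"] [line "27"] [id "210230"] [msg "COMODO WAF: The request body '
    'could not be parsed."] [uri "/"]',
    '[Wed Oct 14 21:20:15 2015] [:error] [pid 1:tid 3] [client 198.51.100.9] ModSecurity: '
    'Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" '
    'required. [file "/usr/local/cwaf/rules/12_HTTP_Protocol.conf"] [line "30"] [id "210240"] '
    '[msg "COMODO WAF: Multipart request body failed strict validation: PE 1"] [uri "/"]',
    '[Wed Oct 14 21:21:00 2015] [core:error] [pid 1:tid 4] [client 203.0.113.5] AH00128: File does not exist: /var/www/x',
]
```

Run `summarize` over the real error_log lines; a single rule id dominating the counts for one host or URI (as 210730 does for /wpad.dat above) is the candidate for a targeted exception rather than for disabling the WAF.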
Thank you for your reply, but that doesn’t help me in this case. Do you have more people that have issues with Apache and high CPU load after activation of the WAF? Is there any possibility to check if I installed all Perl modules? Is there any check for it?
Hi
Yes, we have had a LiteSpeed server which had high load issues after CWAF installation.
But it was misconfigured (had keepalive issues).
Perl modules do not interfere with rule functionality. They are for the plugin interface only.
You can check how the install went by looking into the install log file located in your /tmp folder.
Regards, Oleg
Alright, maybe I need the mpm prefork then? I have worker now. Perhaps this fixes the issue?
“However, note that the threads are attached to connections and not requests - which means that a keep-alive connection always keeps ahold of a thread until it’s closed (which can be a long time, depending on your configuration). Which is why we have…” ==worker mpm.
Maybe you have some requirements for a DA server with CloudLinux? Something that’s better to install or not to use?
Unfortunately I don’t have experience with mpm prefork.
We just adjusted the net.ipv4.tcp_keepalive system variables with sysctl and turned off KeepAlive in the Apache config.
So about requirements and fine server tuning it’s better to ask the forum guys.
Regards, Oleg