However, when I log in to a WordPress site I get blocked by fail2ban. I checked the modsec_audit.log and I see it logged all the HTML code from the site.
How can I prevent this from happening?
Apart from being blocked, I noticed that when a user is logged in to WordPress everything is logged to modsec_audit.log; by everything I mean the HTML/PHP code from the WordPress site, which makes the log huge.
Please provide us your mod_security configuration.
Are you using CWAF rules or another ruleset?
What version of mod_security do you have?
What web server is installed (Apache, LiteSpeed, Nginx)?
Do you have any web hosting panel on your server (cPanel, Plesk, etc.)?
If you are using CWAF rules, are you using the CWAF plugin or vendor?
I am using Webmin and the Comodo WAF plugin with Comodo rules.
I have the latest version of ModSecurity, 2.9.
The web server is Apache 2.2 with CentOS 6.7.
I also have google mod_pagespeed and zend opcache
I have installed the client using cwaf_client_install.sh.
I haven't changed anything apart from placing a few country blocks in custom rules, which by the way work great.
I am new to ModSecurity so I don't know if it is normal to see full web pages with HTML, PHP, etc. in the modsec_audit.log.
Here is what I see in modsec_audit.log just before a full webpage is loaded in the log:
It seems you installed mod_security and some ruleset as a dependency (core rule set?).
With CWAF enabled you don't need the configuration file (/etc/httpd/conf.d/modsecurity.conf) from this ruleset.
Please rename it to some other name so its directives will not interfere with the CWAF modsecurity directives:
Now your Apache conf.d directory will contain only the CWAF modsecurity-related config (zzzz_cwaf_security2.conf).
Please try to restart Apache and check whether the modsec_audit.log issue is fixed.
I have realized that even after renaming modsecurity.conf the problem persisted, so I disabled the rule "214560: Potential Obfuscated Javascript in Output - Excessive fromCharCode" and now it seems the problem is solved.
Now when I log in to a WordPress site no more HTML code is loaded into the modsec log.
I hope this does not indicate some misconfiguration?
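An added example, not part of the thread or of CWAF: a small script that reads a ModSecurity audit log and reports, per rule ID, how many transactions it flagged and how many bytes of logged response body (audit log part E) came with them, which is how a rule such as 214560 can be tied to the log growth described above. It assumes the serial audit log layout with `--<id>-<part>--` boundaries; the sample log, rule 999001 and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")  # e.g. --1a2b3c4d-E--
RULE_ID = re.compile(r'\[id "(\d+)"\]')                  # rule id inside part H messages

# Constructed sample in serial audit-log layout (not taken from the thread).
SAMPLE_LOG = """\
--1a2b3c4d-A--
[01/Jan/2016:10:00:00 +0000] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 40000 192.0.2.1 80
--1a2b3c4d-B--
POST /wp-login.php HTTP/1.1
--1a2b3c4d-E--
<html><script>String.fromCharCode(60,112,62)</script></html>
--1a2b3c4d-H--
Message: Warning. [id "214560"] [msg "Potential Obfuscated Javascript in Output - Excessive fromCharCode"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[01/Jan/2016:10:00:05 +0000] BBBBBBBBBBBBBBBBBBBBBBBB 192.0.2.10 40001 192.0.2.1 80
--5e6f7a8b-B--
GET /index.php HTTP/1.1
--5e6f7a8b-H--
Message: Warning. [id "999001"] [msg "constructed placeholder rule"]
--5e6f7a8b-Z--
"""

def body_bytes_by_rule(log_text):
    """Return {rule_id: {"hits": n, "body_bytes": total size of part E}}."""
    stats = defaultdict(lambda: {"hits": 0, "body_bytes": 0})
    part, body, ids = None, 0, set()
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(2)
            if part == "Z":  # end of transaction: attribute its body to each rule seen
                for rid in ids:
                    stats[rid]["hits"] += 1
                    stats[rid]["body_bytes"] += body
                body, ids = 0, set()
        elif part == "E":    # logged response body (the HTML filling the log)
            body += len(line.encode()) + 1  # +1 for the newline
        elif part == "H":    # audit trailer holding the rule messages
            ids.update(RULE_ID.findall(line))
    return dict(stats)

if __name__ == "__main__":
    ranked = sorted(body_bytes_by_rule(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["body_bytes"])
    for rid, s in ranked:
        print(rid, s)
```

Rules that show a large `body_bytes` total are the ones whose matches bring whole pages into the log, so they are the candidates to review before changing or disabling anything.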