Rules for individual configs (websites) not working

Hi,

Today I got 2 complaints of sites suddenly not working. I checked and found mod security rules were hit.

I then did a check under the config for the sites and those rules were already off for both sites. But they were on globally for the rest.

However, the customers are still hitting those rules.

If I however disable the rules globally then both clients' sites work perfectly.

Is there something I’m missing? I’m sure this was working before :frowning:

Hi,

It’s quite difficult to answer your question without configuration file examples and structure. Also, I would like to know what software you use. Do you use our plugin with some WHMS (cPanel/Plesk) or is it a standalone install?
What kind of web-server is used (Apache/LiteSpeed)? What was changed on your server today?

We use LiteSpeed and cPanel.

I’m going to try and reinstall Comodo WAF rules tonight and see.

Ok, please provide the content of the /var/cpanel/cwaf/etc/httpd/domains folder and the HTTP request which led to the triggering of mod_security.
Blocking of domains is implemented with the SERVER_NAME directive.

For example:

SecRule SERVER_NAME "(?:.*\.)?ftp\.site\.com(?::80)?|(?:.*\.)?site\.com(?::80)?" "phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off,id:12345"

It seems the blocked domains were requested with a SERVER_NAME not matching the pattern.
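
One way to test that hypothesis offline, added here as an example that is not part of the thread and not Comodo's tooling: parse a per-domain exclusion rule and check which SERVER_NAME values it would switch the rule engine off for. The function names and sample hostnames are constructed, and Python's `re` is assumed to behave like ModSecurity's regex engine for this pattern.

```python
import re

# The exclusion rule quoted in the post above (placeholder domain and id).
RULE = r'SecRule SERVER_NAME "(?:.*\.)?ftp\.site\.com(?::80)?|(?:.*\.)?site\.com(?::80)?" "phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off,id:12345"'

# SecRule SERVER_NAME "<operator/pattern>" "<actions>"; escaped quotes stay raw.
RULE_RE = re.compile(r'^\s*SecRule\s+SERVER_NAME\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"')


def parse_exclusion(line):
    """Return (rule_id, regex, lowercase) for a SERVER_NAME rule that
    sets ctl:ruleEngine=Off, or None for any other line."""
    m = RULE_RE.match(line)
    if not m:
        return None
    pattern = m.group(1)
    actions = [a.strip() for a in m.group(2).split(",")]
    if "ctl:ruleEngine=Off" not in actions:
        return None
    if pattern.startswith("@rx "):
        pattern = pattern[4:]          # explicit form of the default operator
    elif pattern.startswith("@"):
        return None                    # other operators are not modelled here
    rule_id = next((a[3:] for a in actions if a.startswith("id:")), None)
    return rule_id, re.compile(pattern), "t:lowercase" in actions


def engine_disabled_for(server_name, rule_lines):
    """Return the id of the first exclusion rule matching server_name, else None."""
    for line in rule_lines:
        parsed = parse_exclusion(line)
        if parsed is None:
            continue
        rule_id, regex, lowercase = parsed
        value = server_name.lower() if lowercase else server_name
        if regex.search(value):        # @rx is an unanchored, case-sensitive search
            return rule_id
    return None


# Constructed SERVER_NAME values as they might appear in an audit log entry.
SAMPLES = ["site.com", "www.site.com", "site.com:443", "SITE.COM", "192.0.2.10"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:16} -> exclusion rule: {engine_disabled_for(name, [RULE])}")
```

Feeding it the lines from the domains folder and the host value from the blocked request shows whether any exclusion rule applies to that request; with the sample rule, an upper-case host or a request made by IP address returns `None`, so the global rules stay active for it.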

Thank god it’s not only us with the same problem.
We also have problems with Comodo on a LiteSpeed server. It’s not working to disable rules on accounts/domain. We had to disable the whole rule on all LiteSpeed servers.
Please get a fix on this ASAP.

If you need any logs, do not hesitate to ask!

Any reply from Comodo on the issues with LiteSpeed rules?

Hi

We didn’t receive configs from sahostking yet.

Can you please provide us the content of your /var/cpanel/cwaf/etc/httpd/domains folder and the HTTP request which led to the triggering of mod_security for the domain?
If it’s sensitive information, PM it to me.
Thanks in advance.