strange bruteforce issue

Seems when I restart Apache sometimes all works well:

[Tue Sep 22 10:03:25.002394 2015] [:error] [pid 556716:tid 139809366443776] [client 82.146.43.146] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at IP:multiple_username_count. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/09_Bruteforce_Bruteforce.conf"] [line "58"] [id "230011"] [msg "COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication."] [data "Current Username: domainname"] [hostname "domainname"] [uri "/wp-login.php"] [unique_id "VgELTMXyRKIACH6scrEAAAIJ"]

But then after a few minutes:

[Tue Sep 22 10:13:57.276896 2015] [:error] [pid 556781:tid 139809387423488] [client 82.146.43.146] ModSecurity: collection_store: Failed to write to DBM file "/var/cpanel/secdatadir/ip": Invalid argument [hostname "domainname"] [uri "/wp-login.php"] [unique_id "VgENxcXyRKIACH7t8XkAAAAH"]

Then I never seem to get the top one again.

It's like the file gets corrupted or just breaks on cPanel. Weird.

Hi

Can it be the cause of the issue?

"Invalid argument [hostname "domainname"]"

For example, the cPanel domain name is corrupted.

Regards, Oleg

No :) I just took it out before pasting it here. My own personal rule is to not post links to customers' websites on forums etc.

Ahh, got it :)

By the way, is mod_ruid2 enabled?
Found this topic on the cPanel forum discussing the issue.

Regards, Oleg

Just Apache MPM Event with Cloudlinux, mod_lsapi.

It does not seem to happen when I switch back to LiteSpeed, but I guess the LiteSpeed Comodo rules do not have all the rules that the Apache ones do.

The difference between the LS and Apache rulesets is as minimal as possible.
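
An added example, not part of any post in this thread: a Python triage of an Apache error log for the symptom reported above. It counts blocks by rule 230011 against `collection_store` DBM write failures and flags the case where the rule goes silent once the failures begin. The function name `triage` and the sample log lines (documentation IP, placeholder hostname) are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the Apache 2.4 error-log shape quoted in the thread
# (client IP is a documentation address, hostname is a placeholder).
SAMPLE_LOG = '''\
[Tue Sep 22 10:03:25.002394 2015] [:error] [pid 1:tid 1] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at IP:multiple_username_count. [id "230011"] [msg "COMODO WAF: Multiple Username Violation"] [uri "/wp-login.php"]
[Tue Sep 22 10:13:57.276896 2015] [:error] [pid 2:tid 2] [client 203.0.113.7] ModSecurity: collection_store: Failed to write to DBM file "/var/cpanel/secdatadir/ip": Invalid argument [hostname "example.test"] [uri "/wp-login.php"]
[Tue Sep 22 10:14:02.100000 2015] [:error] [pid 2:tid 3] [client 203.0.113.7] ModSecurity: collection_store: Failed to write to DBM file "/var/cpanel/secdatadir/ip": Invalid argument [hostname "example.test"] [uri "/wp-login.php"]
'''

TS = re.compile(r'^\[(\w{3} \w{3} +\d+ [\d:]+)\.\d+ (\d{4})\]')
# Accept straight or typographic quotes, since forum pastes often mangle them.
RULE_ID = re.compile(r'\[id ["“]?(\d+)["”]?\]')
STORE_FAIL = re.compile(r'collection_store: Failed to write to DBM file ["“]([^"”]+)["”]')

def triage(log_text, rule_id="230011"):
    """Summarise rule blocks vs. persistent-collection write failures."""
    blocks, failures, files = [], [], set()
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m or "ModSecurity:" not in line:
            continue
        when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
        fail = STORE_FAIL.search(line)
        if fail:
            failures.append(when)
            files.add(fail.group(1))
        elif "Access denied" in line:
            rid = RULE_ID.search(line)
            if rid and rid.group(1) == rule_id:
                blocks.append(when)
    first_fail = min(failures) if failures else None
    last_block = max(blocks) if blocks else None
    return {
        "blocks": len(blocks),
        "store_failures": len(failures),
        "dbm_files": sorted(files),
        "last_block": last_block,
        "first_store_failure": first_fail,
        # Pattern from the thread: failures begin and the rule never fires again.
        "rule_silent_after_failure": bool(first_fail)
        and (last_block is None or last_block < first_fail),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real error log, a `rule_silent_after_failure` of `True` together with a growing `store_failures` count matches what the first post describes.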