Seems when I restart Apache sometimes all works well:
[Tue Sep 22 10:03:25.002394 2015] [:error] [pid 556716:tid 139809366443776] [client 220.127.116.11] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at IP:multiple_username_count. [file “/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/09_Bruteforce_Bruteforce.conf”] [line “58”] [id “230011”] [msg “COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication.”] [data “Current Username: domainname”] [hostname “domainname”] [uri “/wp-login.php”] [unique_id “VgELTMXyRKIACH6scrEAAAIJ”]
But then after a few minutes:
[Tue Sep 22 10:13:57.276896 2015] [:error] [pid 556781:tid 139809387423488] [client 18.104.22.168] ModSecurity: collection_store: Failed to write to DBM file “/var/cpanel/secdatadir/ip”: Invalid argument [hostname “domainname”] [uri “/wp-login.php”] [unique_id “VgENxcXyRKIACH7t8XkAAAAH”]
Then I never seem to get the top one again.
It’s like the file gets corrupted or just breaks on cPanel. Weird.
Can it be the cause of the issue?
"Invalid argument [hostname "domainname"]"
For example, the cPanel domain name is corrupted.
No, I just took it out before pasting it here. My own personal rule is to not post links to customers' websites on forums etc.
Ahh, got it
By the way, is mod_ruid2 enabled?
Found this topic on the cPanel forum discussing the issue.
Just Apache MPM Event with Cloudlinux, mod_lsapi.
It does not seem to happen when I switch back to LiteSpeed, but I guess the LiteSpeed Comodo rules do not have all the rules that the Apache ones do.
The difference between the LS and Apache rulesets is kept as minimal as possible.
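The pattern reported in this thread (the brute-force rule fires, then `collection_store` write failures start and no further denials are logged) can be checked for in an Apache error log. The script below is an added example, not part of the thread or of the Comodo ruleset; the sample lines are constructed from the two messages quoted above with placeholder addresses, and it assumes the log is in chronological order.

```python
import re
from datetime import datetime

# Constructed sample modelled on the two log messages quoted in the thread
# (client addresses and pids are placeholders, not real data).
SAMPLE_LOG = """\
[Tue Sep 22 10:03:25.002394 2015] [:error] [pid 1:tid 1] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at IP:multiple_username_count. [id "230011"] [uri "/wp-login.php"]
[Tue Sep 22 10:13:57.276896 2015] [:error] [pid 2:tid 2] [client 192.0.2.11] ModSecurity: collection_store: Failed to write to DBM file "/var/cpanel/secdatadir/ip": Invalid argument [uri "/wp-login.php"]
[Tue Sep 22 10:14:02.100000 2015] [:error] [pid 2:tid 3] [client 192.0.2.12] ModSecurity: collection_store: Failed to write to DBM file "/var/cpanel/secdatadir/ip": Invalid argument [uri "/wp-login.php"]
"""

TS = re.compile(r'^\[(\w{3} \w{3} +\d+ [\d:]+\.\d+ \d{4})\]')
Q = '["\u201c\u201d]'        # straight or typographic quotes (pasted logs often have the latter)
NQ = '[^"\u201c\u201d]+'
DBM_FAIL = re.compile('Failed to write to DBM file ' + Q + '(' + NQ + ')' + Q + r': (.*?) \[')
DENIED = re.compile(r'Access denied.*?\[id ' + Q + r'(\d+)' + Q)

def parse_ts(line):
    """Return the Apache 2.4 error-log timestamp of a line, or None."""
    m = TS.match(line)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y") if m else None

def summarize(log_text):
    """Per DBM file: failure count, first failure time, error string, and the
    number of ModSecurity denials logged before and after the first failure."""
    denials, report = [], {}
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        fail = DBM_FAIL.search(line)
        if fail:
            entry = report.setdefault(
                fail.group(1), {"failures": 0, "first_failure": ts, "error": fail.group(2)})
            entry["failures"] += 1
        elif DENIED.search(line):
            denials.append(ts)
    for entry in report.values():
        entry["denials_before"] = sum(ts < entry["first_failure"] for ts in denials)
        entry["denials_after"] = sum(ts >= entry["first_failure"] for ts in denials)
        # Heuristic: denials stopping once writes fail matches the symptom in the thread.
        entry["suspect_silent"] = entry["denials_after"] == 0
    return report

if __name__ == "__main__":
    for path, info in summarize(SAMPLE_LOG).items():
        print(path, info)
```

A `suspect_silent` result is only a prompt to inspect the collection file and its permissions; low traffic alone can also produce it.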