Re: [mod-security-users] modsecurity is blocking bing & yahoo in windows plesk
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] modsecurity is blocking bing & yahoo in windows plesk
|
From: Chaim S. <ch...@ch...> - 2019-06-17 22:15:04
|
Ah, I see -- thank you for the detail. You can certainly disable rule 303801 by adding something like `SecRuleRemoveById 303801` to the end of your rules. I am unable to 'fix' the rules, as these are rules provided by Atomicorp. I'd recommend reaching out to their support to determine why they are blocking these bots or if they have some additional configuration capabilities. To be clear the OWASP CRS does not block these bots. Thanks, - Chaim On Mon, Jun 17, 2019 at 3:11 PM Joost Kouwenberg <cho...@gm...> wrote: > Hi Chaim, > > Here are some examples of the log file where bingbots are blocked (there > are many a day logged...): > > > --23480000-H-- > Message: Warning. Match of "rx > (^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\\.search\\.msn\\.com$)" against > "REMOTE_HOST" required. [file "C:\/Program Files > (x86)/Plesk/ModSecurity/rules/tortix/modsec/00_asl_y_searchengines.conf"] > [line "106"] [id "303801"] [rev "6"] [msg "Atomicorp.com WAF Rules: Fake > msnbot/bingbot webcrawler"] [data ""] > Message: Warning. RBL lookup of 0.139.66.13.threat2.atomicrbl.com. > succeeded at REMOTE_ADDR. [file "C:\/Program Files > (x86)/Plesk/ModSecurity/rules/tortix/modsec/99_asl_zzzz_threat_intelligence.conf"] > [line "64"] [id "355501"] [rev "2"] [msg "Atomicorp.com WAF Rules: Threat > Intelligence Match for Spamming Source on Atomicorp Threat Intelligence RBL > (TI-2). See this URL for details http://www.atomicrbl.com/lookup"] > [severity "ERROR"] [tag "no_ar"] > Message: Warning. RBL lookup of 0.139.66.13.threat5.atomicrbl.com. > succeeded at REMOTE_ADDR. [file "C:\/Program Files > (x86)/Plesk/ModSecurity/rules/tortix/modsec/99_asl_zzzz_threat_intelligence.conf"] > [line "73"] [id "355506"] [rev "1"] [msg "Atomicorp.com WAF Rules: Threat > Intelligence Match for Known multi event attacker Source on Atomicorp > Threat Intelligence RBL. See this URL for details > http://www.atomicrbl.com/lookup"] [severity "ALERT"] > Apache-Handler: IIS > Stopwatch: 1560756427841805 207022 (- - -) > Stopwatch2: 1560756427841805 207022; combined=224046, p1=56045, p2=129961, > p3=0, p4=0, p5=19020, sr=1018, sw=1032, l=0, gc=17988 > Producer: ModSecurity for IIS (STABLE)/2.9.2 (http://www.modsecurity.org/); > 201404231529. > Server: ModSecurity Standalone > Engine-Mode: "DETECTION_ONLY" > > --23480000-Z— > > > --325f0000-F-- > HTTP/1.1 500 Internal Server Error > > --325f0000-H-- > Message: Warning. RBL lookup of 1.139.66.13.threat2.atomicrbl.com. > succeeded at REMOTE_ADDR. [file "C:\/Program Files > (x86)/Plesk/ModSecurity/rules/tortix/modsec/99_asl_zzzz_threat_intelligence.conf"] > [line "64"] [id "355501"] [rev "2"] [msg "Atomicorp.com WAF Rules: Threat > Intelligence Match for Spamming Source on Atomicorp Threat Intelligence RBL > (TI-2). See this URL for details http://www.atomicrbl.com/lookup"] > [severity "ERROR"] [tag "no_ar"] > Apache-Handler: IIS > Stopwatch: 1560803751120054 343710 (- - -) > Stopwatch2: 1560803751120054 343710; combined=343710, p1=62492, p2=281218, > p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0 > Producer: ModSecurity for IIS (STABLE)/2.9.2 (http://www.modsecurity.org/); > 201404231529. > Server: ModSecurity Standalone > Engine-Mode: "DETECTION_ONLY" > > --325f0000-Z-- > > --bb660000-A— > > > --f2260000-H-- > Message: Warning. Match of "rx > (^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\\.search\\.msn\\.com$)" against > "REMOTE_HOST" required. [file "C:\/Program Files > (x86)/Plesk/ModSecurity/rules/tortix/modsec/00_asl_y_searchengines.conf"] > [line "106"] [id "303801"] [rev "6"] [msg "Atomicorp.com WAF Rules: Fake > msnbot/bingbot webcrawler"] [data ""] > Apache-Handler: IIS > Stopwatch: 1560766857301652 437503 (- - -) > Stopwatch2: 1560766857301652 437503; combined=0, p1=0, p2=0, p3=0, p4=0, > p5=0, sr=0, sw=0, l=0, gc=0 > Producer: ModSecurity for IIS (STABLE)/2.9.2 (http://www.modsecurity.org/); > 201404231529. > Server: ModSecurity Standalone > Engine-Mode: "DETECTION_ONLY" > > --f2260000-Z— > > > Would the exception need to be created in a .conf file on the windows > server or is it just a matter of switching off rule ID’s using the Plesk > control panel ? > > Thank you for your help. > > Joost > > > > > > > > > On 17 Jun 2019, at 22:52, Chaim Sanders <ch...@ch...> wrote: > > Sure, if it is blocking it will have an ID of the rule that is blocking > and we can help you write an exception and then take a look at why it is > blocking to begin with. Check your error or audit( if enabled) logs. > > On Mon, Jun 17, 2019 at 11:20 AM Joost Kouwenberg < > cho...@gm...> wrote: > >> Hi, >> >> For some reason Bing & yahoo bots are being blocked by modsecurity in >> Plesk12 on Windows server using “Advanced ModSecurity Rules by Atomicorp”, >> Google Bot have access. >> >> Any thoughts how we can allow Bing & yahoo bots on the Windows Server >> using Plesk12? >> >> Many thanks. >> >> Joost >> >> >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> > > > -- > -- > Chaim Sanders > http://www.ChaimSanders.com <http://www.chaimsanders.com/> > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > -- -- Chaim Sanders http://www.ChaimSanders.com |
