Received feedback from Atomicorp:
“Thank you for the report, it looks like Microsoft hasn't set up any DNS records for those ranges and is using new IP ranges for Bingbot. We've just released an update that will address this change in their DNS practices.”
I’ll check in a few days if this will unblock the requests from Bingbot.
Joost
> On 17 Jun 2019, at 23:40, Joost Kouwenberg <cho...@gm...> wrote:
>
> Thanks Chaim, I’ll disable rule 303801 for now and contact Atomicorp support.
>
> Cheers,
> Joost
>
>
>
>> On 17 Jun 2019, at 23:14, Chaim Sanders <ch...@ch...> wrote:
>>
>> Ah, I see -- thank you for the detail. You can certainly disable rule 303801 by adding something like `SecRuleRemoveById 303801` to the end of your rules. I am unable to 'fix' the rules, as these are rules provided by Atomicorp. I'd recommend reaching out to their support to determine why they are blocking these bots or if they have some additional configuration capabilities. To be clear, the OWASP CRS does not block these bots.
>>
>> Thanks,
>> - Chaim
>>
>> On Mon, Jun 17, 2019 at 3:11 PM Joost Kouwenberg <cho...@gm...> wrote:
>> Hi Chaim,
>>
>> Here are some examples of the log file where bingbots are blocked (there are many a day logged...):
>>
>>
>> --23480000-H--
>> Message: Warning. Match of "rx (^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\\.search\\.msn\\.com$)" against "REMOTE_HOST" required. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/tortix/modsec/00_asl_y_searchengines.conf"] [line "106"] [id "303801"] [rev "6"] [msg "Atomicorp.com WAF Rules: Fake msnbot/bingbot webcrawler"] [data ""]
>> Message: Warning. RBL lookup of 0.139.66.13.threat2.atomicrbl.com. succeeded at REMOTE_ADDR. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/tortix/modsec/99_asl_zzzz_threat_intelligence.conf"] [line "64"] [id "355501"] [rev "2"] [msg "Atomicorp.com WAF Rules: Threat Intelligence Match for Spamming Source on Atomicorp Threat Intelligence RBL (TI-2). See this URL for details http://www.atomicrbl.com/lookup"] [severity "ERROR"] [tag "no_ar"]
>> Message: Warning. RBL lookup of 0.139.66.13.threat5.atomicrbl.com. succeeded at REMOTE_ADDR. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/tortix/modsec/99_asl_zzzz_threat_intelligence.conf"] [line "73"] [id "355506"] [rev "1"] [msg "Atomicorp.com WAF Rules: Threat Intelligence Match for Known multi event attacker Source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com/lookup"] [severity "ALERT"]
>> Apache-Handler: IIS
>> Stopwatch: 1560756427841805 207022 (- - -)
>> Stopwatch2: 1560756427841805 207022; combined=224046, p1=56045, p2=129961, p3=0, p4=0, p5=19020, sr=1018, sw=1032, l=0, gc=17988
>> Producer: ModSecurity for IIS (STABLE)/2.9.2 (http://www.modsecurity.org/); 201404231529.
>> Server: ModSecurity Standalone
>> Engine-Mode: "DETECTION_ONLY"
>>
>> --23480000-Z--
>>
>>
>> --325f0000-F--
>> HTTP/1.1 500 Internal Server Error
>>
>> --325f0000-H--
>> Message: Warning. RBL lookup of 1.139.66.13.threat2.atomicrbl.com. succeeded at REMOTE_ADDR. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/tortix/modsec/99_asl_zzzz_threat_intelligence.conf"] [line "64"] [id "355501"] [rev "2"] [msg "Atomicorp.com WAF Rules: Threat Intelligence Match for Spamming Source on Atomicorp Threat Intelligence RBL (TI-2). See this URL for details http://www.atomicrbl.com/lookup"] [severity "ERROR"] [tag "no_ar"]
>> Apache-Handler: IIS
>> Stopwatch: 1560803751120054 343710 (- - -)
>> Stopwatch2: 1560803751120054 343710; combined=343710, p1=62492, p2=281218, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
>> Producer: ModSecurity for IIS (STABLE)/2.9.2 (http://www.modsecurity.org/); 201404231529.
>> Server: ModSecurity Standalone
>> Engine-Mode: "DETECTION_ONLY"
>>
>> --325f0000-Z--
>>
>> --bb660000-A--
>>
>>
>> --f2260000-H--
>> Message: Warning. Match of "rx (^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\\.search\\.msn\\.com$)" against "REMOTE_HOST" required. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/tortix/modsec/00_asl_y_searchengines.conf"] [line "106"] [id "303801"] [rev "6"] [msg "Atomicorp.com WAF Rules: Fake msnbot/bingbot webcrawler"] [data ""]
>> Apache-Handler: IIS
>> Stopwatch: 1560766857301652 437503 (- - -)
>> Stopwatch2: 1560766857301652 437503; combined=0, p1=0, p2=0, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
>> Producer: ModSecurity for IIS (STABLE)/2.9.2 (http://www.modsecurity.org/); 201404231529.
>> Server: ModSecurity Standalone
>> Engine-Mode: "DETECTION_ONLY"
>>
>> --f2260000-Z--
>>
>>
>> Would the exception need to be created in a .conf file on the Windows server or is it just a matter of switching off rule IDs using the Plesk control panel?
>>
>> Thank you for your help.
>>
>> Joost
>>
>>> On 17 Jun 2019, at 22:52, Chaim Sanders <ch...@ch...> wrote:
>>>
>>> Sure, if it is blocking it will have an ID of the rule that is blocking and we can help you write an exception and then take a look at why it is blocking to begin with. Check your error or audit (if enabled) logs.
>>>
>>> On Mon, Jun 17, 2019 at 11:20 AM Joost Kouwenberg <cho...@gm...> wrote:
>>> Hi,
>>>
>>> For some reason Bing & Yahoo bots are being blocked by ModSecurity in Plesk12 on Windows server using “Advanced ModSecurity Rules by Atomicorp”; Google Bot has access.
>>>
>>> Any thoughts how we can allow Bing & Yahoo bots on the Windows Server using Plesk12?
>>>
>>> Many thanks.
>>>
>>> Joost
>>>
>>>
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod...@li... <mailto:mod...@li...>
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users <https://lists.sourceforge.net/lists/listinfo/mod-security-users>
>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>> http://www.modsecurity.org/projects/commercial/rules/ <http://www.modsecurity.org/projects/commercial/rules/>
>>> http://www.modsecurity.org/projects/commercial/support/ <http://www.modsecurity.org/projects/commercial/support/>
>>>
>>>
>>> --
>>> --
>>> Chaim Sanders
>>> http://www.ChaimSanders.com <http://www.chaimsanders.com/>
>>
>>
>>
>> --
>> --
>> Chaim Sanders
>> http://www.ChaimSanders.com <http://www.chaimsanders.com/>
>
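
Chaim's advice in the thread is to find the ID of the blocking rule in the error or audit log. As an added example (not part of the original thread and not ModSecurity or Atomicorp code), this Python script parses section H of audit-log entries in the format quoted above, lists the rule IDs per transaction, and reverses the octets of each DNSBL query name to recover the client IP. The sample log is constructed by shortening the quoted entries, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: entries shortened from the audit-log format quoted in the thread.
# parse_audit_log and rule_hits are hypothetical helper names, not a ModSecurity API.
SAMPLE_AUDIT_LOG = r'''--23480000-H--
Message: Warning. Match of "rx (^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\\.search\\.msn\\.com$)" against "REMOTE_HOST" required. [file "00_asl_y_searchengines.conf"] [line "106"] [id "303801"] [rev "6"] [msg "Fake msnbot/bingbot webcrawler"] [data ""]
Message: Warning. RBL lookup of 0.139.66.13.threat2.atomicrbl.com. succeeded at REMOTE_ADDR. [file "99_asl_zzzz_threat_intelligence.conf"] [line "64"] [id "355501"] [rev "2"] [msg "Threat Intelligence Match for Spamming Source"] [severity "ERROR"] [tag "no_ar"]
Engine-Mode: "DETECTION_ONLY"
--23480000-Z--
--325f0000-H--
Message: Warning. RBL lookup of 1.139.66.13.threat2.atomicrbl.com. succeeded at REMOTE_ADDR. [file "99_asl_zzzz_threat_intelligence.conf"] [line "64"] [id "355501"] [rev "2"] [msg "Threat Intelligence Match for Spamming Source"] [severity "ERROR"] [tag "no_ar"]
Engine-Mode: "DETECTION_ONLY"
--325f0000-Z--
'''

BOUNDARY = re.compile(r'^--([0-9a-fA-F]+)-([A-Z])--$')      # e.g. --23480000-H--
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')        # e.g. [id "303801"]
RBL = re.compile(r'RBL lookup of (\d+)\.(\d+)\.(\d+)\.(\d+)\.(\S+?)\.? succeeded')

def parse_audit_log(text):
    """Return {transaction id: rules fired, RBL-listed client IPs, engine mode}."""
    txns = defaultdict(lambda: {"rules": [], "rbl_ips": set(), "mode": None})
    current = section = None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            current, section = m.group(1), m.group(2)
            continue
        if section != "H":          # only the audit trailer carries Message lines
            continue
        if line.startswith("Message:"):
            fields = dict(FIELD.findall(line))
            if "id" in fields:
                txns[current]["rules"].append((fields["id"], fields.get("msg", "")))
            r = RBL.search(line)
            if r:  # DNSBL query names carry the address with its octets reversed
                txns[current]["rbl_ips"].add(".".join(reversed(r.groups()[:4])))
        elif line.startswith("Engine-Mode:"):
            txns[current]["mode"] = line.split(":", 1)[1].strip().strip('"')
    return dict(txns)

def rule_hits(txns):
    """Count the number of transactions in which each rule id fired."""
    counts = defaultdict(int)
    for t in txns.values():
        for rid in {rid for rid, _ in t["rules"]}:
            counts[rid] += 1
    return dict(counts)
```

On the sample, rule 355501 fires in both transactions while 303801 fires in one, and both entries report Engine-Mode DETECTION_ONLY.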