Issue
A large number of hits are attributed to localhost (127.0.0.1) and trigger the XML-RPC related rules shown below (rule 77350180, XMLRPC getUsersBlogs, and rule 77317980, XML Brute-Force Amplification), so the real client address never appears in the incidents:
INFO [2024-03-27 12:31:44,298] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '127.0.0.1', 'transaction_id': 'zwET-Sxf@-BpYeJtZtVpw0Hg', 'rule': '77350180', 'message': 'IM360 WAF: XMLRPC getUsersBlogs||T:LITESPEED||', 'severity': 5, 'tag': ['service_im360', 'noshow'], 'status_code': '20', 'advanced': {'headers': [['Host', 'www.domain.com'], ['Content-Length', '485'], ['Cookie', [['wordpress_test_cookie', '[chr]{2}%[digit]{2}[chr]{6}%[digit]{2}[chr]{5}']]], ['User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36'], ['Content-Type', 'application/xml']], 'http_method': 'POST'}, 'user_id': 'e644d4c89683598ec7aaf2edafea4b410d5676ac', 'name': 'IM360 WAF: XMLRPC getUsersBlogs', 'timestamp': 1711560586.0555239, 'domain': 'www.domain.com'}) processed in 0.0934 seconds
INFO [2024-03-27 12:31:44,204] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '127.0.0.1', 'transaction_id': 'zwET-Sxf@-BpYeJtZtVpw0Hg', 'rule': '77317980', 'message': 'IM360 WAF: XML Brute-Force Amplification||T:LITESPEED||', 'severity': 5, 'tag': ['service_im360', 'noshow'], 'status_code': '20', 'advanced': {'headers': [['Host', 'www.domain.com'], ['Content-Length', '485'], ['Cookie', [['wordpress_test_cookie', '[chr]{2}%[digit]{2}[chr]{6}%[digit]{2}[chr]{5}']]], ['User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36'], ['Content-Type', 'application/xml']], 'http_method': 'POST'}, 'user_id': 'e644d4c89683598ec7aaf2edafea4b410d5676ac', 'name': 'IM360 WAF: XML Brute-Force Amplification', 'timestamp': 1711560586.0539873, 'domain': 'www.domain.com'}) processed in 0.0241 seconds
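To confirm the symptom from the agent log (and, after the fix below, its disappearance) rather than by eye, here is an added Python check. It is not Imunify360 code: it pulls the attackers_ip out of SensorIncident lines, which carry a Python dict literal, and reports the share of incidents attributed to a loopback address. The SAMPLE_LOG lines are constructed, modelled on the entries above with the headers trimmed, plus one with a public address for contrast.

```python
"""Share of Imunify360 ModSecurity incidents attributed to loopback.

Added example, not Imunify360 code. The log format is modelled on the
defence360agent SensorIncident lines shown in the Issue section.
"""
import ast
import ipaddress
import re
from collections import Counter

# SensorIncident({...}) wraps a Python dict literal; capture it up to the
# trailing "processed in" marker.
_INCIDENT_RE = re.compile(r"SensorIncident\((\{.*\})\) processed in")

# Constructed sample, shaped like the agent log (headers trimmed).
SAMPLE_LOG = """\
INFO [2024-03-27 12:31:44,298] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '127.0.0.1', 'rule': '77350180', 'message': 'IM360 WAF: XMLRPC getUsersBlogs||T:LITESPEED||', 'severity': 5, 'domain': 'www.domain.com'}) processed in 0.0934 seconds
INFO [2024-03-27 12:31:44,204] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '127.0.0.1', 'rule': '77317980', 'message': 'IM360 WAF: XML Brute-Force Amplification||T:LITESPEED||', 'severity': 5, 'domain': 'www.domain.com'}) processed in 0.0241 seconds
INFO [2024-03-27 12:32:01,110] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '203.0.113.7', 'rule': '77317980', 'message': 'IM360 WAF: XML Brute-Force Amplification||T:LITESPEED||', 'severity': 5, 'domain': 'www.domain.com'}) processed in 0.0200 seconds
INFO [2024-03-27 12:32:05,000] defence360agent.internals.the_sink: unrelated agent message
"""


def parse_incidents(log_text):
    """Yield the incident dicts embedded in agent log lines."""
    for line in log_text.splitlines():
        m = _INCIDENT_RE.search(line)
        if not m:
            continue
        try:
            # literal_eval only accepts literals, so log content cannot execute code
            yield ast.literal_eval(m.group(1))
        except (ValueError, SyntaxError):
            continue


def _is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def loopback_share(log_text, plugin="modsec"):
    """Return (Counter of incidents by attackers_ip, fraction from loopback)
    for incidents raised by one plugin (default: the ModSecurity sensor)."""
    by_ip = Counter()
    for inc in parse_incidents(log_text):
        if inc.get("plugin_id") != plugin:
            continue
        by_ip[inc.get("attackers_ip", "?")] += 1
    total = sum(by_ip.values())
    loop = sum(n for ip, n in by_ip.items() if _is_loopback(ip))
    return by_ip, (loop / total if total else 0.0)


if __name__ == "__main__":
    counts, frac = loopback_share(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:15s} {n}")
    print(f"loopback share: {frac:.0%}")
```

Run it against the real log by replacing SAMPLE_LOG with the file contents; a loopback share near 100% before the fix and near 0% afterwards is the expected before/after picture.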
Environment
- Imunify360
- cPanel
- ModSecurity
- CDN service is in use
Solution
Because a CDN sits in front of the site, the address the web server sees on the connection is that of the hop that handed the request over, here the loopback address, not the visitor's, so ModSecurity and Imunify360 record 127.0.0.1 as attackers_ip. The fix is to let mod_remoteip replace the connection address with the client address carried in X-Forwarded-For, trusting that header only when the request arrives from the local proxy. Add a `RemoteIPInternalProxy` directive to the web server config, e.g.
# cat /etc/apache2/conf.d/i360.remoteip.conf
<IfModule remoteip_module>
RemoteIPInternalProxy 127.0.0.1
RemoteIPInternalProxy ::1
RemoteIPHeader X-Forwarded-For
</IfModule>
Check that the module is loaded (`apachectl -M | grep remoteip`) and restart the web server (on cPanel: `/scripts/restartsrv_httpd`) for the change to take effect; new incidents in the Imunify360 agent log should then carry the visitor's address instead of 127.0.0.1. List only proxies you control: any address in `RemoteIPInternalProxy` can set an arbitrary client IP through X-Forwarded-For, so a range that is too wide would let a client choose the address the WAF blocks or greylists. If the address left after the loopback hop is the CDN edge rather than the visitor, the CDN's published ranges must be trusted as well (`RemoteIPTrustedProxy`), since mod_remoteip steps past only addresses it has been told to trust. If your CDN passes the client address in a different header, set `RemoteIPHeader` to that header name.
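To see why the directive changes what gets logged, and why the CDN's own ranges may need to be trusted too, here is an added Python model of the address walk mod_remoteip performs. It is not Apache or Imunify360 code: it reproduces the documented rule (start at the TCP peer, step one header entry leftwards for every hop that is a listed proxy, stop at the first address that is not). The addresses in demo() are constructed, and the private-address filtering that `RemoteIPTrustedProxy` adds is not modelled.

```python
"""Model of how mod_remoteip chooses the client address from X-Forwarded-For.

Added example, not Apache or Imunify360 code. It reproduces the documented
walk from the right-hand end of the header; RemoteIPTrustedProxy's
private-address filtering is not modelled.
"""
import ipaddress


def _trusted(ip, networks):
    """True if ip falls inside any of the trusted proxy networks."""
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr, xff, trusted_proxies):
    """Return the address the server should attribute the request to.

    remote_addr:     the TCP peer (REMOTE_ADDR before mod_remoteip runs)
    xff:             raw X-Forwarded-For value, or None if absent
    trusted_proxies: CIDR strings as given to RemoteIPInternalProxy
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    client = ipaddress.ip_address(remote_addr)
    # Header entries read "origin, hop1, hop2": the nearest hop is rightmost.
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Only while the current address is a listed proxy do we believe the
    # entry it appended; an untrusted peer's header is ignored entirely.
    while hops and _trusted(client, nets):
        try:
            client = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: stop at the last trusted hop (assumption)
    return str(client)


def demo():
    """Constructed chain: visitor 203.0.113.7 -> CDN edge 198.51.100.10 ->
    local proxy on 127.0.0.1 -> web server. The local proxy appends the CDN
    edge to the header, so the server receives the value below."""
    xff = "203.0.113.7, 198.51.100.10"
    return {
        # No directive: the loopback peer is logged, exactly as in the Issue
        "no_directive": resolve_client_ip("127.0.0.1", xff, []),
        # The config above: one hop is peeled off, leaving the CDN edge
        "loopback_only": resolve_client_ip("127.0.0.1", xff, ["127.0.0.1", "::1"]),
        # CDN range trusted as well: the walk reaches the real visitor
        "loopback_and_cdn": resolve_client_ip(
            "127.0.0.1", xff, ["127.0.0.1", "::1", "198.51.100.0/24"]),
        # Direct client forging X-Forwarded-For: the header is ignored
        "spoof_direct": resolve_client_ip(
            "203.0.113.99", "10.0.0.1", ["127.0.0.1", "::1"]),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:18s} -> {ip}")
```

The "spoof_direct" case is the security property the directive relies on: the header is honoured only for connections from the listed proxies, which is why the list must stay limited to hops you control.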