Issue
Denied access from the client's IP address with 403 error. In the console.log there are entries with the message "Found crawler not in whitelist".
INFO [2021-12-06 10:59:27,320]
defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec',
'attackers_ip': '10.0.0.20', ]
............
'name': 'IM360 WAF: Found crawler not in whitelist', ......
Environment
- Web-shield
- cPanel
- CloudLinux (or any compatible with Imunify360)
- Imunify 5.11.6-1
Solution
1. The 10.0.0.20 IP is the server address configured in the eth0 interface. You can add an additional proxy subnet by running the following command:
imunify360-agent remote-proxy add add 10.0.0.0/24 --name "my_own_proxy"
2. To fix the issue, set the mod_remoteip by adding these lines info the following config:
/etc/apache2/conf.d/includes/pre_virtualhost_global.conf
<IfModule remoteip_module>
RemoteIPInternalProxy 10.0.0.20/32
</IfModule>
3. After that send a SIGQUIT for restarting Apache gracefully:
# apachectl graceful
4. When the changes are applied, restart WebShield and imunify360 services:
systemctl restart imunify360-webshieldsystemctl restart imunify360
5. To revert changes:
If you want to rollback, just run:
# rm /etc/apache2/conf.d/includes/pre_virtualhost_global.conf
# apachectl graceful
Cause
Imunify360 incorrectly determines the IP and blocks the request.
Useful links
Comments
3 comments
Cause:
Imunify360 incorrectly determines the IP and blocks the request.
It's a 6 months concern ?
Why does i360 incorrectly determines the IP ? (not explained yet)
It would be appreciate to add more info about that, because actually, it looks like “we know that our system failed, don't know the real reason, but fix the issue by yourself, if it happens”.
But, when end-user report issue from the Google Search Console (after of failing crawling), it's already too late, ranking and money are lost already.
Should i360 not supposed to work out of the box with CloudFlare ?
Blocking Googlebot is the first thing we want to avoid. I identify this as a critical issue.
I encourage i360 team to complete this article and include the best fix of workaround in the heart of i360 to help that this big issue never happen again.
Googlebot blocked by le Firewall would be a review on my Trustpilot that would seriously impact our reputation.
Greetings, Nicolas.
Imunify360 does not block legitimate Google bots, but in case a visitor's IP address is detected incorrectly at the web server level, such access can be restricted at the ModSecurity level.
We understand how important it is for legitimate search engine bots to access sites, and Imunify360 has separate mechanisms for that. That's how we process connections for the search bots. We use the ModSecurity rule ID 33311.
If one of these statements is true, the incoming request will be blocked. Legitimate bots pass all these checks and are not blocked by Imunify360 components.
However, if the web server for some reason is unable to identify the visitor's IP address correctly (e.g. there is no remoteip module on the server, or the module hasn't been configured yet for Cloudflare, for example), the attacker's IP address might indeed be incorrectly detected and the request will be blocked by ModSecurity.
In any case, you can always contact our support (and colleagues tell me that the corresponding ticket is already in progress) and we will check Imunify360 on server for you. :)
The article would definitely need to be expanded, and I especially thank you for your feedback on it.
Infinite thanks.
The Imunify360 support was able to produce, for myself, a perfect tutorial in minutes that solves the Cloudflare-cPanel issue !
CloudLinux & Imunify360, you are incredible.
The Web Problem Solver !
Thanks thanks thanks!
Please sign in to leave a comment.