Issue
Imunify360 does not detect the client's IP, rather matches the server's IP causing blocks.
You will find something like:
INFO [2021-12-07 15:08:58,691] defence360agent.internals.the_sink:SensorIncident
({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '1.2.3.4',
'rule': 'X', 'access_denied'
1.2.3.4 - is the server's IP assigned to some interface, rather it must be the client's IP who made the request.
Environment
- Imunify360
- Apache
Solution
1. Check if the apache mod_remoteip is installed and enabled.
2. Append the server IP as RemoteIPInternalProxy to the current webserver module config and restart the service. This can be done as follows:
<IfModule remoteip_module>
RemoteIPInternalProxy 1.2.3.4
RemoteIPInternalProxy 127.0.0.1
RemoteIPInternalProxy ::1
RemoteIPHeader X-Forwarded-For
</IfModule>
Comments
0 comments
Please sign in to leave a comment.