Azurel
Silver Pleskian
We have a team member who frequently gets banned by "plesk-modsecurity", and maybe more visitors are too?
Fail2Ban Jails Management
- plesk-modsecurity bans the IP addresses detected as harmful by the ModSecurity Web Application Firewall. ...... The ban lasts for 10 minutes.
How do I find the reason why he is detected as "harmful"? I took a look in /var/log/modsec_audit.log, but that is very hard, because it is 90MB and very slow. Is it possible to make a logfile per day?
Is this addon/rules incompatible with Matomo?
The "GET" is always (100%) a legal /matomo/piwik.php?download=https%3A%2F%2....... URL created by Matomo itself, and it shows this:
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "179"] [id "33340162"] [rev "294"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: URL detected as argument, possible RFI attempt detected"] [data "%TX:1,TX:1"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required.
Matomo is installed on the host analytics.example.com and the user is surfing on www.example.de. What I can see is that the user is coming from the user panel (access only when logged in) as referer.
Here is a full example for this case:
--a473ef48-A--
[01/Dec/2018:11:04:47 +0100] XAJcv@qA2Z4wjj2VQ2YJCgAAAAE xx.xx.xx.xx 58994 xx.xx.xx.xx 7081
--a473ef48-B--
GET /matomo/piwik.php?download=https%3A%2F%2Fcdn.example.de%2Fimages%2Fitem%2Fimage%2F2%2F2916%2Ffull%2F403344.jpg&idsite=1&rec=1&r=931005&h=11&m=4&s=46&url=https%3A%2F%2Fwww.example.de%2Fitem%2F2916&urlref=https%3A%2F%2Fwww.example.de%2Fusercp%2Fprofile&_id=eacff84d6fb77fbb&_idts=1531739314&_idvc=864&_idn=0&_refts=0&_viewts=1543653077&send_image=1&cookie=1&res=1920x1080&gt_ms=195&pv_id=fmfEhn HTTP/1.0
Host: analytics.example.com
X-Real-IP: xx.xx.xx.xx
X-Accel-Internal: /internal-nginx-static-location
Connection: close
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
accept: */*
accept-language: de,en-US;q=0.7,en;q=0.3
accept-encoding: gzip, deflate, br
referer: https://www.example.de/item/2916
dnt: 1
--a473ef48-F--
HTTP/1.1 403 Forbidden
Last-Modified: Sun, 13 Nov 2016 18:38:19 GMT
ETag: "3fe-5413306f3b248"
Accept-Ranges: bytes
Content-Length: 1022
Connection: close
Content-Type: text/html
--a473ef48-H--
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "179"] [id "33340162"] [rev "294"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: URL detected as argument, possible RFI attempt detected"] [data "%TX:1,TX:1"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1543658687423572 6125 (- - -)
Stopwatch2: 1543658687423572 6125; combined=3553, p1=2, p2=3549, p3=0, p4=0, p5=2, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (ModSecurity: Open Source Web Application Firewall 201811211523.
Server: Apache
Engine-Mode: "ENABLED"
--a473ef48-Z--
Why is he detected as "CRITICAL" and banned for 10 min? Is it this?:
"URL detected as argument, possible RFI attempt detected".
But that must ban every visitor on this website. What can I do?
EDIT: I searched on the Matomo side and found this article:
How do I configure Piwik when mod_security (or CA SiteMinder) is enabled? - Analytics Platform - Matomo
Is it possible to whitelist a domain in ModSecurity?
EDIT2: I found "How to disable a single ModSecurity rule for a website?"
Where do I find the rule ID or tag in my case?
Is it this bold red number?
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "179"] [id "33340162"] [rev "294"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: URL detected as argument, possible RFI attempt detected"]
I think it is. I can find this ID with "Find and Disable Specific ModSecurity Rules | InMotion Hosting".
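The practical problem in this post is pulling the rule ID and the blocked request out of a 90MB serial audit log. The script below is an added example written for this thread; it is not Plesk's, ModSecurity's or Matomo's own code. It assumes the ModSecurity 2.x native audit-log layout quoted above (transactions delimited by --<id>-A-- ... --<id>-Z-- part markers, with the "Message:" lines in part H), reads the file as a stream so its size does not matter, and reports, per blocked transaction, the client IP, Host, request line and the matched rule IDs. The sample log embedded in it is constructed (two transactions modelled on the one in the post, with documentation IP addresses); the function and variable names are the example's own.

```python
#!/usr/bin/env python3
"""Find which ModSecurity rule blocked a request by reading the native (serial)
audit log, e.g. /var/log/modsec_audit.log, one transaction at a time.

Added example for this thread, not Plesk/ModSecurity code. Assumes the
ModSecurity 2.x native audit-log format shown in the post. The sample log is
constructed: two transactions, one intercepted by rule 33340162, one allowed."""

import re
import sys
from collections import Counter
from typing import Iterable, Iterator

SAMPLE_AUDIT_LOG = """\
--a473ef48-A--
[01/Dec/2018:11:04:47 +0100] XAJcv@qA2Z4wjj2VQ2YJCgAAAAE 203.0.113.10 58994 198.51.100.5 7081
--a473ef48-B--
GET /matomo/piwik.php?download=https%3A%2F%2Fcdn.example.de%2Fimg.jpg&idsite=1&rec=1 HTTP/1.0
Host: analytics.example.com
referer: https://www.example.de/item/2916
--a473ef48-F--
HTTP/1.1 403 Forbidden
--a473ef48-H--
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "179"] [id "33340162"] [rev "294"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: URL detected as argument, possible RFI attempt detected"] [data "%TX:1,TX:1"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required.
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--a473ef48-Z--
--b1c2d3e4-A--
[01/Dec/2018:11:05:02 +0100] XAJcw@qA2Z4wjj2VQ2YJCgAAAAF 203.0.113.10 58995 198.51.100.5 7081
--b1c2d3e4-B--
GET /matomo/index.php HTTP/1.0
Host: analytics.example.com
--b1c2d3e4-F--
HTTP/1.1 200 OK
--b1c2d3e4-H--
Engine-Mode: "ENABLED"
--b1c2d3e4-Z--
"""

PART_MARKER = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")        # --a473ef48-A--
PART_A = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<uid>\S+)\s+(?P<src_ip>\S+)\s+\d+\s+\S+\s+\d+")
FIELD = re.compile(r'\[(id|msg|severity|file|line) "([^"]*)"\]')  # [id "33340162"] etc.


def _build_record(parts: dict) -> dict:
    """Reduce the collected parts of one transaction to the fields we care about."""
    rec = {"timestamp": None, "unique_id": None, "client_ip": None,
           "request_line": None, "host": None, "intercepted": False, "matches": []}
    m = PART_A.match((parts.get("A") or [""])[0])
    if m:
        rec.update(timestamp=m.group("ts"), unique_id=m.group("uid"), client_ip=m.group("src_ip"))
    b = parts.get("B") or []            # request line followed by request headers
    if b:
        rec["request_line"] = b[0]
        for hdr in b[1:]:
            name, sep, value = hdr.partition(":")
            if sep and name.strip().lower() == "host":
                rec["host"] = value.strip()
                break
    for line in parts.get("H") or []:   # audit trailer: one Message: line per rule match
        if line.startswith("Message:"):
            rec["matches"].append(dict(FIELD.findall(line)))
        elif line.startswith("Action: Intercepted"):
            rec["intercepted"] = True
    return rec


def parse_audit_stream(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one record per A..Z transaction; streams, so a 90 MB file is fine."""
    parts, current = None, None
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = PART_MARKER.match(line)
        if m:
            letter = m.group(2)
            if letter == "A":                       # a new transaction starts
                parts, current = {"A": []}, "A"
            elif letter == "Z" and parts is not None:  # transaction complete
                yield _build_record(parts)
                parts, current = None, None
            elif parts is not None:
                parts[letter], current = [], letter
            continue
        if parts is not None and current is not None:
            parts[current].append(line)


def parse_audit_log(text: str) -> list:
    return list(parse_audit_stream(text.splitlines()))


def blocked_by_client(records, client_ip: str) -> list:
    """Intercepted transactions from one client, e.g. the banned team member."""
    return [r for r in records if r["intercepted"] and r["client_ip"] == client_ip]


def rule_summary(records) -> Counter:
    """Count (rule id, msg) pairs over intercepted transactions; the id is what
    a SecRuleRemoveById exclusion takes."""
    summary = Counter()
    for r in records:
        if r["intercepted"]:
            for f in r["matches"]:
                if "id" in f:
                    summary[(f["id"], f.get("msg", ""))] += 1
    return summary


if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: modsec_why.py /var/log/modsec_audit.log [client-ip]
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            records = list(parse_audit_stream(fh))
    else:
        records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for (rule_id, msg), n in rule_summary(records).most_common():
        print(f"{n:6d}  id {rule_id}  {msg}")
    client = sys.argv[2] if len(sys.argv) > 2 else "203.0.113.10"
    for r in blocked_by_client(records, client):
        print(r["timestamp"], r["client_ip"], r["host"], r["request_line"])
```

Run it with the audit log path and the affected client's IP as arguments; without arguments it works on the embedded sample and reports rule 33340162 once. The rule ID it prints is the value a `SecRuleRemoveById` directive takes, and placing that directive in the ModSecurity configuration of the affected vhost (or in a `<Location>` block limited to the Matomo tracker path) switches off only that rule, for that scope, rather than the whole WAF. For the per-day logging question, ModSecurity's `SecAuditLogType Concurrent` mode writes one file per transaction into a date-based directory tree under `SecAuditLogStorageDir` instead of a single growing serial file; the same parser handles each of those files, since each contains one A..Z transaction.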