Facebook
TwitterHello,
I have Mod security enabled on the server. Recently, we've been getting daily bots from cortex/1.0 bot (faceboook). WAF is on and set to comdo Free, and predefined to FAST. I have added some custom rules in the custom directives to limit that user-agent, from a solution I saw online used in Apache.p Site is using Apache-FPM, serve static files by Nginx and nginx caching are not enabled. Only proxy mode and static file processing are enabled.
if I test with curl -A "cortex/1.0" example.com & curl -A "cortex/1.0" example.com & curl -A "cortex/1.0" example.com
it returns the proper result and I see in the logs that there is a Modsecurity deny for the 3rd request. I also tested from python selenium with success and from multiple ips at the same time as well.
However, when the actual bot comes in, its just makes the requests and they are served without any denying. I checked on Cloudflare and I can see the bot making the requests thousands of times with that exact user-agent in the header.... I also can see it in apache logs, that its clearly the same agent making multiple requests in the span of 3 seconds and nothing gets denied at all.
From the apache access log segment below (there are actually thousands of similar requests in the span of seconds/1 minute), Modsecurity should have started denying the requests. I'm wondering if there is a setting I should be aware off because it doesn't make sense to me. Any help is appreciated
I have Mod security enabled on the server. Recently, we've been getting daily bots from cortex/1.0 bot (faceboook). WAF is on and set to comdo Free, and predefined to FAST. I have added some custom rules in the custom directives to limit that user-agent, from a solution I saw online used in Apache.p Site is using Apache-FPM, serve static files by Nginx and nginx caching are not enabled. Only proxy mode and static file processing are enabled.
if I test with curl -A "cortex/1.0" example.com & curl -A "cortex/1.0" example.com & curl -A "cortex/1.0" example.com
it returns the proper result and I see in the logs that there is a Modsecurity deny for the 3rd request. I also tested from python selenium with success and from multiple ips at the same time as well.
However, when the actual bot comes in, its just makes the requests and they are served without any denying. I checked on Cloudflare and I can see the bot making the requests thousands of times with that exact user-agent in the header.... I also can see it in apache logs, that its clearly the same agent making multiple requests in the span of 3 seconds and nothing gets denied at all.
From the apache access log segment below (there are actually thousands of similar requests in the span of seconds/1 minute), Modsecurity should have started denying the requests. I'm wondering if there is a setting I should be aware off because it doesn't make sense to me. Any help is appreciated
