Hi Blason R,
On Fri, Apr 21, 2023 at 11:16:35PM +0530, Blason R wrote:
[...]
> Am I doing anything wrong here?
>
> Here are the requests
> 192.168.5.232 - - [21/Apr/2023:23:10:34 +0530] "GET /administrator
> HTTP/2.0" 301 165 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
> Gecko/20100101 Firefox/112.0"
> 192.168.5.232 - - [21/Apr/2023:23:10:53 +0530] "GET /administrator/
> HTTP/2.0" 302 154 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
> Gecko/20100101 Firefox/112.0"
> 192.168.5.232 - - [21/Apr/2023:23:11:03 +0530] "GET
> /administrator/Login.aspx?Session=Out HTTP/2.0" 200 6013 "-" "Mozilla/5.0
> (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
>
> And here is the rule in modsecurity.conf
> SecRule REQUEST_URI "@contains /administrator"
> "id:10,phase:1,t:none,t:lowercase,deny,status:403,log,msg:'Admin Panel
> Unathorised Access'"
>
> And how do I allow or bypass certain IP addresses?
Your rule seems good.
Could you turn on the debug log for a while, and check this rule?

    SecDebugLog /var/log/nginx/modsec_debug.log
    SecDebugLogLevel 9

And after sending a request, check the log, especially the rule
ID 10.
a.
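
For the IP allowlist question quoted above, one possible configuration, added here as an example and not part of the original thread. The rule id 9 and the client addresses are assumptions (constructed values from the documentation ranges); rule 10 is copied from the quoted message as posted.

```apache
# Added example, not from the original thread.

# A deny action only blocks when the engine is On. With DetectionOnly the
# rule still matches and logs, but the request is served as usual.
SecRuleEngine On

# Debug logging as suggested in the reply; level 9 is very verbose, so
# switch it off again once rule 10 has been checked.
SecDebugLog /var/log/nginx/modsec_debug.log
SecDebugLogLevel 9

# Allowlist: for the listed clients, drop rule 10 from the current
# transaction only. Every other client is still evaluated by rule 10.
# id:9 is a hypothetical unused id; this rule must be loaded before rule 10.
# 192.0.2.10 and 198.51.100.0/24 are constructed sample addresses.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10,198.51.100.0/24" \
    "id:9,phase:1,pass,nolog,ctl:ruleRemoveById=10"

# Rule 10 exactly as posted in the thread, split over two lines.
SecRule REQUEST_URI "@contains /administrator" \
    "id:10,phase:1,t:none,t:lowercase,deny,status:403,log,msg:'Admin Panel Unathorised Access'"
```

If the server sits behind a reverse proxy or load balancer, REMOTE_ADDR holds the proxy's address, so the allowlist then has to match whatever address the server actually sees.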