Skip to main content

ZC-11209 - ModSec custom rules lost after Leapp upgrade

Comments

3 comments

  • gramzon
    I found the problem. Rule 901162 was disabled. I have replaced it with a custom rule at some point, but the upgrade disabled all my custom rules, as the modsec2.user.conf file is empty now. This was the file prior to the upgrade: SecUploadDir /tmp SecTmpDir /tmp SecDataDir /tmp SecRequestBodyAccess On # Limit client hits by user agent SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit" "id:400009,phase:2,nolog,pass,setvar:global.ratelimit_facebookexternalhit=+1,expirevar:global.ratelimit_facebookexternalhit=5" SecRule GLOBAL:RATELIMIT_FACEBOOKEXTERNALHIT "@gt 1" "chain,id:4000011,phase:2,deny,status:429,setenv:RATELIMITED,nolog,msg:'RATELIMITED BOT'" SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit" Header always set Retry-After "5" env=RATELIMITED ErrorDocument 429 "Too Many Requests" # Fix wp elementor access denied (this is unsafe) SecRuleRemoveById 949110 SecRuleRemoveById 980130 SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134 # Setup brute force detection. # React if block flag has been set. SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 10 minutes, more than 10 login attempts in 3 minutes.'" # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed. SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136" SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137" SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=600,setvar:ip.bf_counter=0" ErrorDocument 401 default # Default HTTP policy: allowed_request_content_type (rule 900220) SecRule &TX:allowed_request_content_type "@eq 0" "id:1901162, phase:1, pass, nolog, setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain|text/x-gwt-rpc'"
    After restoring the custom rules everything works fine.
    0
  • cPRex Jurassic Moderator
    Hey there! I'm doing some testing with this now and I'll let you know what I find!
    0
  • cPRex Jurassic Moderator
    The good news - this isn't specifically related to ELevate, as the removal of the customization happens when the ea-apache24 packages get removed. The bad news - I don't have a workaround available just yet, besides manually restoring the file as you did. I've created case ZC-11209 to have our developers take a look at this, and I'll be sure to post an update once I get one.
    0

Please sign in to leave a comment.