Mod Security Whitelist


  • Cloud9
    I wanted to whitelist my IP due to not being able to do some stuff in the ACP on an IPB forum. This is the rule triggered by mod sec: DOMAIN.com MYIPADDRESS 950004 [27/Oct/2013:10:49:05 +0000] Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at ARGS:nexus_invoice_header. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\x22http:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]
    The cause was pasting HTML code in an IPB forum in the admin control panel. I have whitelisted the rule for that domain - but is that the best solution, or can I just whitelist that rule for the ACP?
    0
  • Infopro
    You'll find this plugin helpful in making that task a bit easier to manage: ConfigServer ModSecurity Control | cPanel App Catalog (http://applications.cpanel.net/configserver-modsecurity-control-cmc/)
    0
  • 24x7server
    Hello, also you can disable mod_sec for one domain using the following code in your conf file: SecRuleEngine Off
    Please check :
    0
  • Cloud9
    Thanks. Ideally, is there any way I can whitelist an IP (my own) so modsec ignores me?
    Infopro wrote: You'll find this plugin helpful in making that task a bit easier to manage: ConfigServer ModSecurity Control | cPanel App Catalog (http://applications.cpanel.net/configserver-modsecurity-control-cmc/)
    Thanks. I have all the CFS stuff installed (it's very good) - I still can't see where to whitelist an IP in mod sec - and not tie it to any rule ids
    0
  • georgeb
    Just add this line in your modsec2.whitelist.conf: SecRule REMOTE_ADDR "^XX\.XX\.XX\.XX$" "phase:1,nolog,allow,id:999999999,ctl:ruleEngine=off"
    Do you see the difference? Regards
    0
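The options discussed in this thread, ordered from narrowest to broadest exception, as an added example that is not part of any post above. It assumes ModSecurity 2.7 or later (for `@ipMatch`), that the IPB admin control panel is served under `/admin/`, and that rule 950004 runs in phase 2; the address `203.0.113.10` and the rule ids 1000001 to 1000003 are placeholders.

```apache
# Added example. Assumed values: /admin/ as the ACP path, 203.0.113.10 as the
# administrator's address, ids 1000001-1000003 as unused local rule ids.
# All three rules run in phase 1 so the exception is set before rule 950004
# (assumed phase 2) inspects the request arguments.

# Option 1 (narrowest): keep rule 950004 active everywhere, but stop it from
# inspecting the one parameter that triggered it, and only on ACP requests.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:1000001,phase:1,t:none,pass,nolog,ctl:ruleRemoveTargetById=950004;ARGS:nexus_invoice_header"

# Option 2: switch rule 950004 off for ACP requests, but only when they come
# from the administrator's address. The ctl action sits on the last rule of
# the chain, so it fires only when both conditions match.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
    "id:1000002,phase:1,t:none,pass,nolog,chain"
    SecRule REQUEST_URI "@beginsWith /admin/" \
        "t:none,ctl:ruleRemoveById=950004"

# Option 3 (broadest): skip the rule engine entirely for one address.
# @ipMatch compares the address itself, so it cannot over-match the way an
# unanchored regex with unescaped dots can. Every other protection is also
# lost for this client, and behind a proxy or CDN REMOTE_ADDR is the proxy's
# address, which would exempt everyone coming through it.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
    "id:1000003,phase:1,t:none,nolog,allow,ctl:ruleEngine=Off"
```

Use one option, not all three. Option 1 leaves the XSS rule in force for every other parameter and every other URL on the site.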