mod_security configuration

Comments

15 comments

  • cPanelMichael
    Hello :) Please check /usr/local/apache/logs/error_log when this happens or search it using grep in order to determine the specific rule ID that is blocking your WordPress users. You can then remove this rule from the Mod_Security configuration if necessary. Thank you.
    0
  • smartshovon
    How can I check from SSH?
    0
  • cPanelMichael
    Try searching for the username of an account that you experienced this issue with. EX: grep $username /usr/local/apache/logs/error_log
    Note that you will not have to post the entire output here. Instead, just post the snippet associated with the Mod_Security rule. Thank you.
    0
  • smartshovon
    I have a server. I want to disable mod_security for all my WordPress clients, only those who use WordPress. How can I do it?
    0
  • cPanelMichael
    There are a couple of ways to do this, but it's better to use a third-party application to achieve this if you are not comfortable on the command line. EX: ConfigServer ModSecurity Control | cPanel App Catalog (http://applications.cpanel.net/configserver-modsecurity-control-cmc/). Thank you.
    0
  • smartshovon
    Thanks a lot... If I disable this, then my main WHM is not affected by it, right? If any hacker hacks my client's cPanel, I have no problem with that, but I want the main server where WHM is installed not to be affected by this.
    0
  • quizknows
    Do not just disable modsecurity entirely for those domains; it's a short-sighted solution to a problem that isn't actually that hard. You're opening a lot of risk by taking the "easy" solution in the short term. If your customer(s) get blocked making edits, get their IPs and check the error logs. Usually it's a SQL injection rule that is tripped, if they use words like SELECT, UNION, etc. too many times in a post. Odds are you will only need to whitelist a handful of rule IDs at most to get them going, and their sites will be better protected with the other rules still in place. As recommended, configserver modsec control is a good app to whitelist rule IDs.
    0
  • smartshovon
    Some time ago one of my clients was blocked by this: 180.234.27.254 # lfd: (mod_security) mod_security (id:1234123404) triggered by 180.234.27.254 (BD/Bangladesh/AWBL27-254.qubee.com.bd): 5 in the last 3600 secs - Wed Dec 4 22:06:54 2013. I have already installed ConfigServer ModSecurity Control. Now which ID should I whitelist?
    0
  • quizknows
    Check for 180.234.27.254 in the Apache error log; those messages will tell you the rule ID or IDs that you need to whitelist. The info might also be in the modsec audit log, but it will be in error_log for sure.
    0
  • smartshovon
    Where do I check the Apache error log?
    0
  • cPanelMichael
    The Apache error log is located at: /usr/local/apache/logs/error_log Thank you.
    0
  • smartshovon
    I get this type of error. Where is the ID? [Thu Dec 05 15:00:02.488245 2013] [:error] [pid 39546] [client 180.211.252.55] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.domain.com"] [uri "/wp-content/plugins/kk-i-like-it/js/jquery.cookie.js"] [unique_id "UqDpUmB-oGoAAJp6kJoAAAAL"]
    0
  • quizknows
    1234123404 is the rule ID (where it says [id "1234123404"]). If you have configserver modsec control, use that to whitelist rule 1234123404 for the correct domain if this is a known legitimate request.
    0
  • smartshovon
    What does this ID do? Can you tell me?
    0
  • dekdroiddev
    Thanks for the good knowledge. ;)
    0
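
Added example, not posted by anyone in the thread: a shell function that performs the error_log search described in the comments above for one client IP and lists each rule ID that blocked it, with hit count, hostname and message. The log lines, the 203.0.113.x addresses, the example.com hostnames and rule ID 9990001 are constructed sample data, and `modsec_rule_ids` is a hypothetical helper name.

```bash
# modsec_rule_ids LOGFILE CLIENT_IP
# Prints "<hits> id=<rule id> host=<hostname> msg=<msg>" per distinct rule, most hits first.
modsec_rule_ids() {
    awk -v ip="$2" '
        # Return the quoted value of a [name "value"] field, or "-" if absent.
        function field(line, name,    key, start, rest, stop) {
            key = "[" name " \""
            start = index(line, key)
            if (start == 0) return "-"
            rest = substr(line, start + length(key))
            stop = index(rest, "\"]")
            return stop ? substr(rest, 1, stop - 1) : "-"
        }
        # Exact client match only; Apache 2.4 may log the client as "IP:port".
        index($0, "ModSecurity:") &&
        (index($0, "[client " ip "]") || index($0, "[client " ip ":")) {
            hits[field($0, "id") "\t" field($0, "hostname") "\t" field($0, "msg")]++
        }
        END {
            for (k in hits) {
                split(k, p, "\t")
                printf "%d id=%s host=%s msg=%s\n", hits[k], p[1], p[2], p[3]
            }
        }
    ' "$1" | sort -rn
}

# Constructed sample log in the same format as the error_log entry quoted in the thread.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[Thu Dec 05 15:00:02 2013] [:error] [pid 1] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "www.example.com"] [uri "/wp-content/plugins/demo/js/jquery.cookie.js"] [unique_id "A1"]
[Thu Dec 05 15:00:09 2013] [:error] [pid 1] [client 203.0.113.10:51544] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "www.example.com"] [uri "/wp-content/plugins/demo/js/jquery.cookie.js"] [unique_id "A2"]
[Thu Dec 05 15:02:11 2013] [:error] [pid 2] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS:content. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "90"] [id "9990001"] [msg "SQL Injection Attack"] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "A3"]
[Thu Dec 05 15:03:40 2013] [:error] [pid 3] [client 203.0.113.100] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "shop.example.com"] [uri "/js/jquery.cookie.js"] [unique_id "A4"]
[Thu Dec 05 15:04:00 2013] [:error] [pid 4] [client 203.0.113.10] File does not exist: /home/demo/public_html/favicon.ico
EOF

modsec_rule_ids "$SAMPLE_LOG" 203.0.113.10
```

On the server, pass /usr/local/apache/logs/error_log as the first argument; the IDs it lists are candidates to whitelist for that domain only once the blocked request is confirmed legitimate.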