
Apache Mod Security is not being disabled for certain path

Comments

9 comments

  • rpvw
    You can disable modsec for paths (I'm not sure it can go down to individual files ! ) Probably the easiest way of managing your requirements, is to install the free ConfigServer ModSecurity Control (cmc) module that will let you disable by rule, user, domain or DirectoryMatch (e.g. ^/home/someuser/public_html/ignore/some/path/), and has lots more convenient features.
  • postcd
    Hello, I have enabled Comodo ModSecurity vendor rules in WHM and one rule is blocking me. So I added a new rule that should disable the mod security engine on certain URIs:
    SecRule REQUEST_URI "@pm editpost newreply newthread" "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"
    I added it at the top of WHM / Security / ModSecurity Tools / "Edit Rules". But the Comodo vendor rule is still triggered and I get a 403 as a result. When I use:
    SecRule REMOTE_ADDR "^myiphere$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:9999"
    I am not blocked, so I assume my custom rules override vendor rules, but the SecRule REQUEST_URI is somehow wrong / or not supported?
  • quizknows
    You may be getting into rule parsing order, as rules are processed based on 2 things. First is order of includes but 2nd is phase. Anyway I think your options below are probably deprecated:
    SecFilterEngine Off
    SecFilterScanPOST Off
    Try "SecRequestBodyAccess Off" (this will skip processing of the request bodies). I don't see anything wrong with your @pm rule off hand for the record. But you could try this if you want:
    SecRule REQUEST_URI "editpost|newreply|newthread" "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"
    I would however recommend this ctl instead of removing the whole rule engine: 'ctl:ruleRemoveById=#COMODORULE'. It does seem modsec2.user.conf is included before vendor configs by cPanel's modsec2.conf, for users to be able to whitelist rules like this. Worst case, remove your nolog / noauditlog stuff from your rules for a bit to troubleshoot. The modsec audit log, coupled with the manual, can help you decipher just about anything.
  • postcd
    Thx for help, yet I am NOT successful with:
    SecRule REQUEST_URI "editpost|newreply|newthread" "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"
    I added your rule at the top (WHM / Mod sec / Edit Rules section), but it does not prevent other rules (Comodo vendor rules) from causing a 403 error. At the bottom of the "Edit Rules" is the included file /usr/local/apache/conf/modsec2.whitelist.conf:
    # ConfigServer ModSecurity whitelist file
    SecRuleRemoveById 300012
    That also did not work, as with your rule. On the other hand the following rule worked and the request went thru without 403. But I think this rule is wrong and allows all traffic on the server:
    # Disables ModSecurity for certain paths
    SecRule REQUEST_URI "!\/(mydomain\.com\/editpost\.php|mydomain\.com\/newthread\.php|mydomain\.com\/newreply\.php|mydomain2)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
    The following rule also works as mentioned earlier, but is for IP match, not for file or path match:
    SecRule REMOTE_ADDR "^myiphere$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:9999"
    I want to whitelist domain.tld/file.php or at least file.php, which does not work as mentioned. Deprecated: SecFilterEngine Off SecFilterScanPOST Off Try "SecRequestBodyAccess Off" (this will skip processing of the request bodies).
    I tried to use your mentioned "SecRequestBodyAccess Off" inside the pre VirtualHost include all file, but that does not work either!: SecRequestBodyAccess Off SecRequestBodyAccess Off SecRequestBodyAccess Off
    I can't believe there is no simple way to whitelist some path or file names at least from all mod. sec. rules including vendor rules? Please kindly advise, thank you a lot in advance.
  • cPanelMichael
    I can't believe there is no simple way to whitelist some path or file names at least from all mod. sec. rules including vendor rules?

    Hello, This was possible in older versions of Mod Security through rules in the .htaccess file, however ModSecurity discontinued this functionality in version 2.x. You can read more about this at: How to disable mod_security and mod_security2 in .htaccess Additionally, you may find the following threads helpful for overall ModSecurity troubleshooting: ModSec shows security scanner scanning 127.0.0.1 Editing ModSecurity vendor rules Thank you.
  • quizknows
    Your ifmodule is wrong, so those will do nothing. You need to use That said, something odd is going on. The line "SecRuleRemoveById 300012" by itself in a user config like modsec2.user.conf should properly disable the rule if that is the rule causing you trouble. Keep in mind you may have to whitelist several similar rule IDs in some cases. Make sure you get rid of all your incorrect ifmodules first. A good way to make sure Apache will include your config is to make an invalid line, i.e.
    SecRule Invalid
    Run a httpd configtest (NOT RESTART). It should throw an error for the invalid line. If it doesn't, then your include is not being called by Apache, or your ifmodule is not allowing that directive to be processed. If it does throw the error, then you can immediately remove the invalid line so that it doesn't break Apache, and add your settings knowing they're being parsed.
  • postcd
    quizknows: I tried to add your mentioned invalid rule:
    SecRule Invalid

    into WHM/Apache configuration/Include Editor/pre virtualhost all include and it returned: SecRule takes two or three arguments, rule target, operator and optional action list. So I assume "" is working.. So I removed the invalid rule and tried to apply my custom rule which included: SecFilterEngine Off SecFilterScanPOST Off but these did not work, the Include editor said they are invalid directives. And it also found SecRequestBodyAccess invalid:
    The "/usr/local/apache/bin/httpd" command (process 4764) reported error number 1 when it ended. Configuration problem detected on line 150 of file /usr/local/apache/conf/includes/pre_virtualhost_global.conf: Invalid command ' 145 146 147SecRequestBodyAccess Off 148 149 150 ===> <=== 151SecRequestBodyAccess Off 152 153 154 155SecRequestBodyAccess Off 156 --- /usr/local/apache/conf/includes/pre_virtualhost_global.conf ---
    So I am now unsure which rule to use to disable Mod.Sec. Inside the Mod. Sec. rules (configured and accepted thru WHM/Mod.Sec section) I have the SecRequestBodyAccess Off without problem. So it seems the Include editor somehow does not support it. Isn't that because it is invalid for Module security2_module? Into which file do I need to add my rules:
    SecRequestBodyAccess Off SecRequestBodyAccess Off SecRequestBodyAccess Off
    Please? And after that I execute /scripts/update_apachectl and then "service httpd configtest"? Unsure why I can not add it thru WHM. (I receive the error above in this post)
  • postcd
    Thank you all who contributed to this topic. Here are 2 things that worked (to disable ModSecurity for certain file names):
    OPTION A) Add the following rule to WHM / ModSecurity Tools / Edit Custom Rules:
    # Disable ModSecurity for certain file names
    SecRule REQUEST_URI "(ajax.php|editpost.php|newthread.php|newpost.php|otherfilename.php)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
    The file name has to match not the URL you see in the browser address bar, but the file name that is reported by ModSecurity Tools/Hits List. It did not work for me to define the full path like domain.com/filename.php, only filename.php :-(
    OPTION B) At the bottom of WHM / ModSecurity Tools / Edit Custom Rules, I have the line: Include /usr/local/apache/conf/modsec2.whitelist.conf and when I add the following to that *.whitelist.conf file:
    SecRuleRemoveById 212000 212620 212770 212870 2172809999999 300012 5000130 SecRequestBodyAccess Off
    and restart httpd (service httpd restart), then it also works. Both work: SecRuleRemoveById (which disables mod. sec. just for one or more rules) and SecRequestBodyAccess (which disables mod.sec. completely for the defined file name).
  • quizknows
    Glad you got going. For option A you could also chain a 2nd condition to limit to domain(s), i.e.
    # Disable ModSecurity for certain file names
    SecRule REQUEST_URI "(ajax.php|editpost.php|newthread.php|newpost.php|otherfilename.php)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,chain"
    SecRule SERVER_NAME "domain.com"
    That way the rule only invokes if both domain.com matches and your first regex matches. It seems option B is probably better and I'm guessing you maybe went that way. Editing modsec2.user.conf through the GUI may run into limitations if that's how you were trying to edit rules. If you're doing anything advanced just use the command line.
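An added check, not part of the thread, that evaluates the three REQUEST_URI patterns discussed above (the negated "mydomain.com" rule postcd suspected allows all traffic, option A's unanchored file-name list, and a tightened variant) against constructed sample URIs to show for which requests ctl:ruleEngine=Off would fire. The /forum/ prefix, the sample URIs and the tightened pattern are assumptions for illustration, and REQUEST_URI is modelled as path plus query string without the hostname, which is why the hostname-based pattern never matches.

```python
import re

# Constructed sample request URIs (not from the thread): the forum scripts
# the thread whitelists plus unrelated paths that should stay protected.
SAMPLE_URIS = [
    "/forum/editpost.php?p=12",
    "/forum/newthread.php",
    "/forum/index.php",
    "/admin/login.php",
    "/wp-login.php",
]

# Pattern from the negated rule in the thread. REQUEST_URI carries no
# hostname, so "mydomain.com/..." can never match and the negation ("!")
# switches the engine off for every request.
NEGATED_RULE = re.compile(
    r"/(mydomain\.com/editpost\.php|mydomain\.com/newthread\.php"
    r"|mydomain\.com/newreply\.php|mydomain2)")

# Option A from the thread: unanchored, dots unescaped.
OPTION_A = re.compile(
    r"(ajax.php|editpost.php|newthread.php|newpost.php|otherfilename.php)")

# Tightened variant (assumption: the forum lives under /forum/): anchored,
# dots escaped, applied to the path only, as REQUEST_FILENAME would be.
TIGHTENED = re.compile(r"^/forum/(ajax|editpost|newthread|newpost)\.php$")


def engine_off_negated(uri):
    """Negated operator: engine off when the pattern does NOT match."""
    return NEGATED_RULE.search(uri) is None


def engine_off_option_a(uri):
    return OPTION_A.search(uri) is not None


def engine_off_tightened(uri):
    path = uri.split("?", 1)[0]  # drop the query string, keep the path
    return TIGHTENED.match(path) is not None


def evaluate(uris=SAMPLE_URIS):
    """Per rule, the URIs for which ctl:ruleEngine=Off would fire."""
    return {
        "negated": [u for u in uris if engine_off_negated(u)],
        "option_a": [u for u in uris if engine_off_option_a(u)],
        "tightened": [u for u in uris if engine_off_tightened(u)],
    }
```

Run evaluate() and compare the three lists: the negated rule lists every sample URI, including /admin/login.php, while the other two only list the forum scripts.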
