AllowOverride: how and where?

[edenent]

Hello I had been using shared hosting for along time to run my sites. Well the other day I got a vps running centos5 and using cpanel/whm. I have used easy appache and enabled mod_security, and im using the gotroot rules. What im looking to do sence only one of the 3 sites I have on the vps is broken because of the rules is how do I set AllowOverride for just that one virtualhost so I can use htacces to SecFilterEngine Off. Im somewhat of a linux noob, so please use easy terms .

[Spiral]

Quote:

Originally Posted by edenent

Hello I had been using shared hosting for along time to run my sites. Well the other day I got a vps running centos5 and using cpanel/whm. I have used easy appache and enabled mod_security, and im using the gotroot rules. What im looking to do sence only one of the 3 sites I have on the vps is broken because of the rules is how do I set AllowOverride for just that one virtualhost so I can use htacces to SecFilterEngine Off. Im somewhat of a linux noob, so please use easy terms .

Depending on how Mod_Security has been compiled on your server,
you may or may not have the option of turning off Mod_Security using
the "SecFilterEngine Off" in your web hosting account .HTACCESS file.

You keep asking about "AllowOverride" in your post above, but that is really
not the issue here at all. Some people don't realize that Mod_Security
can be optionally compiled at install time so as to to not allow any website
to override the security settings via .HTACCESS and this option was created
for a good reason as Mod_Security would be pretty if every website could
just simply "Turn it Off" and you will find that more and more servers have
this option setup as the default with no "SecFilterEngine Off" commands!

Instead of turning off Mod_Security, which defeats the entire purpose
of you having security setup in the first place, I would recommend that
you instead find out which rules are being triggered for the site having
problems and write in exceptions to those rules so that they are no
longer being triggered anymore. A simple review of your log file at
/usr/local/apache/logs/modsec_audit.log will tell you very quickly
what rule is getting triggered and why it is getting triggered and
from that, you should be able to add a custom exemption rule for
the site if you find the rule should not be triggered. In some cases,
you may find the web site is actually doing something it should not
be doing and you might find you actually want to leave the rule in place
and instead change out the offending program on the web site instead.


On a different but related note ...

Now one thing that does concern me is you mentioning that you
are running a VPS server and that you are using the ruleset from
"Got Root" for Mod_Security. Those two items almost seem like
an oxymoron in the same sentence together as VPS servers are
far too often very limited in resources compared to real actual
dedicated servers and running extra processes like Mod_Security
or a large ruleset as you find with the "Got Root" rules could
be very taxing resource wise on a server with such limited
resources as you commonly find with most VPS servers.

[edenent]

I compiled it using easy apache, so I dont know how to install it with the optional setting thing. With the gotroot rules my vps has 1gn of ram should I be fine im mean atm my memory is like 67% free. Would I be better off with the default WHM rules?? On another note the one rules in question is only effecting the 1 of my 3 sites here what its saying in log.

[Thu Jul 02 17:23:35 2009] [error] [client 76.123.225.96] ModSecurity: Access denied with code 406 (phase 2). RBL lookup of 96.225.123.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ALERT"] [hostname "www.mysite.com"] [uri "/index.php"] [unique_id "Sk0lbkgsUOAAAA@V4lAAAAAG"]

And this is what its saying on the cpanel/whm mod_sec interface log

2009-07-02 17:23:38 76.123.225.96 / HTTP/1.1 www.mysite.com Access denied with code 406 (phase 2). RBL lookup of 96.225.123.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ALERT"] 406

2009-07-02 17:23:35 76.123.225.96 /index.php HTTP/1.1 www.mysite.com Access denied with code 406 (phase 2). RBL lookup of 96.225.123.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ALERT"] 301

on the logs when posting them here I took out the name of my real site and just put in mysite

[Spiral]

Regarding your server having 1 GB of memory, that would bare bones
minimum to get away with running the full "Got Root" rules on a dedicated
server but I seriously worry about running that set on a VPS that only
has 1 GB of memory which is really pushing the threshold of things there.

As for the other, I got some good news and bad news for you ...

Quote:

2009-07-02 17:23:38 76.123.225.96 / HTTP/1.1 www.mysite.com Access denied with code 406 (phase 2). RBL lookup of 96.225.123.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ALERT"] 406

2009-07-02 17:23:35 76.123.225.96 /index.php HTTP/1.1 www.mysite.com Access denied with code 406 (phase 2). RBL lookup of 96.225.123.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ALERT"] 301

As for the error messages and rules you quoted, the visitors to your sites
are being flagged as blacklisted by Spamhaus as bad IPs and the reason
this is happening is because they recently combined their PBL data into
the new renamed list replacing XBL.

In plain English what happens is instead of just blacklisting visitors who are
known spammers from reaching your web sites, almost all visitors are now silently
getting blocked now if your visitors originate from most any known regular ISP
account such as you get with most cable modem and DSL providers so basically
just about everyone is getting blacklisted from your server. Because of this
recent change, at our own company, we DO NOT use Spamhaus anymore
and we recommend DO NOT recommend that anyone use Spamhaus
RBL blacklist databases to filter out traffic or email! We still have confidence in
SpamCop but our faith in Spamhaus is gone because of this change!

Combining those separate databases was well intentioned and meant to limit spam
traffic from non-server originating mail senders but instead had the unintentional
side effect of blocking massive amounts of web traffic from reaching web servers
for hosts that had previously relied on the earlier blacklist databases and did not
expect to see any changes like this coming down the line.

I would either delete all the Spamhaus rules from the "00_ASL_RBL.conf" file
where you store your Mod_Security "Got Root" rules and just use the
rules for SpamCop only (OR) just simply delete that file entirely and
then Mod_Security won't perform any RBL Blacklisting checking. The only difference
between the two is whether or not you keep SpamCop RBL checks or stop those.

You should be advised that many of the spam protection systems for
email and Exim's configuration itself may also perform Spamhaus checking
as well as many forum community and CMS applications so you might also
get legitimate visitors blocked elsewhere in your server as well and should
see about removing those checks as well.

Incidentally, we had the same thing happen to some of our servers a while
back and we were also pretty pissed when we found out that RBL checks
had been escalated from known spammers to all non-web server IPs
suddenly blocking most of our visitors without our knowledge. However
now that you are aware of this, you can take action to fix it. If you need
any assistance whatsoever, feel free to ask and I would be more than
willing to give you a hand with clearing that up.

While on the subject of major RBL blacklist databases, everyone should probably
know that one of the other major databases named SORBS is currently scheduled to
go out of business effective July 20th and at that time if anyone is using SORBS
for blacklist checks for your email or any program, you'll probably start getting a
lot of connections flagged as blacklisted by mistake as often happens when these
servers go out of business. That given if you are using SORBS for any RBL checks,
you may want to go ahead and remove that from your servers right now.

All of the above blacklist services (SORBS, Spamhaus, and SpamCop) will each tell you
that they themselves don't "blacklist IPs" but all that really means is that they don't
own the code on your server doing the actual IP blocking. They do however provide
the database information that many software applications and modules on your server
might use to in turn block user traffic --- and sometimes block legitimate users too!

[edenent]

Would this rule work with spamcop?

SecRule REMOTE_ADDR "@rbl bl.spamcop.net" "chain,deny, log, id:350000,msg:'RBL: httpbl.spamcop.net',severity:'1'"
SecRule REMOTE_ADDR "@rbl bl.spamcop.net"

[Spiral]

I don't have the rules in front of me at the moment but what you wrote
looks about right for calling SpamCop RBL inquiries.

Reminder: SpamCop is not the service reporting regular non-spammer IPs
so you shouldn't have any trouble continuing to use SpamCop. It is the
other services, particularily Spamhaus, that are the source of trouble now
with blacklisting IPs that should not be blocked and the rules for the
Spamhaus service is what you mainly want to get rid of.

As for me, I'm not much on today as yesterday I just got out of the
hospital following them cleaning out a blocked stint installed a few years
ago and I think they let me out too early as not doing so great today and
they didn't do any follow up xrays or anything and I'm not online much today
as feel generally "gruddy" as the word goes. I may be on and off later
depending on how I'm doing and try to answer any questions I can but just
letting you know that my replies may be a bit slow coming the next few days.