  1. #1
    Member
    Join Date
    Dec 2007
    Posts
    104

    Default Can someone help with mod_sec rules and an application I am trying to run?

    I am running the default mod security rules. I installed an application that isn't playing nice. I get the following:

    Code:
    [Tue Apr 21 15:34:56 2009] [error] [client xxx.xxx.xxx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature <; id>"] [severity "CRITICAL"] [hostname "sub.domain.com"] [uri "/index.php"] [unique_id "Se4f4ErIWbsAAB0oMSIAAAAC"]
    I would prefer not to disable mod_sec for the domain. Does anyone know how I would be able to modify the rules to allow the application yet not add any vulnerabilities to the domain?

    If I had to, how would one disable mod security for just a sub domain?

  2. #2
    Member
    Join Date
    May 2008
    Posts
    1,203

    Default

    Quote Originally Posted by betoranaldi View Post
    I am running the default mod security rules. I installed an application that isn't playing nice. I get the following:

    If I had to, how would one disable mod security for just a sub domain?
    Create a new file named .htaccess inside your sub domain, and add in the following code:

    SecFilterEngine Off
    SecFilterScanPOST Off

    The above entries in the .htaccess should disable the ModSecurity (mod_security) module for the sub domain.

  3. #3
    Member
    Join Date
    Dec 2007
    Posts
    104

    Default

    Quote Originally Posted by thewebhosting View Post
    Create a new file named .htaccess inside your sub domain, and add in the following code:

    SecFilterEngine Off
    SecFilterScanPOST Off

    The above entries in the .htaccess should disable the ModSecurity (mod_security) module for the sub domain.
    I tried that but it doesn't work. I get a 500 error. It appears I am running mod sec 2.5 (whatever the default install is with WHM) which doesn't allow the override.

  4. #4
    Member sawbuck's Avatar
    Join Date
    Jan 2004
    Posts
    1,313
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Try Sparek's suggestion in this thread.

    http://forums.cpanel.net/showpost.ph...36&postcount=4

  5. #5
    Member
    Join Date
    Dec 2007
    Posts
    104

    Default

    Quote Originally Posted by sawbuck View Post
    Try Sparek's suggestion in this thread.

    http://forums.cpanel.net/showpost.ph...36&postcount=4

    This is great, and I will use it if I have to, but would it be possible to just disable it for a subdomain? I would rather not have the whole domain vulnerable.

  6. #6
    Member
    Join Date
    Dec 2007
    Posts
    104

    Default

    After doing some research, I found out that I can disable the rule for a particular folder.

    Code:
    <Directory /home/user/public_html/subdomain>
      SecRuleRemoveById 990011
    </Directory>
    I manually added this to my http.conf and restarted apache. The rule is still in effect so I guess I put that code in the wrong place. Where in the http.conf file should that be added and how can I make it so cpanel doesn't overwrite it on update?

    Thanks
    Brian

  7. #7
    Member
    Join Date
    Jan 2005
    Posts
    20

    Default We got it to work...

    We wanted to do this same thing: disable modsec2 for one domain on a cpanel server.

    We found we could get it to work by creating a conf file, and referencing it in the httpd.conf for the custom include.

    In this referenced file, we put

    <IfModule mod_security2.c>
    SecRuleEngine Off
    </IfModule>

    or you can put a specific rule

    <IfModule mod_security2.c>
    SecRuleRemoveById 950001
    </IfModule>

    The difference we found critical is that we are using Apache 2.2, and the modsec is modsec2, and the IfModule has to reference the "2" as well for it to work.

    Hope this helps someone else.

  8. #8
    Member
    Join Date
    Nov 2005
    Posts
    57

    Default Please elaborate

    Could you write it specifically? I have one domain I wish to exclude. I am apache2 and modsec2.

    I understand to make a conf file but do not understand where/how to
    reference it in the httpd.conf for the custom include.
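
Added example, not part of any post in this thread: a Python sketch that reads a ModSecurity 2.x error-log line like the one in post #1, extracts the id of the rule that fired and the variable it matched, and builds a `SecRuleRemoveById` for that id only, scoped to one directory and wrapped in the `mod_security2.c` IfModule from post #7. The sample line is constructed from post #1 with the pattern shortened, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the log line in post #1 (pattern shortened).
SAMPLE = (
    '[Tue Apr 21 15:34:56 2009] [error] [client xxx.xxx.xxx.xx] ModSecurity: '
    'Access denied with code 406 (phase 2). Pattern match "..." at '
    'REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] '
    '[line "91"] [id "950006"] [msg "System Command Injection. Matched '
    'signature <; id>"] [severity "CRITICAL"] [hostname "sub.domain.com"] '
    '[uri "/index.php"]'
)

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
TARGET_RE = re.compile(r' at ([A-Z_]+(?::[^\s.]+)?)\. \[')  # matched variable


def parse_denial(line):
    """Return the metadata of one ModSecurity denial, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not fields.get("id", "").isdigit():
        return None
    target = TARGET_RE.search(line)
    fields["target"] = target.group(1) if target else ""
    return fields


def scoped_exclusion(denial, directory):
    """Build a removal of only the rule that fired, limited to one directory."""
    if not directory.startswith("/") or re.search(r'[<>"\s]', directory):
        raise ValueError("directory must be a plain absolute path")
    return "\n".join([
        "# rule %s matched %s" % (denial["id"], denial["target"] or "unknown"),
        "# Must be loaded after the file that defines the rule.",
        "<IfModule mod_security2.c>",
        "  <Directory %s>" % directory,
        "    SecRuleRemoveById %s" % denial["id"],
        "  </Directory>",
        "</IfModule>",
    ])


if __name__ == "__main__":
    hit = parse_denial(SAMPLE)
    print(scoped_exclusion(hit, "/home/user/public_html/subdomain"))
```

Taking the id from the log entry keeps every other rule active for the directory, unlike `SecRuleEngine Off`.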
