  1. #1
    Member
    Join Date
    Sep 2003
    Posts
    217

    mod_security - advice

    All major php software seems to be hindered by the mod security rule Generic Path Recursion. How do some of you deal with this? Do you remove this rule? Or simply whitelist the domain?

  2. #2
    Member
    Join Date
    May 2007
    Posts
    19


    I'd suggest you just whitelist the domain rather than removing it completely. That helps to prevent attacks from malicious activity on your domain. You can whitelist it by using the following directives in the .htaccess file.

    SecFilterEngine Off
    SecFilterScanPOST Off

  3. #3
    Member
    Join Date
    Mar 2002
    Posts
    248


    How do we whitelist a domain for mod_security?

  4. #4
    Member
    Join Date
    Sep 2003
    Posts
    217


    Quote Originally Posted by Billa
    I'd suggest you just whitelist the domain rather than removing it completely. That helps to prevent attacks from malicious activity on your domain. You can whitelist it by using the following directives in the .htaccess file.

    SecFilterEngine Off
    SecFilterScanPOST Off
    So if I whitelist every domain that uses WordPress, Joomla, phpBB, etc., what exactly am I protecting? These are the sites that will most likely be hacked.

  5. #5
    Member
    Join Date
    Jan 2006
    Posts
    9

    Work around for the -specific- mod_sec rules

    This is the recent advisory I sent to my co-admins due to our tightened mod_sec2 rules: (edited)


    First, determine which rule it is catching...

    Step 1: Go to the WHM ( https://xxxxxx.xxx:2087/ )

    Step 2: Bottom left menu, choose "ConfigServer Security & Firewall"

    Step 3: Mid bottom of page, choose "Mod Security Log" (Pick 20-50 entries if you cannot see it)

    (Note: You will need to tail /etc/httpd/logs/modsec_audit.log or try the built-in cPanel mod_sec addon if you don't have csf/lfd installed)

    Step 4: Find the page and error you need, copy the [id xxxxxx] code.

    Step 5: Left WHM menu again, "Apache Setup" (you can type apache in top search box to go faster)

    Step 6: Select "Include Editor"

    Step 7: Select "Pre Virtual Host Include" and "All Versions"

    Step 8: Copy/Paste the similar configs and replace the mod sec rule ID number

    (Note: Config samples at bottom of this post. BE SPECIFIC for the file locations you are exempting!)


    Step 9: Update, then Restart Apache.

    Step 10: Recheck problem... it might hit more rules after that one, they can be slightly similar.

    If this doesn't work, just ask.

    Please also create 400/401 etc. pages from your cPanel (http://xxxxxxx.xxx/cpanel/ ) interface; near the bottom there is a simple editor to add all the pages. At least have something in there to reduce the error-log clutter.


    Below is reference info from the incident we diagnosed:


    http://blogsecurity.net/wordpress/mo...ense-in-depth/

    http://weblogtoolscollection.com/arc...t-implemented/



    root@xxxxxx [~]# tail -f /etc/httpd/logs/modsec_audit.log

    --37d2f309-H--
    Message: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at ARGS:newcontent. [id "950xxxx"] [msg "System Command Injection. Matched signature <; ?>\" id>"] [severity "CRITICAL"]
    Action: Intercepted (phase 2)
    Stopwatch: 1205643356130899 28484 (22443* 28143 -)
    Producer: ModSecurity v2.1.x (Apache 2.x)
    Server: Apache/2.2.xx (Unix) mod_ssl/2.xxxx OpenSSL/0.xxxx DAV/2 mod_mono/1.2.xxx mod_auth_passthrough/2.xxx mod_bwlimited/1.xxx FrontPage/5.0.x.xxxx mod_perl/2.xxxx Perl/v5.8.xxxx



    Directives added to httpd.conf:

    <LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById xxxxxx
    </LocationMatch>

    <LocationMatch "/wp-admin/theme-editor.php">
    SecRuleRemoveById xxxxxxx
    </LocationMatch>
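The procedure in the post above (find the [id ...] in modsec_audit.log, then exempt only that rule on only that path) and the whole-scope switch-off suggested in post #2, as an added example that is not code from this thread or from the ModSecurity project: a Python script that reads the native ModSecurity 2.x audit log, lists which rule ID fired on which path and request argument, separates rules that actually returned "Access denied" from rules that only logged a warning, and prints LocationMatch/SecRuleRemoveById stanzas scoped to exactly those paths. The embedded log excerpt is constructed for the example; the rule IDs 990001 and 990002, the host blog.example and the IP addresses are made up and are not real Core Rule Set IDs.

```python
"""Triage a ModSecurity 2.x audit log and emit narrowly scoped rule exemptions."""
import re
from collections import defaultdict

# Constructed sample in the native (serial) audit-log format: each transaction
# is a run of '--<txid>-<letter>--' sections; B carries the request line and
# headers, H the 'Message:' lines naming the rules that fired. Rule IDs
# (990001, 990002), host name and addresses are made up for this example.
SAMPLE_AUDIT_LOG = r"""--37d2f309-A--
[18/Mar/2008:05:35:56 +0000] R9p2_AoBAAEAAAwqAAAAAA 203.0.113.10 51234 198.51.100.5 80
--37d2f309-B--
POST /wp-admin/theme-editor.php?file=index.php HTTP/1.1
Host: blog.example
Content-Type: application/x-www-form-urlencoded
--37d2f309-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:n(?:et..." at ARGS:newcontent. [id "990001"] [msg "System Command Injection"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Producer: ModSecurity v2.1.x (Apache 2.x)
--37d2f309-Z--
--4a1c77e0-A--
[18/Mar/2008:05:36:10 +0000] R9p3CgoBAAEAAAwrAAAAAA 203.0.113.10 51240 198.51.100.5 80
--4a1c77e0-B--
POST /wp-admin/post.php HTTP/1.1
Host: blog.example
--4a1c77e0-H--
Message: Warning. Pattern match "(?:\.\./)" at ARGS:content. [id "990002"] [msg "Generic Path Recursion"] [severity "CRITICAL"]
Message: Access denied with code 501 (phase 2). Pattern match "..." at ARGS:content. [id "990001"] [msg "System Command Injection"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--4a1c77e0-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
MESSAGE_RE = re.compile(
    r'^Message: (?P<text>.*?)(?: at (?P<target>\S+)\.)? \[id "(?P<id>\d+)"\]'
    r'(?:.*?\[msg "(?P<msg>[^"]*)"\])?'
)


def parse_audit_log(text):
    """Yield one dict per transaction: txid, method, host, path and the rule hits."""
    sections, order, current = {}, [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            txid, letter = m.groups()
            if txid not in sections:
                order.append(txid)
            current = sections.setdefault(txid, {}).setdefault(letter, [])
        elif current is not None and line.strip():
            current.append(line)
    for txid in order:
        yield _transaction(txid, sections[txid])


def _transaction(txid, parts):
    request = parts.get("B", [])
    fields = request[0].split() if request else []
    method = fields[0] if fields else "?"
    uri = fields[1] if len(fields) > 1 else "?"
    host = None
    for header in request[1:]:
        if header.lower().startswith("host:"):
            host = header.split(":", 1)[1].strip()
    hits = []
    for line in parts.get("H", []):
        m = MESSAGE_RE.match(line)
        if m:
            hits.append({
                "rule_id": m.group("id"),
                "target": m.group("target"),  # e.g. ARGS:newcontent
                "msg": m.group("msg") or "",
                # Only "Access denied" messages stopped the request; a
                # "Warning" is a rule that matched but did not block.
                "blocked": m.group("text").startswith("Access denied"),
            })
    return {"txid": txid, "method": method, "host": host,
            "path": uri.split("?", 1)[0], "hits": hits}


def summarize(transactions):
    """Group hits by (host, path, rule_id): count, matched args, whether any blocked."""
    summary = {}
    for tx in transactions:
        for hit in tx["hits"]:
            key = (tx["host"], tx["path"], hit["rule_id"])
            entry = summary.setdefault(key, {"msg": hit["msg"], "count": 0,
                                             "targets": set(), "blocked": False})
            entry["count"] += 1
            entry["blocked"] = entry["blocked"] or hit["blocked"]
            if hit["target"]:
                entry["targets"].add(hit["target"])
    return summary


def _quote_path(path):
    # LocationMatch takes an unanchored regex, so "/wp-admin/post.php" would also
    # match /evil/wp-admin/postXphp; escape metacharacters and anchor both ends.
    return "^" + re.sub(r"([.+?*()\[\]{}|^$\\])", r"\\\1", path) + "$"


def exemption_config(summary, only_blocked=True):
    """Render one <LocationMatch> per path listing the rule IDs to remove there."""
    by_path = defaultdict(lambda: defaultdict(list))
    for (host, path, rule_id), entry in summary.items():
        if only_blocked and not entry["blocked"]:
            continue
        by_path[path][rule_id].append("%s (host %s, %d hit(s), args %s)" % (
            entry["msg"], host, entry["count"], ",".join(sorted(entry["targets"])) or "-"))
    lines = []
    for path in sorted(by_path):
        lines.append('<LocationMatch "%s">' % _quote_path(path))
        for rule_id in sorted(by_path[path]):
            lines.append("    # %s" % "; ".join(by_path[path][rule_id]))
            lines.append("    SecRuleRemoveById %s" % rule_id)
        lines.append("</LocationMatch>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(exemption_config(summarize(parse_audit_log(SAMPLE_AUDIT_LOG))))
```

Run it as-is to see the stanzas for the sample; on a real box replace SAMPLE_AUDIT_LOG with the contents of /etc/httpd/logs/modsec_audit.log. Three caveats the thread touches on: the generated regex is anchored and escaped because LocationMatch is a regular expression, not a literal path, so an unanchored "/wp-admin/post.php" also matches "/anything/wp-admin/post.php"; SecRuleRemoveById only works if it is processed after the rule set that defines the ID, so the stanza has to come after the rules are included; and on ModSecurity 2.6 and later SecRuleUpdateTargetById (for example, 990001 with !ARGS:newcontent) is narrower still, leaving the rule active on the path for every argument except the one that trips it. The SecFilterEngine Off and SecFilterScanPOST Off lines from post #2 are ModSecurity 1.x directives (the 2.x equivalents are SecRuleEngine Off and SecRequestBodyAccess Off); whichever version, they stop inspection of every request in that scope, which is the concern raised in post #4.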
