Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

AllowOverride: how and where?

Discussion in 'Database Discussion' started by edenent, Jul 2, 2009.

  1. edenent

    edenent Member

    Jul 2, 2009
    Likes Received:
    Trophy Points:
    Hello I had been using shared hosting for along time to run my sites. Well the other day I got a vps running centos5 and using cpanel/whm. I have used easy appache and enabled mod_security, and im using the gotroot rules. What im looking to do sence only one of the 3 sites I have on the vps is broken because of the rules is how do I set AllowOverride for just that one virtualhost so I can use htacces to SecFilterEngine Off. Im somewhat of a linux noob, so please use easy terms :) .
  2. Spiral

    Spiral BANNED

    Jun 24, 2005
    Likes Received:
    Trophy Points:
    Depending on how Mod_Security has been compiled on your server,
    you may or may not have the option of turning off Mod_Security using
    the "SecFilterEngine Off" in your web hosting account .HTACCESS file.

    You keep asking about "AllowOverride" in your post above, but that is really
    not the issue here at all. Some people don't realize that Mod_Security
    can be optionally compiled at install time so as to to not allow any website
    to override the security settings via .HTACCESS and this option was created
    for a good reason as Mod_Security would be pretty if every website could
    just simply "Turn it Off" and you will find that more and more servers have
    this option setup as the default with no "SecFilterEngine Off" commands!

    Instead of turning off Mod_Security, which defeats the entire purpose
    of you having security setup in the first place, I would recommend that
    you instead find out which rules are being triggered for the site having
    problems and write in exceptions to those rules so that they are no
    longer being triggered anymore. A simple review of your log file at
    /usr/local/apache/logs/modsec_audit.log will tell you very quickly
    what rule is getting triggered and why it is getting triggered and
    from that, you should be able to add a custom exemption rule for
    the site if you find the rule should not be triggered. In some cases,
    you may find the web site is actually doing something it should not
    be doing and you might find you actually want to leave the rule in place
    and instead change out the offending program on the web site instead.

    On a different but related note ...

    Now one thing that does concern me is you mentioning that you
    are running a VPS server and that you are using the ruleset from
    "Got Root" for Mod_Security. Those two items almost seem like
    an oxymoron in the same sentence together as VPS servers are
    far too often very limited in resources compared to real actual
    dedicated servers and running extra processes like Mod_Security
    or a large ruleset as you find with the "Got Root" rules could
    be very taxing resource wise on a server with such limited
    resources as you commonly find with most VPS servers.
    #2 Spiral, Jul 2, 2009
    Last edited: Jul 2, 2009
  3. edenent

    edenent Member

    Jul 2, 2009
    Likes Received:
    Trophy Points:
    I compiled it using easy apache, so I dont know how to install it with the optional setting thing. With the gotroot rules my vps has 1gn of ram should I be fine im mean atm my memory is like 67% free. Would I be better off with the default WHM rules?? On another note the one rules in question is only effecting the 1 of my 3 sites here what its saying in log.

    [Thu Jul 02 17:23:35 2009] [error] [client] ModSecurity: Access denied with code 406 (phase 2). RBL lookup of succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the Blacklist"] [severity "ALERT"] [hostname ""] [uri "/index.php"] [unique_id "Sk0lbkgsUOAAAA@V4lAAAAAG"]

    And this is what its saying on the cpanel/whm mod_sec interface log

    2009-07-02 17:23:38 / HTTP/1.1 Access denied with code 406 (phase 2). RBL lookup of succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the Blacklist"] [severity "ALERT"] 406

    2009-07-02 17:23:35 /index.php HTTP/1.1 Access denied with code 406 (phase 2). RBL lookup of succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the Blacklist"] [severity "ALERT"] 301

    on the logs when posting them here I took out the name of my real site and just put in mysite
  4. Spiral

    Spiral BANNED

    Jun 24, 2005
    Likes Received:
    Trophy Points:
    Regarding your server having 1 GB of memory, that would bare bones
    minimum to get away with running the full "Got Root" rules on a dedicated
    server but I seriously worry about running that set on a VPS that only
    has 1 GB of memory which is really pushing the threshold of things there.

    As for the other, I got some good news and bad news for you ...

    As for the error messages and rules you quoted, the visitors to your sites
    are being flagged as blacklisted by Spamhaus as bad IPs and the reason
    this is happening is because they recently combined their PBL data into
    the new renamed list replacing XBL.

    In plain English what happens is instead of just blacklisting visitors who are
    known spammers from reaching your web sites, almost all visitors are now silently
    getting blocked now if your visitors originate from most any known regular ISP
    account such as you get with most cable modem and DSL providers so basically
    just about everyone is getting blacklisted from your server. Because of this
    recent change, at our own company, we DO NOT use Spamhaus anymore
    and we recommend DO NOT recommend that anyone use Spamhaus
    RBL blacklist databases to filter out traffic or email! We still have confidence in
    SpamCop but our faith in Spamhaus is gone because of this change!

    Combining those separate databases was well intentioned and meant to limit spam
    traffic from non-server originating mail senders but instead had the unintentional
    side effect of blocking massive amounts of web traffic from reaching web servers
    for hosts that had previously relied on the earlier blacklist databases and did not
    expect to see any changes like this coming down the line.

    I would either delete all the Spamhaus rules from the "00_ASL_RBL.conf" file
    where you store your Mod_Security "Got Root" rules and just use the
    rules for SpamCop only (OR) just simply delete that file entirely and
    then Mod_Security won't perform any RBL Blacklisting checking. The only difference
    between the two is whether or not you keep SpamCop RBL checks or stop those.

    You should be advised that many of the spam protection systems for
    email and Exim's configuration itself may also perform Spamhaus checking
    as well as many forum community and CMS applications so you might also
    get legitimate visitors blocked elsewhere in your server as well and should
    see about removing those checks as well.

    Incidentally, we had the same thing happen to some of our servers a while
    back and we were also pretty pissed when we found out that RBL checks
    had been escalated from known spammers to all non-web server IPs
    suddenly blocking most of our visitors without our knowledge. However
    now that you are aware of this, you can take action to fix it. If you need
    any assistance whatsoever, feel free to ask and I would be more than
    willing to give you a hand with clearing that up.

    While on the subject of major RBL blacklist databases, everyone should probably
    know that one of the other major databases named SORBS is currently scheduled to
    go out of business effective July 20th and at that time if anyone is using SORBS
    for blacklist checks for your email or any program, you'll probably start getting a
    lot of connections flagged as blacklisted by mistake as often happens when these
    servers go out of business. That given if you are using SORBS for any RBL checks,
    you may want to go ahead and remove that from your servers right now.

    All of the above blacklist services (SORBS, Spamhaus, and SpamCop) will each tell you
    that they themselves don't "blacklist IPs" but all that really means is that they don't
    own the code on your server doing the actual IP blocking. They do however provide
    the database information that many software applications and modules on your server
    might use to in turn block user traffic --- and sometimes block legitimate users too!
    #4 Spiral, Jul 3, 2009
    Last edited: Jul 3, 2009
  5. edenent

    edenent Member

    Jul 2, 2009
    Likes Received:
    Trophy Points:
    Would this rule work with spamcop?

    SecRule REMOTE_ADDR "@rbl" "chain,deny, log, id:350000,msg:'RBL:',severity:'1'"
    SecRule REMOTE_ADDR "@rbl"
  6. Spiral

    Spiral BANNED

    Jun 24, 2005
    Likes Received:
    Trophy Points:
    I don't have the rules in front of me at the moment but what you wrote
    looks about right for calling SpamCop RBL inquiries.

    Reminder: SpamCop is not the service reporting regular non-spammer IPs
    so you shouldn't have any trouble continuing to use SpamCop. It is the
    other services, particularily Spamhaus, that are the source of trouble now
    with blacklisting IPs that should not be blocked and the rules for the
    Spamhaus service is what you mainly want to get rid of.

    As for me, I'm not much on today as yesterday I just got out of the
    hospital following them cleaning out a blocked stint installed a few years
    ago and I think they let me out too early as not doing so great today and
    they didn't do any follow up xrays or anything and I'm not online much today
    as feel generally "gruddy" as the word goes. I may be on and off later
    depending on how I'm doing and try to answer any questions I can but just
    letting you know that my replies may be a bit slow coming the next few days.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice