Apache Mod Security is not being disabled for certain path

Discussion in 'Security' started by postcd, Oct 9, 2017.

  1. postcd

    postcd Well-Known Member

    Hello,

    In cPanel I can disable Mod Security for a domain in cPanel / ModSecurity.

    I wanted to disable it for certain paths or files:
    newreply.php, newthread.php, editpost.php

    In WHM / Apache Configuration / Includes editor / Pre Virtual host include I tried:
    <IfModule security2_module>
    <IfModule mod_security.c>
    <IfModule mod_security2.c>

    Example codes tried:

    It did not work, because it did not disable mod security for the URL https://mydomain.com/editpost.php?p=123&do=editpost; I got a 403 from mod. sec. I did not forget to restart httpd.
    Please, how do I do this properly?

    Server version: Apache/2.2.34 (Unix)
    Server built: Oct 8 2017 12:30:19
    Cpanel::Easy::Apache v3.34.17 rev9999
    security2_module (shared)
     
  2. rpvw

    rpvw Well-Known Member

    You can disable modsec for paths (I'm not sure it can go down to individual files!)

    Probably the easiest way of managing your requirements is to install the free ConfigServer ModSecurity Control (cmc) module that will let you disable by rule, user, domain or DirectoryMatch (e.g. ^/home/someuser/public_html/ignore/some/path/), and has lots more convenient features.
     
  3. postcd

    postcd Well-Known Member

    Hello,

    I have enabled Comodo ModSecurity vendor rules in WHM and one rule is blocking me.
    So I added a new rule that should disable the mod security engine on certain URIs:

    SecRule REQUEST_URI "@pm editpost newreply newthread" "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"

    I added it at the top of WHM / Security / ModSecurity Tools / "Edit Rules".

    But the Comodo vendor rule is still triggered and I get a 403 as a result.

    When I use:
    SecRule REMOTE_ADDR "^myiphere$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:9999"
    I am not blocked, so I assume my custom rules override vendor rules, but the SecRule REQUEST_URI is somehow wrong or not supported?
     
    #3 postcd, Oct 9, 2017
    Last edited: Oct 9, 2017
  4. quizknows

    quizknows Well-Known Member

    You may be getting into rule parsing order, as rules are processed based on 2 things: first is the order of includes, but second is phase.

    Anyway I think your options below are probably deprecated:
    SecFilterEngine Off
    SecFilterScanPOST Off

    Try "SecRequestBodyAccess Off" (this will skip processing of the request bodies).

    I don't see anything wrong with your @pm rule off hand for the record. But you could try this if you want:

    SecRule REQUEST_URI "editpost|newreply|newthread" "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"

    I would however recommend this ctl instead of removing the whole rule engine, 'ctl:ruleRemoveById=#COMODORULE'

    It does seem modsec2.user.conf is included before vendor configs by cPanel's modsec2.conf, for users to be able to whitelist rules like this. Worst case, remove your nolog / noauditlog stuff from your rules for a bit to troubleshoot. The modsec audit log, coupled with the manual, can help you decipher just about anything.
     
    #4 quizknows, Oct 9, 2017
    Last edited: Oct 9, 2017
  5. postcd

    postcd Well-Known Member

    Thanks for the help, yet I am NOT successful.

    I added your rule at the top (WHM / Mod sec / Edit Rules section), but it does not prevent other rules (Comodo vendor rules) from causing a 403 error. At the bottom of "Edit Rules" is the included file /usr/local/apache/conf/modsec2.whitelist.conf

    Code:
    # ConfigServer ModSecurity whitelist file
    <LocationMatch "/(editpost\.php|newthread\.php|newreply\.php)">
    SecRuleRemoveById 300012
    </LocationMatch>
    That also did not work, as with your rule.

    On the other hand, the following rule worked and the request went through without a 403. But I think this rule is wrong and allows all traffic on the server:

    The following rule also works, as mentioned earlier, but it is for an IP match, not for a file or path match:
    I want to whitelist domain.tld/file.php or at least file.php, which does not work as mentioned.

    I tried to use the "SecRequestBodyAccess Off" you mentioned inside the pre Virtualhost include all file, but that does not work either:

    I can't believe there is no simple way to whitelist some path or file names, at least, from all mod. sec. rules including vendor rules? Please kindly advise, thank you a lot in advance.
     
    #5 postcd, Oct 10, 2017
    Last edited: Oct 10, 2017
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This was possible in older versions of Mod Security through rules in the .htaccess file, however ModSecurity discontinued this functionality in version 2.x. You can read more about this at:

    How to disable mod_security and mod_security2 in .htaccess

    Additionally, you may find the following threads helpful for overall ModSecurity troubleshooting:

    ModSec shows security scanner scanning 127.0.0.1
    Editing ModSecurity vendor rules

    Thank you.
     
  7. quizknows

    quizknows Well-Known Member

    Your ifmodule is wrong, so those will do nothing. You need to use <IfModule security2_module>

    That said, something odd is going on. The line "SecRuleRemoveById 300012" by itself in a user config like modsec2.user.conf should properly disable the rule if that is the rule causing you trouble. Keep in mind you may have to whitelist several similar rule IDs in some cases. Make sure you get rid of all your incorrect ifmodules first. A good way to make sure Apache will include your config is to make an invalid line, i.e.
    <IfModule security2_module>
    SecRule Invalid
    </IfModule>

    Run an httpd configtest (NOT RESTART). It should throw an error for the invalid line. If it doesn't, then your include is not being called by Apache, or your ifmodule is not allowing that directive to be processed. If it does throw the error, then you can immediately remove the invalid line so that it doesn't break Apache, and add your settings knowing they're being parsed.
     
  8. postcd

    postcd Well-Known Member

    quizknows: I tried to add the invalid rule you mentioned:
    into WHM/Apache configuration/Include Editor/pre virtualhost all include
    and it returned:
    SecRule takes two or three arguments, rule target, operator and optional action list
    So I assume "<IfModule security2_module>" is working.
    So I removed the invalid rule and tried to apply my custom rule, which included:
    SecFilterEngine Off
    SecFilterScanPOST Off
    but these did not work; the Include Editor said they are invalid directives.
    And it found SecRequestBodyAccess invalid too:
    Code:
    The “/usr/local/apache/bin/httpd” command (process 4764) reported error number 1 when it ended. Configuration problem detected on line 150 of file /usr/local/apache/conf/includes/pre_virtualhost_global.conf: Invalid command '
    145
    146
    147 SecRequestBodyAccess Off
    148
    149
    150 ===> <===
    151 SecRequestBodyAccess Off
    152
    153
    154
    155 SecRequestBodyAccess Off
    156
    --- /usr/local/apache/conf/includes/pre_virtualhost_global.conf ---
    So I am now unsure which rule to use to disable Mod.Sec. Inside the Mod. Sec. rules (configured and accepted through the WHM/Mod.Sec section) I have:
    SecRequestBodyAccess Off
    without problem. So it seems the Include Editor somehow does not support it. Isn't that because it is invalid for module security2_module?
    Into which file do I need to add my rules:
    Code:
    <IfModule security2_module>
    
    <FilesMatch "^(editpost|newreply|newthread)\.php$">
    SecRequestBodyAccess Off
    </FilesMatch>
    
    <File editpost.php>
    SecRequestBodyAccess Off
    </File>
    
    <If "%{REQUEST_URI} =~ m#/editpost.php#">
    SecRequestBodyAccess Off
    </If>
    
    </IfModule>
    
    Please?
    And after that do I execute /scripts/update_apachectl and then "service httpd configtest"? I am unsure why I cannot add it through WHM. (I receive the error above in this post.)
     
    #8 postcd, Oct 15, 2017 at 4:34 AM
    Last edited by a moderator: Oct 15, 2017 at 5:41 AM
  9. postcd

    postcd Well-Known Member

    Thank you all who contributed to this topic.
    Here are 2 things that worked (to disable modsecurity for certain file names):

    OPTION A)
    Add the following rule to WHM / ModSecurity Tools / Edit Custom Rules:
    The file name has to match not the URL you see in the browser address bar, but the file name that is reported by ModSecurity Tools / Hits List.

    It did not work for me to define a full path like domain.com/filename.php, only filename.php :-(

    OPTION B)
    At the bottom of WHM / ModSecurity Tools / Edit Custom Rules, I have the line:
    Include /usr/local/apache/conf/modsec2.whitelist.conf and when I add the following to that *.whitelist.conf file:
    Code:
    <LocationMatch "/(ajax\.php|otherfilenameaccordingtoModSecHitlist\.php)">
    SecRuleRemoveById 212000 212620 212770 212870 2172809999999 300012 5000130
    SecRequestBodyAccess Off
    </LocationMatch>
    
    and restart httpd (service httpd restart), then it also works. Both work: SecRuleRemoveById (which disables mod. sec. just for one or more rules), and SecRequestBodyAccess, which disables mod. sec. completely for the defined file name.
     
    #9 postcd, Oct 15, 2017 at 7:26 AM
    Last edited by a moderator: Oct 15, 2017 at 8:22 AM
  10. quizknows

    quizknows Well-Known Member

    Glad you got going. For option A you could also chain a 2nd condition to limit to domain(s), i.e.

    Code:
    # Disable ModSecurity for certain file names
    SecRule REQUEST_URI "(ajax.php|editpost.php|newthread.php|newpost.php|otherfilename.php)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,chain"
    SecRule SERVER_NAME "domain.com"
    
    That way the rule only invokes if both domain.com matches and your first regex matches. It seems option B is probably better and I'm guessing you maybe went that way.

    Editing modsec2.user.conf through the GUI may run into limitations if that's how you were trying to edit rules. If you're doing anything advanced just use the command line.
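
An added configuration example, not posted by anyone in this thread, that puts the engine-wide switch from the earlier posts next to an exclusion scoped to the three scripts, one host and one vendor rule. Rule ID 1076490 and the host name forum.example.com are placeholders; 300012 is the vendor rule ID quoted in the thread, and the file is assumed to be the custom rules file that is loaded before the vendor rules, as described above.

```apache
# Added example. 1076490 and forum.example.com are placeholders;
# replace 300012 with the rule IDs shown in your own Hits List / audit log.

# Broad form from the thread, kept here only for comparison: it turns the
# whole rule engine off for any URI containing one of these words, on every
# virtual host served by this Apache instance.
# SecRule REQUEST_URI "@pm editpost newreply newthread" \
#     "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"

# Narrow form: match only the three script names at the end of the path,
# only on one host, and remove only the rule that produced the false positive.
# The ctl action is placed on the last rule of the chain so that it runs
# only after both conditions have matched.
SecRule REQUEST_FILENAME "@rx /(?:editpost|newreply|newthread)\.php$" \
    "id:1076490,phase:1,t:none,pass,nolog,chain"
    SecRule SERVER_NAME "@streq forum.example.com" \
        "t:none,t:lowercase,ctl:ruleRemoveById=300012"

# Equivalent scoping with a container, as in OPTION B, but without
# SecRequestBodyAccess Off so that every other rule still inspects the body.
<LocationMatch "/(?:editpost|newreply|newthread)\.php$">
    SecRuleRemoveById 300012
</LocationMatch>
```

Use one of the two narrow forms, not both, and run an httpd configtest before restarting, as suggested earlier in the thread.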
     