Can someone help with mod_sec rules and an application I am trying to run?

Discussion in 'General Discussion' started by betoranaldi, Apr 22, 2009.

  1. betoranaldi

    I am running the default mod security rules. I installed an application that isn't playing nice. I get the following:

    Code:
    [Tue Apr 21 15:34:56 2009] [error] [client xxx.xxx.xxx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] [id "950006"] [msg "System Command Injection. Matched signature <; id>"] [severity "CRITICAL"] [hostname "sub.domain.com"] [uri "/index.php"] [unique_id "Se4f4ErIWbsAAB0oMSIAAAAC"]
    I would prefer not to disable mod_sec for the domain. Does anyone know how I would be able to modify the rules to allow the application yet not add any vulnerabilities to the domain?

    If I had to, how would one disable mod security for just a sub domain?
     
  2. thewebhosting

    Create a new file named .htaccess inside your sub domain, and add in the following code:

    SecFilterEngine Off
    SecFilterScanPOST Off

    The above entries in the .htaccess should disable the ModSecurity (mod_security) module for the sub domain.
     
  3. betoranaldi

    I tried that but it doesn't work. I get a 500 error. It appears I am running mod sec 2.5 (whatever the default install is with WHM) which doesn't allow the override.
     
  4. sawbuck

  5. betoranaldi

  6. betoranaldi

    After doing some research, I found out that I can disable the rule for a particular folder.

    Code:
    <Directory /home/user/public_html/subdomain>
      SecRuleRemoveById 990011
    </Directory>
    I manually added this to my http.conf and restarted Apache. The rule is still in effect, so I guess I put that code in the wrong place. Where in the http.conf file should that be added, and how can I make it so cPanel doesn't overwrite it on update?

    Thanks
    Brian
     
  7. simpleupdates

    We got it to work...

    We wanted to do this same thing: disable modsec2 for one domain on a cpanel server.

    We found we could get it to work by creating a conf file, and referencing it in the httpd.conf for the custom include.

    In this referenced file, we put:

    <IfModule mod_security2.c>
    SecRuleEngine Off
    </IfModule>

    Or you can put a specific rule:

    <IfModule mod_security2.c>
    SecRuleRemoveById 950001
    </IfModule>

    The difference we found critical is that we are using Apache 2.2, and the modsec is modsec2, and the IfModule has to reference the "2" as well for it to work.

    Hope this helps someone else.
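
An added example, not part of any post in this thread and not cPanel's or ModSecurity's own code: it reads the rule id, phase and matched variable from an "Access denied" log entry like the one in the first post and emits a `SecRuleRemoveById` exclusion scoped to one directory, wrapped in the `mod_security2.c` `IfModule` described above. The function names and the docroot path are assumptions; the sample log line is abridged from the first post.

```python
import re

# Abridged from the log entry in the first post; the long regex is elided as "...".
SAMPLE = (
    r'[Tue Apr 21 15:34:56 2009] [error] [client xxx.xxx.xxx.xx] '
    r'ModSecurity: Access denied with code 406 (phase 2). '
    r'Pattern match "..." at REQUEST_HEADERS:Cookie. '
    r'[file "/usr/local/apache/conf/modsec2.user.conf"] [line "91"] '
    r'[id "950006"] [msg "System Command Injection. Matched signature <; id>"] '
    r'[severity "CRITICAL"] [hostname "sub.domain.com"] [uri "/index.php"]'
)

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] metadata
TARGET = re.compile(r'\bat ([A-Z_]+(?::[\w-]+)?)\.')    # variable that matched
PHASE = re.compile(r'\(phase (\d)\)')


def parse_denial(line):
    """Return the fields of one ModSecurity 2.x 'Access denied' log line."""
    if "ModSecurity:" not in line:
        raise ValueError("not a ModSecurity log line")
    info = dict(FIELD.findall(line))
    if not info.get("id", "").isdigit():
        raise ValueError("no numeric rule id in log line")
    target = TARGET.search(line)
    phase = PHASE.search(line)
    info["target"] = target.group(1) if target else None
    info["phase"] = int(phase.group(1)) if phase else None
    return info


def scoped_exclusion(info, docroot):
    """Build a per-directory exclusion for the one rule that fired."""
    # Only the numeric id and the variable name reach the config; free-text
    # log fields such as msg are never copied into it.
    if not docroot.startswith("/") or any(c in docroot for c in '"<>\n'):
        raise ValueError("docroot must be a plain absolute path")
    return "\n".join([
        f'# Rule {info["id"]} fired on {info["target"]} (phase {info["phase"]})',
        "<IfModule mod_security2.c>",
        f'  <Directory "{docroot}">',
        f'    SecRuleRemoveById {info["id"]}',
        "  </Directory>",
        "</IfModule>",
    ])


if __name__ == "__main__":
    print(scoped_exclusion(parse_denial(SAMPLE), "/home/user/public_html/subdomain"))
```

Removing only the logged rule id for one directory leaves every other rule active there, unlike `SecRuleEngine Off`.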
     
  8. innsites

    Please elaborate

    Could you write it specifically? I have one domain I wish to exclude. I am apache2 and modsec2.

    I understand to make a conf file but do not understand where/how to reference it in the httpd.conf for the custom include.
     