disabling mod_sec ONLY for one domain

Discussion in 'General Discussion' started by erick_paper, Jul 2, 2007.

  1. erick_paper

    erick_paper Well-Known Member

    Hi, I have mod_security enabled for my WHM, for all domains. But one client is asking me to disable it on his domain because his site requires some functionality that gets blocked by mod_sec filters. So my question:

    1. Where can I begin looking at the mod_sec filters in place that may be preventing his site functionality? Apparently he wants to allow URLs where a lot of hexadecimal characters are used.

    2. Or, how can I disallow mod_sec on a specific domain while keeping the security for the rest of my domains intact?

    I am on a typical WHM setup with the Config Server firewall and LFD. Many thanks in advance!
     
  2. Spiral

    Spiral BANNED

    If you didn't put in .htaccess restrictions when setting up mod_security,
    it can be disabled from the user's .htaccess file.

    HOWEVER ...

    I absolutely do not recommend that you disable mod_security on a "per site"
    basis and it is not wise to listen to your client's requests on this.

    I work for several very large hosting firms and as a policy from experience,
    we absolutely do not allow any client sites to have mod_security disabled
    no matter how much they whine and permanently disabled the commands
    to disable .htaccess. This is because disabling mod_security as a whole
    for any single site would leave a security hole and defeat the entire point
    of having mod_security in the first place!

    What I would recommend is that you instead leave mod_security fully active
    for all your clients (including the one requesting it be disabled) and instead
    find out what specific security rules you have installed that are conflicting
    with that particular client's program and simply modify those specific rules
    so that they don't trigger with the client's program.
     
  3. ManojB

    ManojB Well-Known Member

    If you want to disable mod_sec for one domain then add the following line in .htaccess:

    SecFilterEngine Off

    Regards,
    Manoj Bahiram
     
  4. sparek-3

    sparek-3 Well-Known Member

    This is why it is a good idea to use IDs for all of your mod_security rules. Then if a client's website is being hit by a particular mod_security rule, you just have to add:

    <IfModule mod_security.c>
    <Location /path/to/script>
    SecFilterRemove id1 id2 id3...
    </Location>
    </IfModule>


    To the VirtualHost entry of that account in the httpd.conf file.

    The Location container is not necessary, but makes it more specific.

    This basically excludes certain rules from being applied on that VirtualHost or to a certain path within that VirtualHost.

    I agree with Spiral, all of my servers have .htaccess controls for mod_security disabled. There are just too many ill-advised howto guides out there on the Internet that tell users "If you are having trouble with mod_security, just disable it with this little command in your .htaccess file". Well if that's going on, then really what is the point of having mod_security installed at all?

    I don't have that much of a problem with disabling mod_security on a VirtualHost if a lot of rules are being hit. However if I do this for a client's website I add a disclaimer that they have to keep all of the scripts on their accounts up-to-date and if an exploit is discovered on the server and traced back to the account, then it can be grounds for suspension or termination. If I am going to waive a server-wide security protocol, then I expect the client to offer me a reason to do so. If their script is exploited because it is outdated, then they have effectively lost my trust.

    Mod_security's main function is to offer a very broad protection against a slew of script exploits. It has been my experience that clients and end-users are unwilling to keep their scripts up-to-date. This is a sore point within the webhosting industry. However, if all of your clients would stay up-to-date with script updates, and apply script updates as soon as they become available, then the need for mod_security becomes real low (maybe unnecessary). But in my experience this is not something that normally goes on. End users do not want to update their scripts for fear of breaking something and using the philosophy of, "it's not broke so why upgrade it?" but they don't seem to understand that just because what they are using is not broke, does not mean that there is not a rogue file associated with that script somewhere that needs a security patch applied.
     
  5. jameshsi

    jameshsi Well-Known Member

    My problem is: how do I know why one of my scripts has been blocked? When mod_security blocks you, it doesn't say "blocked by rule #10" or which part of your URL is not OK.

    And how can I add a pass rule so mod_security knows this is my hand-written script and I don't want it blocked? Can someone show me an example?

    I have a form that lets my staff submit product information, and on submit, the URL is like:
    http://www.myname.com/sss/product-update.php

    I tried adding a line:
    SecFilterSelective THE_REQUEST "/sss/product-update.php" pass
    and this won't work.
     
  6. jameshsi

    jameshsi Well-Known Member

    Sorry, I just figured out what I should do: I should use "allow" instead of pass.
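
An added example, not part of any post in this thread: a Python script that answers "which rule blocked my script?" by reading denials from the Apache error_log, counting rule IDs per VirtualHost path, and printing the SecFilterRemove block sparek-3 describes. The log lines are constructed, and the `[id "..."] [hostname "..."] [uri "..."]` field layout is an assumption about what mod_security 1.x writes; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines. The field layout after the message is an assumption
# about the mod_security 1.x error_log format; adjust FIELD if your log differs.
SAMPLE_LOG = r'''
[Mon Jul 02 10:15:01 2007] [error] [client 203.0.113.7] mod_security: Access denied with code 403. Pattern match "(%[0-9a-f]{2}){6,}" at THE_REQUEST [id "1001"] [hostname "www.example.com"] [uri "/sss/product-update.php"]
[Mon Jul 02 10:15:09 2007] [error] [client 203.0.113.7] mod_security: Access denied with code 403. Pattern match "(%[0-9a-f]{2}){6,}" at THE_REQUEST [id "1001"] [hostname "www.example.com"] [uri "/sss/product-update.php"]
[Mon Jul 02 10:16:30 2007] [error] [client 203.0.113.7] mod_security: Access denied with code 403. Pattern match "<script" at POST_PAYLOAD [id "1007"] [hostname "www.example.com"] [uri "/sss/product-update.php"]
[Mon Jul 02 10:17:02 2007] [error] [client 203.0.113.7] mod_security: Access denied with code 403. Pattern match "wget " at POST_PAYLOAD [hostname "www.example.com"] [uri "/sss/product-update.php"]
[Mon Jul 02 10:18:44 2007] [error] [client 198.51.100.9] mod_security: Access denied with code 403. Pattern match "(%[0-9a-f]{2}){6,}" at THE_REQUEST [id "1001"] [hostname "other.example.net"] [uri "/index.php"]
[Mon Jul 02 10:20:00 2007] [error] [client 203.0.113.7] File does not exist: /home/user/public_html/favicon.ico
'''

FIELD = re.compile(r'\[(id|hostname|uri) "([^"]*)"\]')

def parse_hits(log_text):
    """Return one dict per mod_security denial; 'id' is None for rules without an ID."""
    hits = []
    for line in log_text.splitlines():
        if "mod_security: Access denied" not in line:
            continue
        fields = {}
        for key, value in FIELD.findall(line):
            fields.setdefault(key, value)  # first occurrence wins
        hits.append({k: fields.get(k) for k in ("id", "hostname", "uri")})
    return hits

def rule_counts(hits, hostname, uri):
    """Count denials per rule ID for one VirtualHost and path."""
    return dict(Counter(h["id"] for h in hits
                        if h["hostname"] == hostname and h["uri"] == uri))

def exclusion_snippet(hits, hostname, uri):
    """Build the per-path SecFilterRemove block for that VirtualHost, or None."""
    ids = sorted(i for i in rule_counts(hits, hostname, uri) if i is not None)
    if not ids:
        return None  # rules without IDs cannot be removed selectively
    return "\n".join(["<IfModule mod_security.c>", "<Location %s>" % uri,
                      "SecFilterRemove " + " ".join(ids),
                      "</Location>", "</IfModule>"])

if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    print(rule_counts(hits, "www.example.com", "/sss/product-update.php"))
    print(exclusion_snippet(hits, "www.example.com", "/sss/product-update.php"))
```

The denial counted under `None` comes from a rule with no ID, which is why it cannot appear in the SecFilterRemove line and has to be given an ID first.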
     