How to have mod_security ignore a particular file

Discussion in 'Security' started by lbeachmike, Nov 30, 2011.

  1. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    Hi there -

    Is there a way that I can add a directive to mod_security's configuration that would tell it to disregard a particular php file?

    In this case, I have TrendyFlash running on my server, and their back-end script triggers false positives on the GotRoot rules like crazy. The path to the file, postsitedata.php, will be unique for each user.

    Is there a way to have it disregard this file entirely so that no rules can trigger with execution of this particular file?

    Thanks.

    Mike
     
  2. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    If you use configserver firewall you can tell it to ignore a file. You can also grab this free addon from configserver.com
     
    #2 kernow, Nov 30, 2011
    Last edited: Nov 30, 2011
  3. lbeachmike

    lbeachmike Well-Known Member

    I already run this add-on. I see no option for what I am asking about in the add-on.

    mrk
     
  4. texo

    texo Well-Known Member

    Joined:
    Mar 28, 2007
    Messages:
    143
    Likes Received:
    0
    Trophy Points:
    16
    You need to check the modsec log and whitelist the rule(s) that are being triggered. You can do all this with CMC.
     
  5. lbeachmike

    lbeachmike Well-Known Member

    I know how to do that and that is not at all what I am requesting or inquiring about here.
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Would you be willing to provide at least one example of the rule being triggered message in the logs for mod_security or Apache so we can see what it shows specifically?
     
  7. lbeachmike

    lbeachmike Well-Known Member

    Hi Tristan -

    Below is an example of the first three rules that were being triggered - these are all being triggered upon attempting to save your work and thus execute postsitedata.php, which I believe uploads the data from their server to mine (though I am not perfectly certain.) I did not continue to white-list rules beyond these three at the time and simply disabled mod_sec for my test account to get it up and running. So, there were additional rules to white-list as well, but I don't yet know how many.

    Note that my rules are currently the delayed rules, but I will soon switch to the realtime rules.

    Thanks for your interest in helping, and let me know if you'd like me to continue further and see what other rules get triggered.

    Thanks.

    Mike
     
    #7 lbeachmike, Nov 30, 2011
    Last edited by a moderator: Dec 1, 2011
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Could you try the following:

    Code:
    SecRule REQUEST_URI "/builder/postsitedata.php" nolog,allow
     
  9. lbeachmike

    lbeachmike Well-Known Member

    Thanks Tristan. I'm not a pro with configuring mod_security, so where would you suggest I add this? Do I just add it to one of the existing rules files, or do I just create a new file and drop it into that directory so the custom rule won't get overwritten? Or is there a way to add via WHM?

    Thanks.

    mrk
     
  10. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    There should be a modsec2.conf file or something along those lines in the /usr/local/apache/conf/ location. Where were the GotRoot rules placed? You could always try using whatever file they use for their rules. The line I provided is just a filter like the other mod_security filters.
     
  11. lbeachmike

    lbeachmike Well-Known Member

    The GotRoot rules are placed in /usr/local/apache/conf/modsec_rules/ - and the files in there are overwritten regularly with new rules files. Also, it looks like modsec2.conf gets overwritten when mod_security is updated. As such, I added your recommended rule to modsec2.user.conf, which appears to be preserved through updates.

    I just tested it and it works perfectly! So, thanks very much for the help :)

    mrk
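
A narrower form of the exclusion from post #8, as an added example that is not part of the thread or of cPanel's own configuration. The rule ids and RULE_ID_FROM_LOG are placeholders chosen here; the `/builder/postsitedata.php` path is taken from the posted rule.

```apache
# Added example for modsec2.user.conf (the file the thread found is preserved
# through updates). The id values are placeholders chosen for this example.

# Rule as posted in the thread, kept for comparison. REQUEST_URI includes the
# query string and the default operator is an unanchored regex, so the
# exclusion also applies to any request that merely carries this text in a
# parameter, and "." matches any character.
#SecRule REQUEST_URI "/builder/postsitedata.php" nolog,allow

# Narrower exclusion: REQUEST_FILENAME holds the path without the query
# string, @endsWith is a literal suffix match (the per-user prefix can vary),
# and phase:1 makes the decision before request-body rules run.
SecRule REQUEST_FILENAME "@endsWith /builder/postsitedata.php" \
    "id:1000001,phase:1,t:none,t:normalisePath,pass,nolog,ctl:ruleEngine=Off"

# Alternative that keeps the rest of the rule set active for this script:
# remove only the rules seen firing in the audit log. RULE_ID_FROM_LOG is a
# placeholder; the thread's log excerpt is not on the page.
#SecRule REQUEST_FILENAME "@endsWith /builder/postsitedata.php" \
#    "id:1000002,phase:1,t:none,t:normalisePath,pass,nolog,ctl:ruleRemoveById=RULE_ID_FROM_LOG"
```

The `id` action is mandatory from ModSecurity 2.7 onward and accepted by earlier 2.x releases. After reloading Apache, check the audit log to confirm that requests to other scripts still trigger rules as before.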
     