mod security blocking people mistakenly

Discussion in 'Security' started by czerdrill, Dec 2, 2011.

  1. czerdrill

    czerdrill Well-Known Member

    I'm getting a lot of notices about mod_security blocking people but they should not be getting blocked. Here's the message:

    [Wed Nov 30 17:50:16 2011] [error] [client <IP>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/" at ARGS:location. [file "/opt/mod_security/10_asl_rules.conf"] [line "827"] [id "340153"] [rev "22"] [msg "Generic PHP code injection protection via ARGS 3"] [severity "CRITICAL"] [hostname "domain.tld"] [uri "/xxx/file.php"] [unique_id "xxxxxx"]

    The file in question is actually a legit file and is not any PHP code injection attempt or something. How can I make mod_security ignore that file?
     
  2. k-planethost

    k-planethost Well-Known Member

  3. czerdrill

    czerdrill Well-Known Member

    But wouldn't that block the rule completely? I only want to block the rule from applying to that specific file.
     
  4. quietFinn

    quietFinn Well-Known Member

    I do it like this:
    I use ConfigServer ModSecurity Control to disable the rule for that domain.
    Then in SSH I go to:
    /usr/local/apache/conf/userdata/std/2/<PANELUSERNAME> and edit the file modsec.conf

    In that I edit the 1st line to be like:
    <LocationMatch "/path/to/the/file">

    and then I restart Apache
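
A per-file exclusion of the kind asked for in this thread, as an added example that is not from any poster or from cPanel: the script parses a ModSecurity denial like the one in the first post and prints a `LocationMatch` block that removes only that rule ID for only that path, to be reviewed before it goes into a config file. The sample log lines, the function names and the use of `SecRuleRemoveById` inside `LocationMatch` are assumptions of this example.

```python
import re
from collections import Counter

# Constructed log lines in the thread's format; IPs, host and URI are placeholders.
SAMPLE_LOG = [
    '[Wed Nov 30 17:50:16 2011] [error] [client 192.0.2.10] ModSecurity: Access '
    'denied with code 403 (phase 2). Pattern match '
    '"(?:ogg|gopher|zlib|(?:ht|f)tps?)\\\\:/" at ARGS:location. '
    '[file "/opt/mod_security/10_asl_rules.conf"] [line "827"] [id "340153"] '
    '[hostname "domain.tld"] [uri "/xxx/file.php"] [unique_id "xxxxxx"]',
    '[Wed Nov 30 17:52:01 2011] [error] [client 192.0.2.11] File does not exist: /x',
]

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [key "value"] pairs
TARGET = re.compile(r' at ([A-Z_]+(?::[^\s.\]]+)?)\.')   # e.g. ARGS:location
SAFE_URI = re.compile(r'/[\w./~-]*')                     # no quotes or spaces

def parse_denial(line):
    """Return the fields of a ModSecurity denial, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    # The URI is attacker-influenced: only accept what quotes safely in Apache.
    if not (fields.get("id", "").isdigit()
            and SAFE_URI.fullmatch(fields.get("uri", ""))):
        return None
    m = TARGET.search(line)
    fields["target"] = m.group(1) if m else None
    return fields

def uri_pattern(uri):
    """Anchored, escaped regex so only this exact path is matched."""
    return "^" + re.escape(uri) + "$"

def scoped_exclusion(fields):
    """Config text that removes one rule for one path, for manual review."""
    return (f'<LocationMatch "{uri_pattern(fields["uri"])}">\n'
            f'    SecRuleRemoveById {fields["id"]}\n'
            f'</LocationMatch>\n')

def summarize(lines):
    """Count denials per (rule id, uri, matched variable)."""
    hits = (parse_denial(line) for line in lines)
    return Counter((h["id"], h["uri"], h["target"]) for h in hits if h)

if __name__ == "__main__":
    for (rule_id, uri, target), n in summarize(SAMPLE_LOG).items():
        print(f"# {n} denial(s): rule {rule_id} via {target}")
        print(scoped_exclusion({"id": rule_id, "uri": uri}))
```

Because the pattern is anchored and escaped, the rule stays active for every other path on the domain, and log entries whose URI contains quotes or spaces are skipped rather than turned into config.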
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

  6. czerdrill

    czerdrill Well-Known Member

    Thanks everyone, got it sorted out!
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Could you please indicate which post you followed to correct it, so we know how it was resolved? Thanks!
     
  8. czerdrill

    czerdrill Well-Known Member

    I followed yours Tristan, did the SecRule in the modsec2.user.conf file
     
  9. mikegotroot

    mikegotroot Well-Known Member

    You should definitely upgrade your rules, 340153 hasn't been included in our rules for years. So if that rule is being triggered, your rules are extremely old and you're missing a ton of fixes, as well as years of security improvements.
     