mod security blocking people mistakenly

Discussion in 'Security' started by czerdrill, Dec 2, 2011.

  1. czerdrill

    czerdrill Well-Known Member

    I'm getting a lot of notices about mod_security blocking people but they should not be getting blocked. Here's the message:

    [Wed Nov 30 17:50:16 2011] [error] [client <IP>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/" at ARGS:location. [file "/opt/mod_security/10_asl_rules.conf"] [line "827"] [id "340153"] [rev "22"] [msg "Generic PHP code injection protection via ARGS 3"] [severity "CRITICAL"] [hostname "domain.tld"] [uri "/xxx/file.php"] [unique_id "xxxxxx"]

    The file in question is actually a legit file and is not any PHP code injection attempt or something. How can I make mod_security ignore that file?
     
  2. k-planethost

    k-planethost Well-Known Member

  3. czerdrill

    czerdrill Well-Known Member

    But wouldn't that block the rule completely? I only want to block the rule from applying to that specific file.
     
  4. quietFinn

    quietFinn Well-Known Member

    I do it like this:
    I use ConfigServer ModSecurity Control to disable the rule for that domain.
    Then in SSH I go to:
    /usr/local/apache/conf/userdata/std/2/<PANELUSERNAME> and edit the file modsec.conf

    In that I edit the 1st line to be like:
    <LocationMatch "/path/to/the/file">

    and then I restart Apache
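
A sketch of the per-file approach discussed in this thread, added here as an example and not code from any poster or from cPanel: it parses denial lines in the error-log format quoted in the first post and emits a `SecRuleRemoveById` stanza scoped to one URI, only for (URI, rule id) pairs an administrator has reviewed. The function names, the sample lines other than the quoted one, rule id 999001 and the anchored `^...$` form of the `LocationMatch` pattern are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the first post; rule id 999001,
# /other.php and the unique_id values are made up for illustration.
SAMPLE_LOG = r'''
[Wed Nov 30 17:50:16 2011] [error] [client <IP>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/" at ARGS:location. [file "/opt/mod_security/10_asl_rules.conf"] [line "827"] [id "340153"] [rev "22"] [msg "Generic PHP code injection protection via ARGS 3"] [severity "CRITICAL"] [hostname "domain.tld"] [uri "/xxx/file.php"] [unique_id "aaa"]
[Wed Nov 30 17:51:02 2011] [error] [client <IP>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/" at ARGS:location. [file "/opt/mod_security/10_asl_rules.conf"] [line "827"] [id "340153"] [rev "22"] [msg "Generic PHP code injection protection via ARGS 3"] [severity "CRITICAL"] [hostname "domain.tld"] [uri "/xxx/file.php"] [unique_id "bbb"]
[Wed Nov 30 17:52:40 2011] [error] [client <IP>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:q. [file "/opt/mod_security/10_asl_rules.conf"] [line "1"] [id "999001"] [msg "constructed rule"] [hostname "domain.tld"] [uri "/other.php"] [unique_id "ccc"]
[Wed Nov 30 17:53:00 2011] [error] [client <IP>] File does not exist: /home/user/public_html/favicon.ico
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
TARGET = re.compile(r'" at (\S+)\. \[')                # matched variable, e.g. ARGS:location
SAFE_URI = re.compile(r'/[\w./-]*')                    # refuse to write odd URIs into config

def parse_denials(text):
    """Return one dict per ModSecurity 'Access denied' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        f, t = dict(FIELD.findall(line)), TARGET.search(line)
        if "id" in f and "uri" in f:
            events.append({"id": f["id"], "host": f.get("hostname", ""),
                           "uri": f["uri"], "target": t.group(1) if t else "?"})
    return events

def summarize(events):
    """Count hits per (host, uri, rule id, matched variable) to review before excluding."""
    return Counter((e["host"], e["uri"], e["id"], e["target"]) for e in events)

def scoped_exclusions(events, approved):
    """Emit per-URI stanzas only for (uri, rule_id) pairs a human has approved."""
    by_uri = {}
    for e in events:
        if (e["uri"], e["id"]) in approved and SAFE_URI.fullmatch(e["uri"]):
            by_uri.setdefault(e["uri"], set()).add(e["id"])
    out = []
    for uri in sorted(by_uri):
        out.append('<LocationMatch "^%s$">' % re.escape(uri))
        out += ["    SecRuleRemoveById %s" % rid for rid in sorted(by_uri[uri])]
        out.append("</LocationMatch>")
    return "\n".join(out)

if __name__ == "__main__":
    ev = parse_denials(SAMPLE_LOG)
    print(dict(summarize(ev)))
    print(scoped_exclusions(ev, {("/xxx/file.php", "340153")}))
```

The rule stays active for every other URI on the domain; only the reviewed file is exempted, and the unreviewed 999001 hit produces no exclusion.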
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

  6. czerdrill

    czerdrill Well-Known Member

    Thanks everyone, got it sorted out!
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Could you please indicate which post you followed to correct it, so we know how it was resolved? Thanks!
     
  8. czerdrill

    czerdrill Well-Known Member

    I followed yours, Tristan: did the SecRule in the modsec2.user.conf file.
     
  9. mikegotroot

    mikegotroot Well-Known Member

    You should definitely upgrade your rules; 340153 hasn't been included in our rules for years. So if that rule is being triggered, your rules are extremely old and you're missing a ton of fixes, as well as years of security improvements.
     