Mod Security Rules Incorrectly Blocking Googlebot

Hello everyone

I'm using CSF Firewall in my blog and the problem is the Mod_Security rules incorrectly blocks Googlebot regularly. It is happening almost every week.

In past I have removed a Mod Security rule which was blocking Googlebot and now a new Mod Security rule 950005 is blocking Googlebot.

Whenever it blocks Googlebot, I manually remove Googlebot IP address from deny list using WHM.

Is there any way to permanently stop this? How can I set Mod Security to not block Googlebot?

My hosting staff suggested me to add following rule at the end of Mod Security configuration:

Code:

#Allow googlebots
SecRule REMOTE_HOST googlebot.com$ allow,pass

But I'm not sure whether I should add it or not. Is there any security risk in adding this rule or is it ok? Is there any other recommended way to allow Googlebot?

Any kind of suggestions will be highly appreciated.

 

^^ Thanks for your reply but if someone edits browser's user-agent using add-on or configurations and make it look-like Googlebot's useragent then? Will it cause a security risk?

 

^^ I'm using CSF firewall. Following is the email alert content:

Code:

Time: Fri Jan 4 13:47:06 2013
IP: 66.249.73.150 (US/United States/crawl-66-249-73-150.googlebot.com)
Failures: 5 (mod_security)
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

[Fri Jan 04 13:44:02 2013] [error] [client 66.249.73.150] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:s. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "119"] [id "950005"] [msg "Remote File Access Attempt"] [data "boot.ini"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [hostname "xxx.xxx"] [uri "/"] [unique_id "xxx"]

[Fri Jan 04 13:44:03 2013] [error] [client 66.249.73.150] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:s. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "119"] [id "950005"] [msg "Remote File Access Attempt"] [data "boot.ini"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [hostname "xxx.xxx"] [uri "/"] [unique_id "xxx"]

[Fri Jan 04 13:45:03 2013] [error] [client 66.249.73.150] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:s. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "119"] [id "950005"] [msg "Remote File Access Attempt"] [data "boot.ini"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [hostname "xxx.xxx"] [uri "/"] [unique_id "xxx"]

[Fri Jan 04 13:46:04 2013] [error] [client 66.249.73.150] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:s. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "119"] [id "950005"] [msg "Remote File Access Attempt"] [data "boot.ini"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [hostname "xxx.xxx"] [uri "/"] [unique_id "xxx"]

[Fri Jan 04 13:47:04 2013] [error] [client 66.249.73.150] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:s. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "119"] [id "950005"] [msg "Remote File Access Attempt"] [data "boot.ini"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [hostname "xxx.xxx"] [uri "/"] [unique_id "xxx"]

 

^^ Will it not disable Mod security?

 

^^ Thanks. But will it solve the problem? I mean it'll block Googlebot IP temporary and after 1 hour when Googlebot will try to crawl again, firewall will again block it temporary. Is it right?

PS: Can you please clarify what's the difference between enabling and disabling CSF checking of mod_security logs? I mean if we disable the checking, what will happen in that situation? How will the malicious IP address blocked by the server if we disable CSF checking? I'm a little bit confused between Mod security and CSF.

 

^^ Thanks again for your help. So if I disable LF_MODSEC, Mod_Security will still check IP addresses based upon its rules and if it finds something malicious, it'll block it. Right?

 

^^ Thanks for all your help.