
mod_security - advice

Discussion in 'Security' started by rligg, Mar 17, 2008.

  1. rligg

    rligg Well-Known Member

    Joined:
    Sep 16, 2003
    Messages:
    277
    Likes Received:
    0
    Trophy Points:
    16
    All major php software seems to be hindered by the mod security rule Generic Path Recursion. How do some of you deal with this? Do you remove this rule? Or simply whitelist the domain?
     
  2. Billa

    Billa Member

    Joined:
    May 2, 2007
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    I'll suggest you to just whitelist the domain rather than removing it completely. That helps to prevent attacks from some malicious activity on your domain. You can whitelist it by using the following command in the .htaccess file.

    SecFilterEngine Off
    SecFilterScanPOST Off
     
  3. gundamz

    gundamz Well-Known Member

    Joined:
    Mar 27, 2002
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    How do we whitelist domain for mod security?
     
  4. rligg

    rligg Well-Known Member

    Joined:
    Sep 16, 2003
    Messages:
    277
    Likes Received:
    0
    Trophy Points:
    16
    So if I whitelist every domain that uses WordPress, Joomla, phpBB, etc., what exactly am I protecting? These are the sites that will most likely be hacked.
     
  5. whitewlf

    whitewlf Member

    Joined:
    Jan 14, 2006
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Work around for the -specific- mod_sec rules

    This is the recent advisory I sent to my co-admins due to our tightened mod_sec2 rules: (edited)


    First, determine which rule it is catching...

    Step 1: Go to the WHM ( https://xxxxxx.xxx:2087/ )

    Step 2: Bottom left menu, choose "Configserver Security & Firewall"

    Step 3: Mid bottom of page, choose "Mod Security Log" (Pick 20-50 entries if you cannot see it)

    (Note: You will need to tail the /etc/httpd/logs/modsec_audit.log or try the built-in cPanel mod_sec addon if you don't have csf/lfd installed)

    Step 4: Find the page and error you need, copy the [id xxxxxx] code.

    Step 5: Left WHM menu again, "Apache Setup" (you can type apache in top search box to go faster)

    Step 6: Select "Include Editor"

    Step 7: Select "Pre Virtual Host Include" and "All Versions"

    Step 8: Copy/Paste the similar configs and replace the mod sec rule ID number

    (Note: Config samples at bottom of this post. BE SPECIFIC for the file locations you are exempting!)


    Step 9: Update, then Restart Apache.

    Step 10: Recheck problem... it might hit more rules after that one, they can be slightly similar.

    If this doesn't work, just ask.

    Please also create 400/401 etc. pages from your cPanel (http://xxxxxxx.xxx/cpanel/ ) interface; near the bottom there is a simple editor to add all the pages. At least have something in there to reduce the error-log clutter.


    Below is reference info from the incident we diagnosed:


    http://blogsecurity.net/wordpress/modsecurity-and-wordpress-defense-in-depth/

    http://weblogtoolscollection.com/ar...y-wordpress-admin-and-method-not-implemented/



    root@xxxxxx [~]# tail -f /etc/httpd/logs/modsec_audit.log

    --37d2f309-H--
    Message: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at ARGS:newcontent. [id "950xxxx"] [msg "System Command Injection. Matched signature <; ?>\" id>"] [severity "CRITICAL"]
    Action: Intercepted (phase 2)
    Stopwatch: 1205643356130899 28484 (22443* 28143 -)
    Producer: ModSecurity v2.1.x (Apache 2.x)
    Server: Apache/2.2.xx (Unix) mod_ssl/2.xxxx OpenSSL/0.xxxx DAV/2 mod_mono/1.2.xxx mod_auth_passthrough/2.xxx mod_bwlimited/1.xxx FrontPage/5.0.x.xxxx mod_perl/2.xxxx Perl/v5.8.xxxx



    Directives added to http.conf:

    <LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById xxxxxx
    </LocationMatch>

    <LocationMatch "/wp-admin/theme-editor.php">
    SecRuleRemoveById xxxxxxx
    </LocationMatch>
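    Steps 3, 4 and 8 above boil down to: read the rule id out of the audit log, then remove that id only for the script that triggers it. The Python below is an added example, not whitewlf's or cPanel's code: it parses the serial modsec_audit.log format into per-path rule-id counts and renders the LocationMatch exemption, regex-escaping the path because LocationMatch takes a regex (an unescaped "." in the script name widens the match). The log sample and the rule ids 999001/999002 are constructed placeholders, not real Core Rule Set ids.

```python
import re
from collections import Counter

# Constructed ModSecurity 2.x serial audit-log sample, not a real capture. Transactions are
# delimited by "--<id>-<section>--": section B holds the request line, section H the "Message:"
# lines with the [id "..."] SecRuleRemoveById needs. Ids 999001/999002 are made-up placeholders.
SAMPLE_AUDIT_LOG = """\
--37d2f309-B--
POST /wp-admin/post.php HTTP/1.1
--37d2f309-H--
Message: Access denied with code 501 (phase 2). Pattern match "cmd.exe" at ARGS:newcontent. [id "999001"] [msg "System Command Injection"] [severity "CRITICAL"]
--37d2f309-Z--
--4a9c1f02-B--
POST /wp-admin/theme-editor.php?file=style.css HTTP/1.1
--4a9c1f02-H--
Message: Warning. Pattern match "../" at ARGS:file. [id "999002"] [msg "Generic Path Recursion"] [severity "WARNING"]
Message: Access denied with code 501 (phase 2). Pattern match "cmd.exe" at ARGS:newcontent. [id "999001"] [msg "System Command Injection"] [severity "CRITICAL"]
--4a9c1f02-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--\n?", re.M)
RULE_ID = re.compile(r'\[id "([^"]+)"\]')

def parse_audit_log(text):
    """Return {transaction id: {"path": request path, "ids": [rule ids that fired]}}."""
    txs = {}
    parts = BOUNDARY.split(text)  # ['', tid, section, body, tid, section, body, ...]
    for tid, section, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        tx = txs.setdefault(tid, {"path": "", "ids": []})
        if section == "B":        # request line: METHOD URI VERSION; drop the query string
            tx["path"] = body.split()[1].split("?", 1)[0]
        elif section == "H":      # one "Message:" line per rule that matched
            for line in body.splitlines():
                tx["ids"] += RULE_ID.findall(line)
    return txs

def rule_hits_by_path(text):
    """Count (path, rule id) pairs so an exemption is scoped to one script, not a whole domain."""
    return Counter((tx["path"], rid) for tx in parse_audit_log(text).values() for rid in tx["ids"])

def exemption_snippet(path, rule_ids):
    """Render the LocationMatch block from the post. LocationMatch takes a regex, so the path
    is escaped and anchored to keep the exemption specific to that one script."""
    body = "\n".join("SecRuleRemoveById %s" % rid for rid in rule_ids)
    return '<LocationMatch "^%s$">\n%s\n</LocationMatch>' % (re.escape(path), body)

if __name__ == "__main__":
    for (path, rid), n in sorted(rule_hits_by_path(SAMPLE_AUDIT_LOG).items()):
        print("%d hit(s)  %s  id %s" % (n, path, rid))
    print(exemption_snippet("/wp-admin/post.php", ["999001"]))
```

    Run it against a real modsec_audit.log by reading the file into the text argument; the per-path counts show which ids to exempt where, and which paths share a rule.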
     