when i setup mod_security default configuration then if anyone go wordpress admin panel and change any code or some modified then his ip block. why? my all customer complain for this problem. how i can solve this. i want if anyone change anything from his wordpress then his ip not block only anyone want to try hack or give wrong password then his ip block how i can do it. how i can setup mod_security
Hello 
Please check /usr/local/apache/logs/error_log when this happens or search it using grep in order to determine the specific rule ID that is blocking your WordPress users. You can then remove this rule from the Mod_Security configuration if necessary.
Thank you.
Please check /usr/local/apache/logs/error_log when this happens or search it using grep in order to determine the specific rule ID that is blocking your WordPress users. You can then remove this rule from the Mod_Security configuration if necessary.
Thank you.
Try searching for the username of an account that you experienced this issue with. EX:
Note that you will not have to post the entire output here. Instead, just post the snippet associated with the Mod_Security rule.
Thank you.
Code:
grep $username /usr/local/apache/logs/error_logThank you.
i have sever.. i want to disable mod_security for all my wordpress client. only who use wordpress. how i can do it?
There are a couple of ways to do this, but it's better to use a third-party application to achieve this if you are not comfortable on the command line. EX:
ConfigServer ModSecurity Control | cPanel App Catalog
Thank you.
ConfigServer ModSecurity Control | cPanel App Catalog
Thank you.
thanks a lot...
- - - Updated - - -
if i disable this then my main whm are not effect for it right? i want if my client cpanel any hacker can hacked then i have no problem but my main server where whm install that server not any effect for this.
- - - Updated - - -
if i disable this then my main whm are not effect for it right? i want if my client cpanel any hacker can hacked then i have no problem but my main server where whm install that server not any effect for this.
Do not just disable modsecurity entirely for those domains, it's a short-sighted solution to a problem that isn't actually that hard. You're opening a lot of risk by takign the "easy" solution in the short term.
If your customer(s) get blocked making edits, get their IP's and check the error logs. Usually it's a SQL injection rule that is tripped, if they use words like SELECT, UNION, etc. too many times in a post.
Odds are you will only need to whitelist a handful of rule IDs at most to get them going, and their sites will be better protected with the other rules still in place.
As recommended, configserver modsec control is a good app to whitelist rule IDs.
If your customer(s) get blocked making edits, get their IP's and check the error logs. Usually it's a SQL injection rule that is tripped, if they use words like SELECT, UNION, etc. too many times in a post.
Odds are you will only need to whitelist a handful of rule IDs at most to get them going, and their sites will be better protected with the other rules still in place.
As recommended, configserver modsec control is a good app to whitelist rule IDs.
some time ago my 1 client block by this...
180.234.27.254 # lfd: (mod_security) mod_security (id:1234123404) triggered by 180.234.27.254 (BD/Bangladesh/AWBL27-254.qubee.com.bd): 5 in the last 3600 secs - Wed Dec 4 22:06:54 2013
i already install ConfigServer ModSecurity Control. now which id i will be white-list?
180.234.27.254 # lfd: (mod_security) mod_security (id:1234123404) triggered by 180.234.27.254 (BD/Bangladesh/AWBL27-254.qubee.com.bd): 5 in the last 3600 secs - Wed Dec 4 22:06:54 2013
i already install ConfigServer ModSecurity Control. now which id i will be white-list?
check for 180.234.27.254 in the apache error log, those messages will tell you the rule ID or IDs that you need to whitelist. The info might also be in the modsec audit log, but it will be in error_log for sure.
i get this type of error .. where is id?
[Thu Dec 05 15:00:02.488245 2013] [:error] [pid 39546] [client 180.211.252.55] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(??:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?pyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(??:mo(?:use(?(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.domain.com"] [uri "/wp-content/plugins/kk-i-like-it/js/jquery.cookie.js"] [unique_id "UqDpUmB-oGoAAJp6kJoAAAAL"]
[Thu Dec 05 15:00:02.488245 2013] [:error] [pid 39546] [client 180.211.252.55] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?
?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?pyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(??:mo(?:use(?(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.domain.com"] [uri "/wp-content/plugins/kk-i-like-it/js/jquery.cookie.js"] [unique_id "UqDpUmB-oGoAAJp6kJoAAAAL"]1234123404 is the rule ID (where it says [id "1234123404"])
If you have configserver modsec control, use that to whitelist rule 1234123404 for the correct domain if this is a known legitimate request.
If you have configserver modsec control, use that to whitelist rule 1234123404 for the correct domain if this is a known legitimate request.
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| K | Mod_security and scan of port 443 | Security | 12 | |
| M | Effective cPanel mod_security Configuration | Security | 1 | |
|
Recommended mod_security configuration file? | Security | 4 | |
|
mod_security per user configuration | Security | 0 | |
| K | Anyone have a fail proof mod_security configuration? | Security | 17 |