mod_security configuration

Discussion in 'Security' started by smartshovon, Dec 4, 2013.

  1. smartshovon

    smartshovon Member

    Joined:
    Sep 30, 2013
    Messages:
    24
    Likes Received:
    1
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    When I set up the mod_security default configuration, if anyone goes to the WordPress admin panel and changes any code or modifies something, their IP is blocked. Why? All my customers complain about this problem. How can I solve this? I want it so that if anyone changes anything from their WordPress, their IP is not blocked; only if someone tries to hack or gives a wrong password should their IP be blocked. How can I do that? How can I set up mod_security?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,776
    Likes Received:
    663
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Please check /usr/local/apache/logs/error_log when this happens or search it using grep in order to determine the specific rule ID that is blocking your WordPress users. You can then remove this rule from the Mod_Security configuration if necessary.

    Thank you.
     
  3. smartshovon

    smartshovon Member

    How can I check from SSH?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Try searching for the username of an account that you experienced this issue with. EX:

    Code:
    grep $username /usr/local/apache/logs/error_log
    Note that you will not have to post the entire output here. Instead, just post the snippet associated with the Mod_Security rule.

    Thank you.
     
  5. smartshovon

    smartshovon Member

    I have a server. I want to disable mod_security for all my WordPress clients, only those who use WordPress. How can I do it?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  7. smartshovon

    smartshovon Member

    Thanks a lot...

    - - - Updated - - -

    If I disable this, my main WHM is not affected by it, right? I have no problem if a hacker hacks my clients' cPanel accounts, but I want the main server where WHM is installed not to be affected by this.
     
  8. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    941
    Likes Received:
    56
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Do not just disable modsecurity entirely for those domains, it's a short-sighted solution to a problem that isn't actually that hard. You're opening a lot of risk by taking the "easy" solution in the short term.

    If your customer(s) get blocked making edits, get their IPs and check the error logs. Usually it's a SQL injection rule that is tripped, if they use words like SELECT, UNION, etc. too many times in a post.

    Odds are you will only need to whitelist a handful of rule IDs at most to get them going, and their sites will be better protected with the other rules still in place.

    As recommended, configserver modsec control is a good app to whitelist rule IDs.
     
  9. smartshovon

    smartshovon Member

    Some time ago one of my clients was blocked by this...


    180.234.27.254 # lfd: (mod_security) mod_security (id:1234123404) triggered by 180.234.27.254 (BD/Bangladesh/AWBL27-254.qubee.com.bd): 5 in the last 3600 secs - Wed Dec 4 22:06:54 2013

    I have already installed ConfigServer ModSecurity Control. Now which ID should I whitelist?
     
  10. quizknows

    quizknows Well-Known Member

    Check for 180.234.27.254 in the Apache error log; those messages will tell you the rule ID or IDs that you need to whitelist. The info might also be in the modsec audit log, but it will be in error_log for sure.
     
  11. smartshovon

    smartshovon Member

    Where do I check the Apache error log?
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  13. smartshovon

    smartshovon Member

    I get this type of error. Where is the ID?

    [Thu Dec 05 15:00:02.488245 2013] [:error] [pid 39546] [client 180.211.252.55] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.domain.com"] [uri "/wp-content/plugins/kk-i-like-it/js/jquery.cookie.js"] [unique_id "UqDpUmB-oGoAAJp6kJoAAAAL"]
     
  14. quizknows

    quizknows Well-Known Member

    1234123404 is the rule ID (where it says [id "1234123404"])

    If you have configserver modsec control, use that to whitelist rule 1234123404 for the correct domain if this is a known legitimate request.
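
The lookup described in this thread (find the blocked client's lines in error_log, then read the `[id "..."]` tag), as an added example that is not part of the original posts. The function names and the sample log lines are constructed for illustration: the lines are modelled on the entry posted above, with documentation IP addresses and a made-up second rule ID.

```shell
#!/usr/bin/env bash
# Added example: list which ModSecurity rules blocked one client IP.

# modsec_hits <client-ip> [error_log]   (reads stdin when no file is given)
# Prints "<count> id=<rule> host=<vhost> uri=<path> msg=<text>", busiest first.
modsec_hits() {
    awk -v ip="$1" '
    # Return the value of a [name "value"] tag, or "-" when the tag is absent.
    function field(line, name,    s) {
        if (!match(line, "\\[" name " \"[^\"]*\"\\]")) return "-"
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"\]$/, "", s)
        return s
    }
    # Only ModSecurity lines for this client; the log may show "ip" or "ip:port".
    /ModSecurity:/ && (index($0, "[client " ip "]") || index($0, "[client " ip ":")) {
        key = field($0, "id") " host=" field($0, "hostname")
        key = key " uri=" field($0, "uri") " msg=" field($0, "msg")
        hits[key]++
    }
    END { for (k in hits) printf "%d id=%s\n", hits[k], k }
    ' "${2:--}" | sort -rn
}

# Constructed sample input (not real log data).
sample_log() {
    cat <<'EOF'
[Thu Dec 05 15:00:02 2013] [:error] [pid 1] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "www.domain.com"] [uri "/wp-content/plugins/kk-i-like-it/js/jquery.cookie.js"]
[Thu Dec 05 15:00:09 2013] [:error] [pid 1] [client 203.0.113.10:51234] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "www.domain.com"] [uri "/wp-content/plugins/kk-i-like-it/js/jquery.cookie.js"]
[Thu Dec 05 15:02:41 2013] [:error] [pid 2] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS:content. [id "9999001"] [msg "Constructed SQL injection rule"] [hostname "www.domain.com"] [uri "/wp-admin/post.php"]
[Thu Dec 05 15:03:00 2013] [:error] [pid 3] [client 203.0.113.99] ModSecurity: Access denied with code 406 (phase 2). [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "other.example"] [uri "/x.js"]
[Thu Dec 05 15:04:00 2013] [:error] [pid 4] [client 203.0.113.10] File does not exist: /home/user/public_html/favicon.ico
EOF
}

# On a server: modsec_hits <blocked-ip> /usr/local/apache/logs/error_log
sample_log | modsec_hits 203.0.113.10
```

Each output line names one rule ID together with the hostname and URI it fired on, which is the information needed to whitelist that rule for the affected domain only instead of disabling ModSecurity for the whole site.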
     
  15. smartshovon

    smartshovon Member

    What does this ID do? Can you tell me?
     
  16. dekdroiddev

    dekdroiddev Registered

    Joined:
    Dec 6, 2013
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Thanks for the good knowledge. ;)
     