mod_security configuration

smartshovon

Active Member
Sep 30, 2013
34
1
58
cPanel Access Level
Root Administrator
When I set up the mod_security default configuration, if anyone goes to the WordPress admin panel and changes any code or modifies something, his IP is blocked. Why? All my customers complain about this problem. How can I solve this? I want it so that if anyone changes anything from his WordPress, his IP is not blocked; only if anyone tries to hack or gives a wrong password should his IP be blocked. How can I do it? How can I set up mod_security?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,270
463
Hello :)

Please check /usr/local/apache/logs/error_log when this happens or search it using grep in order to determine the specific rule ID that is blocking your WordPress users. You can then remove this rule from the Mod_Security configuration if necessary.

Thank you.
 

cPanelMichael

Try searching for the username of an account that you experienced this issue with. EX:

Code:
grep $username /usr/local/apache/logs/error_log
Note that you will not have to post the entire output here. Instead, just post the snippet associated with the Mod_Security rule.

Thank you.
 

smartshovon

thanks a lot...

- - - Updated - - -

If I disable this, then my main WHM is not affected by it, right? I want it so that if any hacker hacks my client's cPanel, I have no problem, but my main server where WHM is installed is not affected by this.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Do not just disable modsecurity entirely for those domains, it's a short-sighted solution to a problem that isn't actually that hard. You're opening a lot of risk by taking the "easy" solution in the short term.

If your customer(s) get blocked making edits, get their IPs and check the error logs. Usually it's a SQL injection rule that is tripped, if they use words like SELECT, UNION, etc. too many times in a post.

Odds are you will only need to whitelist a handful of rule IDs at most to get them going, and their sites will be better protected with the other rules still in place.

As recommended, configserver modsec control is a good app to whitelist rule IDs.
 

smartshovon

Some time ago one of my clients was blocked by this...


180.234.27.254 # lfd: (mod_security) mod_security (id:1234123404) triggered by 180.234.27.254 (BD/Bangladesh/AWBL27-254.qubee.com.bd): 5 in the last 3600 secs - Wed Dec 4 22:06:54 2013

I already installed ConfigServer ModSecurity Control. Now which ID should I whitelist?
 

quizknows

Check for 180.234.27.254 in the Apache error log; those messages will tell you the rule ID or IDs that you need to whitelist. The info might also be in the modsec audit log, but it will be in error_log for sure.
 

cPanelMichael

The Apache error log is located at:

/usr/local/apache/logs/error_log

Thank you.
 

smartshovon

I get this type of error... where is the ID?

[Thu Dec 05 15:00:02.488245 2013] [:error] [pid 39546] [client 180.211.252.55] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.domain.com"] [uri "/wp-content/plugins/kk-i-like-it/js/jquery.cookie.js"] [unique_id "UqDpUmB-oGoAAJp6kJoAAAAL"]
 

quizknows

1234123404 is the rule ID (where it says [id "1234123404"])

If you have configserver modsec control, use that to whitelist rule 1234123404 for the correct domain if this is a known legitimate request.
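
The error_log lookup described in the replies above, as an added example that is not part of the original thread: it tallies ModSecurity denials for one client IP by rule ID, hostname and URI, so only the rule that actually fired is whitelisted, and only for the domain it fired on. The function names, the sample log lines, the 203.0.113.x addresses and rule IDs 900001 and 900002 are constructed for illustration.

```shell
# Added example; the function names and sample log lines are constructed.
# Tally ModSecurity denials for one client IP by rule ID, vhost and URI.
# Usage: modsec_denials_for_ip <ip> [error_log]
modsec_denials_for_ip() {
    ip=$1
    log=${2:-/usr/local/apache/logs/error_log}   # path given in the thread
    # Escape the dots, allow an optional :port, and require the closing
    # bracket so that 203.0.113.7 does not also match 203.0.113.70.
    pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
    grep -E "\[client ${pat}(:[0-9]+)?]" "$log" |
    grep -F 'ModSecurity: Access denied' |
    awk '
        # Value of a [name "value"] field on the current line, "-" if absent.
        function field(name,    re, s) {
            re = "\\[" name " \"[^\"]*\"]"
            if (!match($0, re)) return "-"
            s = substr($0, RSTART, RLENGTH)
            sub("^\\[" name " \"", "", s)
            sub("\"]$", "", s)
            return s
        }
        { n[field("id") "\t" field("hostname") "\t" field("uri") "\t" field("msg")]++ }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample in the error_log format quoted in the thread.
sample_log() {
    cat <<'EOF'
[Thu Dec 05 15:00:02 2013] [:error] [pid 1] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:demo)" at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "www.example.com"] [uri "/wp-content/plugins/demo/js/jquery.cookie.js"] [unique_id "a"]
[Thu Dec 05 15:00:09 2013] [:error] [pid 2] [client 203.0.113.7:51544] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:demo)" at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "www.example.com"] [uri "/wp-content/plugins/demo/js/jquery.cookie.js"] [unique_id "b"]
[Thu Dec 05 15:02:11 2013] [:error] [pid 3] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:demo)" at ARGS:content. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "90"] [id "900001"] [msg "SQL Injection Attack"] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "c"]
[Thu Dec 05 15:03:40 2013] [:error] [pid 4] [client 203.0.113.70] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:demo)" at ARGS:q. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "95"] [id "900002"] [msg "SQL Injection Attack"] [hostname "other.example.com"] [uri "/index.php"] [unique_id "d"]
EOF
}
```

Output columns are tab-separated: hit count, rule ID, hostname, URI, message. A rule that fires repeatedly on a static plugin file such as a `.js` asset is the usual whitelist candidate; hits on login or admin endpoints deserve a look at the request before any rule is removed.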