Scott Galambos

Well-Known Member
Jul 13, 2016
83
3
8
Canada
cPanel Access Level
Root Administrator
Are modsec rule IDs sequential? Like, is their preference linear? If I want to whitelist an IP, does my ID have to be as low as possible (e.g. 1 through, say, 200)? Or can I make it like 60000 and it will still work?
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
13,304
1,247
313
Houston

Scott Galambos

So the ID for a whitelist has to be the ID for an existing rule to whitelist against. Is this how you whitelist an IP address then?
Code:
SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"
Every time I try to whitelist an IP address it says ID already used and won't let Apache restart.

For example I see this in my logs:
Code:
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 72.238.15.34] ModSecurity: Warning. Pattern match "(?i)<[^\\\\\\\\... [id "941160"] [rev "2"] [msg "NoScript....
Action: Intercepted (phase 2)
So I want to whitelist IP address 72.238.15.34 against this rule, so I do:
Code:
SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"
and it will not work:
Code:
Oct 14 08:41:24 core.extremehosting.ca restartsrv_httpd[32070]: ModSecurity: Found another rule with the same id
Oct 14 08:41:24 core.extremehosting.ca systemd[1]: Failed to start Apache web server managed by cPanel EasyApache.

What do I have to do to simply whitelist an IP address for a given modsec rule (ID)?
 

PlotHost

Well-Known Member
Apr 29, 2011
286
14
68
US
cPanel Access Level
Root Administrator
Code:
SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"
The ID here should be a custom ID. ID 941160 is already used by another rule.
900,000–999,999: reserved for the OWASP ModSecurity Core Rule Set

What do I have to do to simply whitelist an IP address for a given modsec rule (ID)?
Try something like this. Look in the ModSecurity reference manual.
Code:
SecRule REMOTE_ADDR "@ipMatch 72.238.15.34" "id:1010,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=941160"
 
Reactions: cPanelLauren
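
The restart failure discussed in this thread can be caught before Apache is restarted. The following is an added example, not part of any post above and not cPanel or ModSecurity code: it flags custom rule IDs that collide with already-loaded rules or fall in the range cited above as reserved for the Core Rule Set. The function names, the stand-in vendor rule and the simple `id:` regex (which does not try to tell an id action from the same text inside an operand or message) are assumptions made for the example.

```python
import re

CRS_RESERVED = range(900_000, 1_000_000)  # range the thread cites as reserved for the CRS
ID_RE = re.compile(r"""\bid:\s*['"]?(\d+)""")  # id action: id:1010 or id:'1010'

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_no, directive)."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        directive, buf = (buf + line).strip(), ""
        if directive and not directive.startswith("#"):
            yield start, directive

def rule_ids(text):
    """Yield (line_no, id) for every SecRule/SecAction that carries an id action."""
    for no, directive in logical_lines(text):
        if directive.split(None, 1)[0] in ("SecRule", "SecAction"):
            if m := ID_RE.search(directive):
                yield no, int(m.group(1))

def check_custom_rules(custom_text, loaded_ids):
    """Return [(line_no, id, problem)] for ids that would clash or are reserved."""
    problems, seen = [], set(loaded_ids)
    for no, rid in rule_ids(custom_text):
        if rid in seen:
            problems.append((no, rid, "duplicate id"))
        elif rid in CRS_RESERVED:
            problems.append((no, rid, "id in CRS reserved range"))
        seen.add(rid)
    return problems

# Constructed stand-in for the vendor rule that already owns id 941160.
VENDOR = r'''
SecRule ARGS "@rx (?i)<script" \
    "id:941160,phase:2,block,msg:'constructed sample rule'"
'''
# The two exclusion rules from the thread: the rejected one and the suggested one.
REJECTED = 'SecRule REMOTE_ADDR "@IPMatch 72.238.15.34" "id:941160,ctl:ruleEngine=Off"'
SUGGESTED = ('SecRule REMOTE_ADDR "@ipMatch 72.238.15.34" '
             '"id:1010,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=941160"')

if __name__ == "__main__":
    loaded = {rid for _, rid in rule_ids(VENDOR)}
    print(check_custom_rules(REJECTED, loaded), check_custom_rules(SUGGESTED, loaded))
```

On a real server, `loaded_ids` would be built by running `rule_ids` over the text of the rule files Apache already includes.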