The Community Forums


ModSecurity Issue

Discussion in 'Security' started by bloodsavi, Aug 16, 2013.

  1. bloodsavi

    bloodsavi Member

    Hi, Can someone please help me to disable ModSecurity rule ID "1234123456" for a specific folder. I spent hours without any success. I'm currently on WHM 11.38.1 (build 15) if that helps.

    First I added these directives to my domain's custom include file -

    Code:
        <IfModule mod_security2.c>
            SecRuleRemoveById 1234123456 13050 13051
        </IfModule>
    
    I have added 13050, 13051 to avoid some rules which are affecting WordPress. And only those 2 IDs are removed but not 1234123456 and it's still active. Then I tried the following

    Code:
        <IfModule mod_security2.c>
            SecRuleEngine Off
        </IfModule>
    
    Even after that, WordPress rules are removed but not 1234123456. To verify this I checked the modsec2 debug log file and the rule is there. Then I had to disable it globally by commenting out the rule itself in modsec2.conf file which was added by EA I guess which I'm sure will get added when I do an update in the future. And I really don't like to mess with those files. Can someone please help to disable the Rule ID 1234123456 using my domain's custom apache include file.

    Thank you very much :)
     
    #1 bloodsavi, Aug 16, 2013
    Last edited: Aug 16, 2013
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. bloodsavi

    bloodsavi Member

    Thanks a lot for the quick reply :) And Thanks a lot for the Addon link. But can you please let me know what I'm doing wrong? How can I do this without installing the addon you mentioned? Thanks
     
  4. bloodsavi

    bloodsavi Member

    Hi Infopro, I installed the addon but unfortunately still it's not working. Can it be because the ID is really long "1234123456" ? Please help me out :( Thank you
     
  5. quietFinn

    quietFinn Well-Known Member

    So when you had installed ConfigServer ModSecurity Control did you disable that rule for the account in question?

    The ID is not too long.
     
  6. quizknows

    quizknows Well-Known Member

    It is possible there was a problem with multipart processing, the info from your modsec debug log or modsec audit log would help. You might just need to add tmpdir settings or something.
     
  7. bloodsavi

    bloodsavi Member

    @quietFinn, I first checked disabling it for the account and then tried globally. In both cases it didn't work.

    @quizknows, Thanks for the reply, I'm pretty sure this is a false positive. I did go through the modsec debug log and the error is triggered because DB - 1 which I think is because "HTTP Response Body - Data Before" is having an issue. Anyway, I would like to disable that rule :) Any idea how I can do it rather than commenting out the rule itself in the modsec2.conf file which I really don't like to do :(

    Thank you
     
  8. quietFinn

    quietFinn Well-Known Member

    I have disabled that rule in a few accounts using ConfigServer ModSecurity Control.
    If that does not work then there is probably something wrong with your mod_sec configuration.
     
  9. quizknows

    quizknows Well-Known Member

    I'm not saying it is not a false positive. That's the info I needed ( DB - 1 / DB %{MULTIPART_DATA_BEFORE}). Simply remove DB %{MULTIPART_DATA_BEFORE} from the rule chain on SecRule MULTIPART_STRICT_ERROR and it will remove just that one check.

    If you look at the first part of the rule: "!@eq 0" means "is not null". You can just remove that one particular check from the rule, which is what I would do in your case.
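
Added example, not part of any post in this thread: a small Python triage script for the log check discussed above, reporting which multipart flags (such as `DB`) were non-zero on each URI so an exclusion can be scoped to the paths that actually trip rule 1234123456. It assumes log entries carry the `XX n` flag list from the msg template of ModSecurity's recommended `MULTIPART_STRICT_ERROR` rule; the function names, sample entries and URIs are constructed for illustration.

```python
import re

# DB is the flag named in the thread; the other names are assumed from the
# msg template of ModSecurity's recommended MULTIPART_STRICT_ERROR rule.
FLAG_NAMES = {
    "PE": "REQBODY_PROCESSOR_ERROR", "BQ": "MULTIPART_BOUNDARY_QUOTED",
    "BW": "MULTIPART_BOUNDARY_WHITESPACE", "DB": "MULTIPART_DATA_BEFORE",
    "DA": "MULTIPART_DATA_AFTER", "HF": "MULTIPART_HEADER_FOLDING",
    "LF": "MULTIPART_LF_LINE",
}
MSG_RE = re.compile(r'failed strict validation:\s*([^"\]]+)')
PAIR_RE = re.compile(r"\b([A-Z]{2})\s+(\d+)")
URI_RE = re.compile(r'\[uri "([^"]*)"\]')

def tripped_flags(line):
    """Return {code: value} for the non-zero flags in one log line.

    Returns None when the line is not a strict-validation hit."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    pairs = PAIR_RE.findall(m.group(1))
    return {code: int(val) for code, val in pairs if int(val) != 0}

def summarize(lines):
    """Per URI, count how often each multipart flag was non-zero."""
    summary = {}
    for line in lines:
        flags = tripped_flags(line)
        if flags is None:
            continue
        uri = URI_RE.search(line)
        per_uri = summary.setdefault(uri.group(1) if uri else "?", {})
        for code in flags:
            name = FLAG_NAMES.get(code, code)
            per_uri[name] = per_uri.get(name, 0) + 1
    return summary

# Constructed sample entries (not taken from the thread).
_TPL = ('ModSecurity: Access denied. [id "1234123456"] [msg "Multipart request '
        'body failed strict validation: PE 0, BQ 0, BW 0, DB %d, DA %d, HF 0, '
        'LF 0"] [uri "%s"]')
SAMPLE = [
    _TPL % (1, 0, "/blog/upload.php"),
    _TPL % (1, 0, "/blog/upload.php"),
    _TPL % (1, 1, "/shop/import.php"),
    'ModSecurity: Warning. [id "13050"] [msg "unrelated"] [uri "/blog/"]',
]

if __name__ == "__main__":
    for uri, counts in summarize(SAMPLE).items():
        print(uri, counts)
```

A URI that only ever shows one flag is a candidate for a narrowly scoped exclusion; several flags on the same URI suggest the client's multipart encoding is worth inspecting before the rule is relaxed.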
     