The Community Forums


ModSecurity rule only for specific domain/account

Discussion in 'Security' started by BogdanT, Nov 5, 2015.

  1. BogdanT

    BogdanT Member

    Joined:
    Feb 2, 2015
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    I need to enable a specific ModSecurity rule for one domain only. Any idea whether this is possible?

    I have about 50 accounts, so I don't want to enable this rule and then disable it for the other 49 except the one.

    Thank you,
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. BogdanT

    BogdanT Member

    Hello,

    CMC allows disabling mod_security entirely, either globally, per cPanel user or per hosted domain, but not enabling it for one account only.
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    The easiest way, assuming modsecurity is on server-wide, would be to add a domain-specific vhost include as outlined in httpd.conf:
    Code:
      # To customize this VirtualHost use an include file at the following location
      # Include "/usr/local/apache/conf/userdata/std/2_4/USERNAME/DOMAIN/*.conf"
    
    Then add the rule to that file and run /scripts/rebuildhttpdconf to make it active.

    Optionally, you could append the modsec rule itself instead. To do this, you would add "chain" to the actions of the rule and then an additional rule line with:

    Code:
    SecRule SERVER_NAME "domain\.com" "t:lowercase"
    
    For example if this was your rule:

    Code:
    SecRule QUERY_STRING "safe_mode=off" "deny,id:1000847,t:urldecode"
    
    You would change it to:
    Code:
    SecRule QUERY_STRING "safe_mode=off" "deny,id:1000847,t:urldecode,chain"
    SecRule SERVER_NAME "domain\.com" "t:lowercase"
    
    This creates a second condition for the rule, requiring the request to be for that domain in order to be blocked. The t:lowercase will stop requests from making it through if they capitalize the domain. For the best chance at stopping requests that try to evade your rule(s), the above method of using the domain includes is preferred over modifying the rule.
     
    #4 quizknows, Nov 5, 2015
    Last edited: Nov 5, 2015
  5. BogdanT

    BogdanT Member

    Thank you for the prompt answer.
    Just want to clarify:

    I should create a file geo.conf under /usr/local/apache/conf/userdata/std/2_4/USERNAME/DOMAIN/ and copy the rule there? The rule looks like:

    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking RU UA IP Address'"
    SecRule GEO:COUNTRY_CODE "@pm RU UA"

    and then run /scripts/rebuildhttpdconf.

    Am I right?
     
  6. quizknows

    quizknows Well-Known Member

    Correct, obviously replacing USERNAME and DOMAIN with the cPanel username and their site's domain name.

    Once you run /scripts/rebuildhttpdconf you should be able to search through /usr/local/apache/conf/httpd.conf and see that it uncommented the includes line for that domain.

    If you are not using Apache 2.4, keep in mind the path may be std/2 or std/2_2 instead; check httpd.conf first if you are not sure.
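Both the "chain" approach from post #4 and the per-domain include path confirmed in post #6 can be scripted. The following is an added example, not code from the thread or from cPanel: it rewrites a single rule or an existing multi-line chain (such as the geo chain from post #5) into a domain-scoped chain and builds the include path. The anchored, regex-escaped SERVER_NAME pattern and the optional `www.` prefix are additions here, not part of the posted rule.

```python
import re

# One SecRule line: SecRule VARIABLES "OPERATOR", then an optional quoted
# action list. Backslash escapes inside the quoted parts are honoured.
_SECRULE = re.compile(
    r'^(?P<head>\s*SecRule\s+\S+\s+"(?:[^"\\]|\\.)*")'
    r'(?:\s+"(?P<actions>(?:[^"\\]|\\.)*)")?\s*$'
)

# Constructed sample input: the two-line geo chain posted in the thread.
GEO_RULE = (
    "SecRule REMOTE_ADDR \"@geoLookup\" "
    "\"phase:1,chain,id:10,drop,log,msg:'Blocking RU UA IP Address'\"\n"
    "SecRule GEO:COUNTRY_CODE \"@pm RU UA\""
)

def _ensure_chain(line: str) -> str:
    """Return the SecRule line with 'chain' present in its action list."""
    m = _SECRULE.match(line)
    if not m:
        raise ValueError(f"not a single-line SecRule: {line!r}")
    actions = m.group("actions")
    if actions is None:                        # rule had no action list
        return f'{m.group("head")} "chain"'
    if "chain" in (a.strip() for a in actions.split(",")):
        return line.strip()                    # already chained
    return f'{m.group("head")} "{actions},chain"'

def domain_pattern(domain: str) -> str:
    """Anchored, regex-escaped SERVER_NAME pattern. The thread's example is
    unanchored; anchoring stops 'example.com' matching 'example.com.evil.test'.
    The optional 'www.' prefix assumes the vhost also serves www.<domain>."""
    return r"^(?:www\.)?" + re.escape(domain.lower()) + "$"

def scope_rule_to_domain(rule: str, domain: str) -> str:
    """Restrict a rule, or an existing multi-line chain, to one vhost by adding
    'chain' to its last rule and appending a SERVER_NAME check (post #4)."""
    lines = [ln.strip() for ln in rule.splitlines() if ln.strip()]
    lines[-1] = _ensure_chain(lines[-1])
    lines.append(f'SecRule SERVER_NAME "{domain_pattern(domain)}" "t:lowercase"')
    return "\n".join(lines)

def include_path(username: str, domain: str, apache: str = "2_4",
                 filename: str = "modsec.conf") -> str:
    """cPanel per-domain include path from the httpd.conf comment in the thread;
    older Apache builds use '2_2' or '2' in place of '2_4' (post #6)."""
    return f"/usr/local/apache/conf/userdata/std/{apache}/{username}/{domain}/{filename}"
```

Write the output of `scope_rule_to_domain(GEO_RULE, "example.com")` to the file returned by `include_path(...)` and run /scripts/rebuildhttpdconf as the thread describes.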
     