ModSecurity rule only for specific domain/account

BogdanT

Member
Feb 2, 2015
cPanel Access Level
Root Administrator
Hello,

I need to enable a specific ModSecurity rule for one domain only. Any idea if it is possible?

I have about 50 accounts, so I won't enable this rule and then disable it for the 49 other than that one.

Thank you,

BogdanT

Member
Feb 2, 2015
cPanel Access Level
Root Administrator
Hello,

CMC allows disabling mod_security entirely, also on a global, per-cPanel-user or per-hosted-domain level, but not enabling it for one account only.

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
The easiest way, assuming modsecurity is on server-wide, would be to add a domain-specific vhost include as outlined in httpd.conf:
Code:
  # To customize this VirtualHost use an include file at the following location
  # Include "/usr/local/apache/conf/userdata/std/2_4/USERNAME/DOMAIN/*.conf"
Then add the rule to that file and run /scripts/rebuildhttpdconf to make it active.

Optionally, you could append to the modsec rule itself instead. To do this, you would add "chain" to the actions of the rule and then an additional rule line with:

Code:
SecRule SERVER_NAME "domain\.com" "t:lowercase"
For example if this was your rule:

Code:
SecRule QUERY_STRING "safe_mode=off" "deny,id:1000847,t:urldecode"
You would change it to:
Code:
SecRule QUERY_STRING "safe_mode=off" "deny,id:1000847,t:urldecode,chain"
SecRule SERVER_NAME "domain\.com" "t:lowercase"
This creates a 2nd condition for the rule requiring it to be for that domain in order to be blocked. The t:lowercase will stop requests from making it through if they capitalize the domain. For the best chance at stopping requests that try to evade your rule(s) the above method of using the domain includes is preferred over modifying the rule.

BogdanT

Member
Feb 2, 2015
cPanel Access Level
Root Administrator
Thank you for the prompt answer.
Just want to clarify:

I should create a file geo.conf under /usr/local/apache/conf/userdata/std/2_4/USERNAME/DOMAIN/ and copy the rule there? The rule looks like:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking RU UA IP Address'"
SecRule GEO:COUNTRY_CODE "@pm RU UA"


and run /scripts/rebuildhttpdconf

Am I right?

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Correct, obviously replacing USERNAME and DOMAIN with the cPanel username and their site's domain name.

Once you run /scripts/rebuildhttpdconf you should be able to search through /usr/local/apache/conf/httpd.conf and see that it uncommented the includes line for that domain.

If you are not using apache 2.4 keep in mind the path may be std/2 or std/2_2 instead; check httpd.conf prior if you are not sure.
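A small helper script, added here as an example and not part of the thread or of cPanel's own scripts, that does both things quizknows describes: it turns a rule into the chained, domain-restricted form (appending "chain" and a SERVER_NAME rule with t:lowercase) and works out the userdata include directory by reading the std/2_4, std/2_2 or std/2 hint from httpd.conf. Function names and the sample httpd.conf are my own.

```shell
#!/bin/sh
# Added example: helper functions for a per-domain ModSecurity include on cPanel.
# Function names are hypothetical; paths follow the ones quoted in the thread.

# Escape dots in a hostname so the SecRule SERVER_NAME regex matches the
# literal domain ("domain\.com") rather than any character in that position.
escape_domain() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Append ",chain" to the rule's action list (its final quoted argument) and
# emit the second, chained rule that limits the match to one domain.
# Prints the two-line rule block on stdout.
chain_rule_for_domain() {
    rule=$1
    domain=$2
    case $rule in
        *\") : ;;   # action list ends with a closing quote, as expected
        *) echo "rule must end with a quoted action list" >&2; return 1 ;;
    esac
    actions=${rule%\"}               # drop the closing quote, re-add it below
    printf '%s,chain"\n' "$actions"
    printf 'SecRule SERVER_NAME "%s" "t:lowercase"\n' "$(escape_domain "$domain")"
}

# Read the "Include .../userdata/std/<ver>/USERNAME/DOMAIN/*.conf" hint from
# httpd.conf (2_4, 2_2 or 2 depending on the Apache build) and print the
# include directory for this user and domain. Third argument overrides the
# httpd.conf path, mainly for testing against a constructed file.
userdata_dir() {
    user=$1; domain=$2; conf=${3:-/usr/local/apache/conf/httpd.conf}
    ver=$(sed -n 's|.*conf/userdata/std/\([0-9_]*\)/USERNAME/DOMAIN/.*|\1|p' "$conf" | head -n 1)
    [ -n "$ver" ] || { echo "no userdata include hint found in $conf" >&2; return 1; }
    printf '/usr/local/apache/conf/userdata/std/%s/%s/%s\n' "$ver" "$user" "$domain"
}

# Typical use (uncomment on a real server, then run /scripts/rebuildhttpdconf):
# dir=$(userdata_dir USERNAME DOMAIN) && mkdir -p "$dir" &&
#   chain_rule_for_domain 'SecRule QUERY_STRING "safe_mode=off" "deny,id:1000847,t:urldecode"' DOMAIN \
#   > "$dir/modsec_domain.conf"
```

Write the generated block into a file under the directory userdata_dir prints, then run /scripts/rebuildhttpdconf as described above.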