Need Modsecurity whitelist help for OpenX, can't find right ID?

[aarondwyer]

Hi

Modsecurity is blocking the OpenX ad management system from displaying ads on one of my accounts.

I need help identifying what modsecurity rule to exclude.

From /etc/httpd/logs/error_log

[Tue Jan 18 13:24:50 2011] [error] [client 211.30.165.234] ModSecurity: Access d
enied with code 500 (phase 2). Pattern match "\\.php\\?.*loc=(http|https|ftp)\\:
\\/" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "30
2"] [hostname "domain.com"] [uri "/ads/www/delivery/spc.php"] [unique_id "T
TUIAkg03YoAACviTToAAAAV"]

I know I can add a file /usr/local/apache/conf/userdata/std/2/domain/domain.com/whitelist.conf

With this in it.

<LocationMatch "/ads/www/delivery/spc.php">
  SecRuleRemoveById ?????????
</LocationMatch>

But I don't know what the corresponding modsecurity ID has been triggered, so where I have ???????? question marks I need an ID.

Does anyone know how to find this information if the error_log file doesn't specify it.

Thanks
Aaron

 

[Infopro]

Are you using an old version of modsec2.user.conf? Those rules should be providing ID numbers. I suppose you could check line 302 in that file to see what it says. No way of knowing from here though, my modsec2.user.conf seems to be different than yours.

WHM > Plugins > Mod Security > Edit Config

 

[aarondwyer]

Thanks, this is first line and line 302 of modsec2.user.conf

### Modsec2 rules v0.2 ###

SecRule REQUEST_URI "\.php\?.*loc=(http|https|ftp)\:\/"

I'd rather not comment it out. Perhaps my modsecurity needs an upgrade?

How do you know what version of modsecurity is running, and how does it get updated?

Is modsecurity and it's rules updated via the normal cPanel updates?

Thanks
Aaron

 

[Infopro]

Mod Security is installed via Easy Apache, and is not automatic.

 

[aarondwyer]

In WHM > Plugins > Mod Security > Edit Config

I clicked on the Reset Configuation textarea to : Default Configuration

A whole different set of rules appeared, each one with a ID against each of the rules.

I have my server managed for me, so I can only assume that they entered in a custom ruleset.

I'll run with the default configuration from cPanel for awhile and see what happens.

Thanks for your help

Aaron

 

[syslint]

It is not a good idea to run big openx websites with a tightened cPanel box. Also not a good idea to host in a shared box. See here an optimization article for openx with cPanel Openx Handbook Openx Server Optimization And Performance Tuning | Say GNU/Linux