
Need Modsecurity whitelist help for OpenX, can't find right ID?

Discussion in 'Security' started by aarondwyer, Jan 17, 2011.

  1. aarondwyer

    Hi

    Modsecurity is blocking the OpenX ad management system from displaying ads on one of my accounts.

    I need help identifying what modsecurity rule to exclude.

    From /etc/httpd/logs/error_log

    Code:
    [Tue Jan 18 13:24:50 2011] [error] [client 211.30.165.234] ModSecurity: Access denied with code 500 (phase 2). Pattern match "\\.php\\?.*loc=(http|https|ftp)\\:\\/" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "302"] [hostname "domain.com"] [uri "/ads/www/delivery/spc.php"] [unique_id "TTUIAkg03YoAACviTToAAAAV"]
    
    I know I can add a file /usr/local/apache/conf/userdata/std/2/domain/domain.com/whitelist.conf

    With this in it.

    Code:
    <LocationMatch "/ads/www/delivery/spc.php">
      SecRuleRemoveById ?????????
    </LocationMatch>
    But I don't know which modsecurity ID has been triggered, so where I have the ???????? question marks I need an ID.

    Does anyone know how to find this information if the error_log file doesn't specify it?

    Thanks
    Aaron
     
  2. Infopro

    Are you using an old version of modsec2.user.conf? Those rules should be providing ID numbers. I suppose you could check line 302 in that file to see what it says. No way of knowing from here though, my modsec2.user.conf seems to be different than yours.

    WHM > Plugins > Mod Security > Edit Config
     
  3. aarondwyer

    Thanks, this is the first line and line 302 of modsec2.user.conf

    ### Modsec2 rules v0.2 ###

    SecRule REQUEST_URI "\.php\?.*loc=(http|https|ftp)\:\/"

    I'd rather not comment it out. Perhaps my modsecurity needs an upgrade?

    How do you know what version of modsecurity is running, and how does it get updated?

    Are modsecurity and its rules updated via the normal cPanel updates?

    Thanks
    Aaron
     
  4. Infopro

    Mod Security is installed via Easy Apache, and is not automatic.
     
  5. aarondwyer

    In WHM > Plugins > Mod Security > Edit Config

    I clicked on the Reset Configuration textarea to: Default Configuration

    A whole different set of rules appeared, each one with an ID against each of the rules.

    I have my server managed for me, so I can only assume that they entered in a custom ruleset.

    I'll run with the default configuration from cPanel for awhile and see what happens.

    Thanks for your help

    Aaron
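
Added example (not part of the original thread and not cPanel's code): a Python script that applies the approach discussed above to an error_log. It extracts the `[name "value"]` tags from each ModSecurity entry, renders a `SecRuleRemoveById` exclusion when an `[id]` tag was logged, and otherwise points to the rule's file and line. The sample log lines are constructed; rule id 990001, the client address and the unique_id values are placeholders, and anchoring the `LocationMatch` pattern with `^` and `$` is a choice made here.

```python
import re
from collections import Counter

# Constructed sample in the error_log format quoted in the thread. Line 1 mirrors
# the thread's entry (no [id] tag); line 2 is an invented hit from a rule that
# has an id. 990001, the client IP and the unique_id values are placeholders.
SAMPLE_LOG = r'''
[Tue Jan 18 13:24:50 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "\\.php\\?.*loc=(http|https|ftp)\\:\\/" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "302"] [hostname "domain.com"] [uri "/ads/www/delivery/spc.php"] [unique_id "AAAAAAAAAAAAAAAAAAAAAAAA"]
[Tue Jan 18 13:25:02 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "example" at ARGS. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "40"] [id "990001"] [hostname "domain.com"] [uri "/index.php"] [unique_id "BBBBBBBBBBBBBBBBBBBBBBBB"]
'''

# ModSecurity 2.x appends metadata as [name "value"] tags after the message.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_hits(log_text):
    """Return one dict of tags per ModSecurity line in the log text."""
    return [dict(TAG.findall(line)) for line in log_text.splitlines()
            if "ModSecurity:" in line]

def triage(hits):
    """Count hits by (id, uri) when an id is logged, else by (file, line)."""
    with_id, no_id = Counter(), Counter()
    for h in hits:
        if "id" in h:
            with_id[(h["id"], h.get("uri", ""))] += 1
        else:
            no_id[(h.get("file", "?"), h.get("line", "?"))] += 1
    return with_id, no_id

def exclusion(rule_id, uri):
    """Render a per-URI exclusion block like the one in the thread, anchored."""
    # The uri tag is request data; refuse anything that could break the quoting.
    if not rule_id.isdigit() or not re.fullmatch(r"[\w./-]+", uri):
        raise ValueError("refusing to template untrusted log value")
    return (f'<LocationMatch "^{re.escape(uri)}$">\n'
            f'  SecRuleRemoveById {rule_id}\n</LocationMatch>')

def report(log_text):
    """Emit exclusions for hits with an id and a pointer for hits without."""
    with_id, no_id = triage(parse_hits(log_text))
    out = [exclusion(rid, uri) for rid, uri in sorted(with_id)]
    out += [f"# no id logged: inspect {path} line {num}; SecRuleRemoveById "
            f"cannot target a rule that has no id" for path, num in sorted(no_id)]
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```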
     