Whitelist an IP address in Modsecurity

Discussion in 'Security' started by felixr, Feb 25, 2015.

  1. felixr

    felixr Registered

    How do I whitelist an IP address in Modsecurity ?
    One of our accounts uses the sucuri firewall and all traffic from sucuri is being blocked in modsecurity.
     
  2. quizknows

    quizknows Well-Known Member

    Sucuri should be filtering most bad traffic. I don't recommend whitelisting the IP completely, except maybe in csf.ignore if you are using CSF and LF_MODSEC. That's all I would do (add the IP to csf.ignore so it doesn't get blocked completely). Reason being, things like a cloud firewall or DDoS protection are forwarding requests that other people make; it could be forwarding malicious requests along with good ones. Obviously the point of the Sucuri firewall is to filter out the bad ones, but it might miss some.

    If there's one particular rule that the sucuri IP is tripping due to it proxying requests or something, you should just whitelist the rule(s) causing issues.

    That said if you really want to do this (I'm telling you, it's a bad idea) it's covered in the documentation.

    https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

    Code:
    # Allow unrestricted access from 192.168.1.100
    # (actions quoted as one string; the anchored regex keeps 192.168.1.100 from also matching 192.168.1.1000)
    SecRule REMOTE_ADDR "^192\.168\.1\.100$" "phase:1,id:95,nolog,allow"
    
     
    #2 quizknows, Feb 25, 2015
    Last edited: Feb 25, 2015
  3. felixr

    felixr Registered

    thanks quizknows.
    Problem is ALL traffic from sucuri firewall is being blocked by modsecurity :(
    Even legit traffic, e.g. I put the URL in my browser and that is blocked.
     
  4. quizknows

    quizknows Well-Known Member

    You need to look at the Apache error log, or the ModSecurity hits list in WHM. It's probably just one or two rule IDs you need to disable to allow it through.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    To note, the Mod_Security hit list is available at:

    "WHM Home » Security Center » ModSecurity™ Tools"

    You can review which rules have been triggered, and disable them directly through the interface if necessary.

    Thank you.
     
  6. joako

    joako Well-Known Member

    Is there any way to whitelist an IP/rule pair, or even better IP/rule/hostname, so that the rule still gets triggered by other IP addresses? In this case there is no load balancer and the requests come directly.
     
  7. quizknows

    quizknows Well-Known Member

    Could you be a little more specific? Do you want to whitelist a particular rule for a specific remote address? It can be done, but it's more of a modification to the rule itself than a whitelist entry.

    If you want to turn off a rule for just one site on your server, that can be done by adding a "SecRuleRemoveByID ###" entry to a userdata include for that domain.
     
    #7 quizknows, Feb 26, 2015
    Last edited: Feb 26, 2015
  8. joako

    joako Well-Known Member

    Disabling the entire rule seems too extreme. Default rules can't be edited. The most ideal way to whitelist would be based on two factors (rule + hostname, or ip + hostname, ip + rule, etc) If I just disable the entire rule it would open up the server to any IP address.
     
  9. joako

    joako Well-Known Member

    Has this been fixed yet? Turned ModSecurity back on and it's immediately blocking cPanel internal requests from 127.0.0.1 again.
     
  10. quizknows

    quizknows Well-Known Member

    I can probably help you with that if you have the error log entry. There are ways to disable rules on a per IP basis using ctl. For example if rule ID 99999 is tripping for localhost (127.0.0.1) something like this would probably fix it:

    # anchored so it matches only 127.0.0.1 (not 127.0.0.10); phase:1 so it runs before the request-header rules it disables
    SecRule REMOTE_ADDR "^127\.0\.0\.1$" "id:28374,phase:1,pass,nolog,ctl:ruleRemoveById=99999"

    This would need to be specified in configs before the rule which it is disabling.
     
  11. joako

    joako Well-Known Member

    What if I want to fully whitelist an IP? Now I am seeing it is blocking an IP address due to Microsoft Outlook Autodiscover requests (which is something else in cPanel that's totally broken).
     
  12. quizknows

    quizknows Well-Known Member

    To fully whitelist a remote address it's very similar to the above rule:

    # anchored address; "allow" with no argument skips every remaining phase for this transaction
    SecRule REMOTE_ADDR "^123\.123\.123\.123$" "id:28375,phase:1,nolog,allow"

    Generally though I recommend whitelisting broken rules instead. I made cPanel aware in the past that their autodiscover user agent is (was?) libwww-perl which is blocked by many modsec rule sets. I'm still waiting on an update to case CPANEL-268 for a resolution of this as far as I know. I was hoping that was already fixed. If you have log entries from the cpanel autodiscover IP addresses we can figure out why they're being blocked.
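The workflow the thread describes (read the rule IDs and source address out of Apache's error_log, as in post #4, then write the narrowest exception that fits: per-IP rule removal from post #10, a per-IP-per-hostname variant for the question in posts #6 and #8, and the blunt full allow from post #12) as one runnable Python example. This is added here and is not code from the thread, from cPanel or from the ModSecurity project. The error_log lines are constructed in the ModSecurity 2.x format; the rule IDs 960008 and 960015 and the 127.0.0.1 source are the ones the thread mentions, 192.0.2.10 is a placeholder standing in for a firewall/proxy address, and the rule IDs 28374 and up are arbitrary unused IDs for the generated exceptions.

```python
"""Turn ModSecurity error_log hits into narrowly scoped exception rules.

Added example for this thread (not cPanel's or ModSecurity's own code).
It parses the "[client ...] ModSecurity: ... [id "NNN"]" lines that
ModSecurity 2.x writes to Apache's error_log, counts which rule IDs each
source address trips, and emits exceptions of increasing scope.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /usr/local/apache/logs/error_log. The line without a
# "ModSecurity:" marker is ordinary Apache noise the parser must skip; the
# second line uses the Apache 2.4 "[client ip:port]" form.
SAMPLE_ERROR_LOG = """\
[Thu Feb 26 09:12:01.100001 2015] [:error] [pid 2101] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [hostname "example.com"] [uri "/whm-server-status"] [unique_id "VO7nQX8AAQEAAAg1AAAAAA"]
[Thu Feb 26 09:13:01.200002 2015] [:error] [pid 2102] [client 127.0.0.1:44310] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [hostname "example.com"] [uri "/whm-server-status"] [unique_id "VO7nfX8AAQEAAAg2AAAAAA"]
[Thu Feb 26 09:14:05.300003 2015] [core:error] [pid 2103] [client 198.51.100.7] AH00126: Invalid URI in request GET /../ HTTP/1.1
[Thu Feb 26 09:15:10.400004 2015] [:error] [pid 2104] [client 192.0.2.10] ModSecurity: Warning. Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "63"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "mail.example.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "VO7n5X8AAQEAAAg3AAAAAA"]
[Thu Feb 26 09:15:11.500005 2015] [:error] [pid 2104] [client 192.0.2.10] ModSecurity: Warning. Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "63"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "mail.example.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "VO7n6X8AAQEAAAg4AAAAAA"]
"""

CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')
FIELD_RE = re.compile(r'\[(id|msg|hostname|uri) "([^"]*)"\]')


def parse_modsec_hits(log_text):
    """Return one dict per ModSecurity hit with client, id, msg, hostname, uri."""
    hits = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue                      # not a ModSecurity entry
        m = CLIENT_RE.search(line)
        if not m:
            continue
        client = m.group(1)
        if client.count(":") == 1:        # strip the :port Apache 2.4 appends to IPv4
            client = client.rsplit(":", 1)[0]
        fields = dict(FIELD_RE.findall(line))
        if "id" not in fields:
            continue
        hits.append({"client": client, **fields})
    return hits


def summarize(hits):
    """Count (client, rule id) pairs: the unit at which an exception is scoped."""
    return Counter((h["client"], h["id"]) for h in hits)


def ip_regex(ip):
    """Anchored, escaped pattern so 127.0.0.1 does not also match 127.0.0.10."""
    return "^" + re.escape(ip) + "$"


def ctl_exception(client_ip, rule_ids, rule_id):
    """Post #10's form: drop the named rules for one source address only.
    Must be loaded before the rules it names; phase:1 runs before the
    request-header rules of the CRS."""
    ctls = ",".join("ctl:ruleRemoveById=%s" % rid for rid in sorted(rule_ids))
    return 'SecRule REMOTE_ADDR "%s" "id:%d,phase:1,pass,nolog,%s"' % (
        ip_regex(client_ip), rule_id, ctls)


def scoped_exception(client_ip, hostname, rule_ids, rule_id):
    """IP AND hostname AND rule (the combination asked for in post #8): a
    chained rule whose ctl action only fires when both halves match."""
    ctls = ",".join("ctl:ruleRemoveById=%s" % rid for rid in sorted(rule_ids))
    first = 'SecRule REMOTE_ADDR "%s" "id:%d,phase:1,pass,nolog,chain"' % (
        ip_regex(client_ip), rule_id)
    second = '    SecRule SERVER_NAME "@streq %s" "%s"' % (hostname, ctls)
    return first + "\n" + second


def full_allow(client_ip, rule_id):
    """Post #12's blunt form: every request from this address skips every
    remaining rule, including anything a proxy forwards for an attacker."""
    return 'SecRule REMOTE_ADDR "%s" "id:%d,phase:1,nolog,allow"' % (
        ip_regex(client_ip), rule_id)


def generate_exceptions(log_text, first_id=28374):
    """One per-IP ctl rule per source address, preceded by what it tripped."""
    hits = parse_modsec_hits(log_text)
    counts = summarize(hits)
    by_client = defaultdict(dict)         # client -> {rule id -> msg}
    for h in hits:
        by_client[h["client"]][h["id"]] = h.get("msg", "")
    lines, next_id = [], first_id
    for client in sorted(by_client):
        rules = by_client[client]
        for rid in sorted(rules):
            lines.append("# %s tripped %s (%s) %d time(s)" % (
                client, rid, rules[rid], counts[(client, rid)]))
        lines.append(ctl_exception(client, rules.keys(), next_id))
        next_id += 1
    return "\n".join(lines)


if __name__ == "__main__":
    print(generate_exceptions(SAMPLE_ERROR_LOG))
    print(scoped_exception("192.0.2.10", "mail.example.com", ["960015"], 28380))
    print(full_allow("192.0.2.10", 28381))
```

Run it against a real error_log by replacing SAMPLE_ERROR_LOG with the file's contents; the generated rules go in a file that Apache loads before the rule set they reference, as post #10 notes. Two checks before trusting the output: confirm that the address in the `[client ...]` field is really the one you intend to key on (if mod_remoteip or a similar module rewrites the client address behind a proxy, REMOTE_ADDR may not be the proxy's own address), and compare the per-IP rule counts with the hit list in WHM so that a rule which fires for many unrelated addresses is not quietly removed for one that merely happened to be in the sample.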
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    A resolution stemming from internal case CPANEL-268 was implemented at the end of January, 2016:

    Code:
     Case CPANEL-268: Add a non-default user-agent string to autoconfig/autodiscover.cpanel.net to ensure that it's not blocked by Mod_Security.
    @joako, could you let us know the output to /usr/local/apache/logs/error_log when this happens?

    Thank you.
     
  14. quizknows

    quizknows Well-Known Member

    Thanks for the update on that cPanelMichael. I can confirm my central modsec logging isn't seeing that issue anymore :)
     
  15. joako

    joako Well-Known Member

    I don't use cpanel's autodiscover server. My server should be redirecting the request to the exchange server for the proper autodiscover. This is what the log shows:

    960015: Request Missing an Accept Header
    Request:
    POST /autodiscover/autodiscover.xml
    Action Description:
    Warning.
    Justification:
    Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required.

    For this type of request I think there was another error that was getting logged. I don't have it with me, but each time I see it I use the report option. Not that cPanel ever bothers to look at, much less fix, reported bugs.

    In addition this is another one that has yet to be fixed in more than a year!

    960008: Request Missing a Host Header
    Source 127.0.0.1
    Request:
    GET /whm-server-status
    Action Description:
    Warning.
    Justification:
    Operator EQ matched 0 at REQUEST_HEADERS.
     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    OWASP is a third-party vendor offering a core rule list. There are some risks with using a third-party vendor, as documented at:

    OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation

    In addition to reporting a false positive to OWASP through WHM, you can also find the mailing list for the OWASP ModSecurity core rule list at:

    Owasp-modsecurity-core-rule-set Info Page

    Thank you.
     