Whitelist an IP address in Modsecurity

[felixr]

How do I whitelist an IP address in Modsecurity ?
One of our accounts uses the sucuri firewall and all traffic from sucuri is being blocked in modsecurity.

 

[quizknows]

Sucuri should be filtering most bad traffic. I don't recommend whitelisting the IP completely, except maybe in csf.ignore if you are using CSF and LF_MODSEC. That's all I would do (add the ip to csf.ignore so it doesn't get blocked completely). Reson being, things like cloud firewall or ddos protection are forwarding requests that other people make; it could be forwarding malicious requests along with good ones. Obviously the point of the sucuri firewall is to filter out the bad ones, but it might miss some.

If there's one particular rule that the sucuri IP is tripping due to it proxying requests or something, you should just whitelist the rule(s) causing issues.

That said if you really want to do this (I'm telling you, it's a bad idea) it's covered in the documentation.

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

# Allow unrestricted access from 192.168.1.100 
SecRule REMOTE_ADDR "^192\.168\.1\.100$" phase:1,id:95,nolog,allow

 

[felixr]

thanks quizknows.
Problem is ALL traffic from sucuri firewall is being blocked by modsecurity
Even legit traffic, eg i put the url in my browser and that is blocked.

 

[quizknows]

You need to look at the apache error log, or the modsec hits list in WHM. It's probably just one or 2 rule IDs you need to disable to allow it through.

 

[cPanelMichael]

To note, the Mod_Security hit list is available at:

"WHM Home » Security Center » ModSecurity™ Tools"

You can review which rules have been triggered, and disable them directly through the interface if necessary.

Thank you.

 

[joako]

Is there any way to whitelist ip-rule pair or even better ip-rule-hostname so that the rule still gets triggered by other IP address? In this case there is no load balancer and the requests come directly.

 

[quizknows]

Is there any way to whitelist ip-rule pair or even better ip-rule-hostname so that the rule still gets triggered by other IP address? In this case there is no load balancer and the requests come directly.

Could you be a little more specific? Do you want to whitelist a particular rule for a specific remote address? It can be done, but it's more of a modification to the rule itself than a whitelist entry.

if you want to turn off a rule for just one site on your server, that can be done by adding a "SecRuleRemoveByID ###" entry to a userdata includes for that domain.

 

[joako]

Disabling the entire rule seems too extreme. Default rules can't be edited. The most ideal way to whitelist would be based on two factors (rule + hostname, or ip + hostname, ip + rule, etc) If I just disable the entire rule it would open up the server to any IP address.

 

[joako]

Has this been fixed yet? turned mod security back on and it's immediately blocking cpanel internal requests from 127.0.0.1 again.

 

[quizknows]

Has this been fixed yet? turned mod security back on and it's immediately blocking cpanel internal requests from 127.0.0.1 again.

I can probably help you with that if you have the error log entry. There are ways to disable rules on a per IP basis using ctl. For example if rule ID 99999 is tripping for localhost (127.0.0.1) something like this would probably fix it:

SecRule REMOTE_ADDR "127\.0\.0\.1" "id:28374,pass,ctl:ruleRemoveById=99999"

This would need to be specified in configs before the rule which it is disabling.

 

[joako]

What if I want to fully whitelist an IP? Now I am seeing it is blocking an IP address due to Microsoft Outlook Autodiscover requests (which is something else in Cpanel that's totally broken)

 

[quizknows]

To fully whitelist a remote address it's very similar to the above rule:

SecRule REMOTE_ADDR "123\.123\.123\.123" "id:28375,allow"

Generally though I recommend whitelisting broken rules instead. I made cPanel aware in the past that their autodiscover user agent is (was?) libwww-perl which is blocked by many modsec rule sets. I'm still waiting on an update to case CPANEL-268 for a resolution of this as far as I know. I was hoping that was already fixed. If you have log entries from the cpanel autodiscover IP addresses we can figure out why they're being blocked.

 

[cPanelMichael]

Generally though I recommend whitelisting broken rules instead. I made cPanel aware in the past that their autodiscover user agent is (was?) libwww-perl which is blocked by many modsec rule sets. I'm still waiting on an update to case CPANEL-268 for a resolution of this as far as I know. I was hoping that was already fixed. If you have log entries from the cpanel autodiscover IP addresses we can figure out why they're being blocked.

Hello,

A resolution stemming from internal case CPANEL-268 was implemented at the end of January, 2016:

 Case CPANEL-268: Add a non-default user-agent string to autoconfig/autodiscover.cpanel.net to ensure that it's not blocked by Mod_Security.

@joako, could you let us know the output to /usr/local/apache/logs/error_log when this happens?

Thank you.

 

[quizknows]

Thanks for the update on that cPanelMichael. I can confirm my central modsec logging isn't seeing that issue anymore

 

[joako]

I don't use cpanel's autodiscover server. My server should be redirecting the request to the exchange server for the proper autodiscover. This is what the log shows:

960015: Request Missing an Accept Header
Request:
POST /autodiscover/autodiscover.xml
Action Description:
Warning.
Justification:
Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required.

For this type of request I think there was another error that was getting logged. I don't have it with me, but each time I see it I use the report option. Not that cPanel ever bothers to look at, much less fix, reported bugs.

In addition this is another one that has yet to be fixed in more than a year!

960008: Request Missing a Host Header
Source 127.0.0.1
Request:
GET /whm-server-status
Action Description:
Warning.
Justification:
Operator EQ matched 0 at REQUEST_HEADERS.

 

[cPanelMichael]

For this type of request I think there was another error that was getting logged. I don't have it with me, but each time I see it I use the report option. Not that cPanel ever bothers to look at, much less fix, reported bugs.

Hello,

OWASP is a third-party vendor offering a core rule list. There are some risks with using a third-party vendor, as documented at:

OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation

As with any mechanism that blocks web traffic, there is the risk that the rules could block legitimate traffic (false positives). While both OWASP and cPanel, Inc. aim to curate the OWASP rule set to reduce the potential for false positives, there is a risk that the rule set may block legitimate traffic. Review the ModSecurity Tools ( Home >> Security Center >> ModSecurity™ Tools ) interface routinely to evaluate the traffic that the rule set blocks and whether these blocks affect legitimate users.

In addition to reporting a false positive to OWASP through WHM, you can also find the mailing list for the OWASP ModSecurity core rule list at:

Owasp-modsecurity-core-rule-set Info Page

Thank you.

 

[Entelekta]

How can i add a Hostname in the whitelist? Like *.andydomain.com?

 

[cPRex]

ModSecurity doesn't act on incoming domain names as it sees IP addresses and rules. If you wanted to disable ModSecurity for one domain on your machine you can do that through cPanel >> ModSecurity if you have that feature enabled for your users.