Whitelist an IP address in Modsecurity

felixr

Registered
Feb 2, 2015
How do I whitelist an IP address in Modsecurity ?
One of our accounts uses the sucuri firewall and all traffic from sucuri is being blocked in modsecurity.
 

quizknows

Well-Known Member
Oct 20, 2009
Sucuri should be filtering most bad traffic. I don't recommend whitelisting the IP completely, except maybe in csf.ignore if you are using CSF and LF_MODSEC. That's all I would do (add the IP to csf.ignore so it doesn't get blocked completely). Reason being, things like a cloud firewall or DDoS protection are forwarding requests that other people make; it could be forwarding malicious requests along with good ones. Obviously the point of the Sucuri firewall is to filter out the bad ones, but it might miss some.

If there's one particular rule that the sucuri IP is tripping due to it proxying requests or something, you should just whitelist the rule(s) causing issues.

That said if you really want to do this (I'm telling you, it's a bad idea) it's covered in the documentation.

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

Code:
# Allow unrestricted access from 192.168.1.100
SecRule REMOTE_ADDR "^192\.168\.1\.100$" "phase:1,id:95,nolog,allow"
 

felixr

Registered
Feb 2, 2015
Thanks quizknows.
Problem is ALL traffic from the Sucuri firewall is being blocked by ModSecurity :(
Even legit traffic, e.g. I put the URL in my browser and that is blocked.
 

quizknows

Well-Known Member
Oct 20, 2009
You need to look at the apache error log, or the modsec hits list in WHM. It's probably just one or 2 rule IDs you need to disable to allow it through.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
To note, the Mod_Security hit list is available at:

"WHM Home » Security Center » ModSecurity™ Tools"

You can review which rules have been triggered, and disable them directly through the interface if necessary.

Thank you.
 

joako

Well-Known Member
Aug 7, 2003
Is there any way to whitelist an ip-rule pair, or even better ip-rule-hostname, so that the rule still gets triggered by other IP addresses? In this case there is no load balancer and the requests come directly.
 

quizknows

Well-Known Member
Oct 20, 2009
> Is there any way to whitelist an ip-rule pair, or even better ip-rule-hostname, so that the rule still gets triggered by other IP addresses? In this case there is no load balancer and the requests come directly.

Could you be a little more specific? Do you want to whitelist a particular rule for a specific remote address? It can be done, but it's more of a modification to the rule itself than a whitelist entry.

If you want to turn off a rule for just one site on your server, that can be done by adding a "SecRuleRemoveByID ###" entry to a userdata include for that domain.
 

joako

Well-Known Member
Aug 7, 2003
Disabling the entire rule seems too extreme. Default rules can't be edited. The most ideal way to whitelist would be based on two factors (rule + hostname, or ip + hostname, ip + rule, etc.). If I just disable the entire rule it would open up the server to any IP address.
 

joako

Well-Known Member
Aug 7, 2003
Has this been fixed yet? Turned mod_security back on and it's immediately blocking cPanel internal requests from 127.0.0.1 again.
 

quizknows

Well-Known Member
Oct 20, 2009
> Has this been fixed yet? Turned mod_security back on and it's immediately blocking cPanel internal requests from 127.0.0.1 again.

I can probably help you with that if you have the error log entry. There are ways to disable rules on a per-IP basis using ctl. For example, if rule ID 99999 is tripping for localhost (127.0.0.1), something like this would probably fix it:

SecRule REMOTE_ADDR "127\.0\.0\.1" "id:28374,pass,ctl:ruleRemoveById=99999"

This would need to be specified in configs before the rule which it is disabling.
 

joako

Well-Known Member
Aug 7, 2003
What if I want to fully whitelist an IP? Now I am seeing it is blocking an IP address due to Microsoft Outlook Autodiscover requests (which is something else in cPanel that's totally broken).
 

quizknows

Well-Known Member
Oct 20, 2009
To fully whitelist a remote address it's very similar to the above rule:

SecRule REMOTE_ADDR "123\.123\.123\.123" "id:28375,allow"

Generally though I recommend whitelisting broken rules instead. I made cPanel aware in the past that their autodiscover user agent is (was?) libwww-perl which is blocked by many modsec rule sets. I'm still waiting on an update to case CPANEL-268 for a resolution of this as far as I know. I was hoping that was already fixed. If you have log entries from the cpanel autodiscover IP addresses we can figure out why they're being blocked.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
> Generally though I recommend whitelisting broken rules instead. I made cPanel aware in the past that their autodiscover user agent is (was?) libwww-perl which is blocked by many modsec rule sets. I'm still waiting on an update to case CPANEL-268 for a resolution of this as far as I know. I was hoping that was already fixed. If you have log entries from the cpanel autodiscover IP addresses we can figure out why they're being blocked.
Hello,

A resolution stemming from internal case CPANEL-268 was implemented at the end of January, 2016:

Code:
 Case CPANEL-268: Add a non-default user-agent string to autoconfig/autodiscover.cpanel.net to ensure that it's not blocked by Mod_Security.
@joako, could you let us know the output to /usr/local/apache/logs/error_log when this happens?

Thank you.
 

joako

Well-Known Member
Aug 7, 2003
I don't use cPanel's autodiscover server. My server should be redirecting the request to the Exchange server for the proper autodiscover. This is what the log shows:

960015: Request Missing an Accept Header
Request:
POST /autodiscover/autodiscover.xml
Action Description:
Warning.
Justification:
Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required.

For this type of request I think there was another error that was getting logged. I don't have it with me, but each time I see it I use the report option. Not that cPanel ever bothers to look at, much less fix, reported bugs.

In addition this is another one that has yet to be fixed in more than a year!

960008: Request Missing a Host Header
Source 127.0.0.1
Request:
GET /whm-server-status
Action Description:
Warning.
Justification:
Operator EQ matched 0 at REQUEST_HEADERS.
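The three exclusion scopes discussed in this thread (rule for one IP and one path, rule for one IP and one hostname, and a full per-IP allow) side by side in ModSecurity 2.x syntax, as an added example that is not code from the thread, cPanel or the CRS. The 960008 / 127.0.0.1 / /whm-server-status case is taken from the log entry above; 198.51.100.7, example.com and the local rule ids 28376-28378 are placeholders.

```apache
# Added example (not from the thread). 960008/960015, 127.0.0.1 and
# /whm-server-status are from the log excerpts in this thread; 198.51.100.7,
# example.com and ids 28376-28378 are made-up placeholders.
# All three rules must be loaded BEFORE the rules they exclude and run in
# phase 1: ctl:ruleRemoveById only affects rules not yet evaluated.

# 1. Narrowest: drop one rule for one source address on one request path.
#    Handles the 960008 "Request Missing a Host Header" hit for the local
#    /whm-server-status probe and leaves 960008 active for every other client.
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
    "id:28376,phase:1,pass,nolog,chain"
    SecRule REQUEST_URI "@beginsWith /whm-server-status" \
        "ctl:ruleRemoveById=960008"

# 2. ip + rule + hostname (the combination asked for earlier in the thread):
#    the exclusion applies only to requests for example.com from 198.51.100.7.
SecRule REMOTE_ADDR "@ipMatch 198.51.100.7" \
    "id:28377,phase:1,pass,nolog,chain"
    SecRule SERVER_NAME "@streq example.com" \
        "ctl:ruleRemoveById=960015"

# 3. Broadest: allow one address past every rule. Anything that address
#    forwards (e.g. a proxying firewall relaying third-party requests) is
#    then unfiltered, which is why the thread recommends 1 or 2 over this.
SecRule REMOTE_ADDR "@ipMatch 198.51.100.7" \
    "id:28378,phase:1,nolog,allow"
```

Drop the file into the per-server or per-vhost include that loads before the rule set, then confirm in the WHM ModSecurity Tools hit list that only the intended hits disappear.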
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
> For this type of request I think there was another error that was getting logged. I don't have it with me, but each time I see it I use the report option. Not that cPanel ever bothers to look at, much less fix, reported bugs.
Hello,

OWASP is a third-party vendor offering a core rule list. There are some risks with using a third-party vendor, as documented at:

OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation

As with any mechanism that blocks web traffic, there is the risk that the rules could block legitimate traffic (false positives). While both OWASP and cPanel, Inc. aim to curate the OWASP rule set to reduce the potential for false positives, there is a risk that the rule set may block legitimate traffic. Review the ModSecurity Tools ( Home >> Security Center >> ModSecurity™ Tools ) interface routinely to evaluate the traffic that the rule set blocks and whether these blocks affect legitimate users.
In addition to reporting a false positive to OWASP through WHM, you can also find the mailing list for the OWASP ModSecurity core rule list at:

Owasp-modsecurity-core-rule-set Info Page

Thank you.