The Community Forums


Whitelist for Mod Security available?

Discussion in 'Security' started by NTar, May 29, 2015.

  1. NTar

    NTar Member

    Joined:
    Apr 16, 2015
    Messages:
    21
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Hi guys,

    On Sunday I installed Mod Security on our VPS (this is the first time we are using Mod Security). Unfortunately, it has banned all visitors except me. This is generally not a problem, but to be honest, this time I have no idea how to unban those users.

    Does anyone have an idea? If I view Mod Security's 'Hits list', I can see 300 pages of IP addresses being banned, including some of my clients. :O

    I hope someone can help. Thanks a lot!

    - NTar
     
  2. NTar

    NTar Member

    Joined:
    Apr 16, 2015
    Messages:
    21
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Hi guys,

    Yesterday, all our WordPress visitors were banned by Mod Security for loading content on the server. Does anyone have a whitelist available that prevents users from being banned for no reason? Below you can find our current whitelist.

    Code:
    # Everything in this block is disabled for every URL on the server, including
    # the SQL injection rules. Prefer scoping an exclusion to the path that triggers it.
    <LocationMatch "/">
      # 910006: Google robot activity - useful in some ways, but noisy for sites you want crawled
      SecRuleRemoveById 910006
      # 960015: Request Missing an Accept Header - allow for Google Reader
      SecRuleRemoveById 960015
      # 950901: another false positive
      SecRuleRemoveById 950901
      # 981172: SQL injection false positive
      SecRuleRemoveById 981172
      # 981319: breaks WooCommerce
      SecRuleRemoveById 981319
      # 960009: Request_Headers false positive
      SecRuleRemoveById 960009
      # 981173: false positive that blocks admin scripts
      SecRuleRemoveById 981173
      # 981231: false positive
      SecRuleRemoveById 981231
      # 958291: false positive - WordPress
      SecRuleRemoveById 958291
      # 950109: breaks Steam Auth
      SecRuleRemoveById 950109
      # 970901: breaks forums when in deactivated mode
      SecRuleRemoveById 970901
    </LocationMatch>
    
    <LocationMatch "/admin.php">
      # 973338: breaks disturbia admin functions
      SecRuleRemoveById 973338
      # 981243: breaks user edit if the user has special characters in their name
      SecRuleRemoveById 981243
    </LocationMatch>
    
    # /wp-admin/ and /adminpanel/ had identical exclusion lists; they are merged here.
    # DirectoryMatch matches the filesystem path, LocationMatch matches the request URL.
    <DirectoryMatch '/(wp-admin|adminpanel)/'>
        SecRuleRemoveById 950001
        SecRuleRemoveById 950109
        SecRuleRemoveById 950901
        SecRuleRemoveById 958056
        SecRuleRemoveById 958030
        SecRuleRemoveById 958057
        SecRuleRemoveById 958977
        SecRuleRemoveById 959073
        SecRuleRemoveById 959072
        SecRuleRemoveById 960024
        SecRuleRemoveById 960915
        SecRuleRemoveById 970015
        SecRuleRemoveById 970901
        SecRuleRemoveById 973335
        SecRuleRemoveById 973333
        SecRuleRemoveById 973340
        SecRuleRemoveById 973342
        SecRuleRemoveById 973343
        SecRuleRemoveById 973304
        SecRuleRemoveById 973334
        SecRuleRemoveById 973332
        SecRuleRemoveById 973327
        SecRuleRemoveById 973324
        SecRuleRemoveById 973300
        SecRuleRemoveById 973302
        SecRuleRemoveById 970003
        SecRuleRemoveById 973317
        SecRuleRemoveById 973306
        SecRuleRemoveById 913342
        SecRuleRemoveById 973350
        SecRuleRemoveById 950907
        SecRuleRemoveById 981205
        SecRuleRemoveById 981251
        SecRuleRemoveById 981244
        SecRuleRemoveById 981255
        SecRuleRemoveById 981249
        SecRuleRemoveById 981242
        SecRuleRemoveById 981231
        SecRuleRemoveById 981256
        SecRuleRemoveById 981243
        SecRuleRemoveById 981245
        SecRuleRemoveById 981246
        SecRuleRemoveById 981257
        SecRuleRemoveById 981173
        SecRuleRemoveById 981318
        SecRuleRemoveById 981317
        SecRuleRemoveById 981248
        SecRuleRemoveById 981240
        SecRuleRemoveById 981204
    </DirectoryMatch>
    
    <DirectoryMatch '/inloggen'>
        SecRuleRemoveById 950109
        SecRuleRemoveById 950901
        SecRuleRemoveById 950911
        SecRuleRemoveById 958977
        SecRuleRemoveById 958979
        SecRuleRemoveById 960010
        SecRuleRemoveById 960915
        SecRuleRemoveById 973337
        SecRuleRemoveById 973338
        SecRuleRemoveById 973340
        SecRuleRemoveById 973342
        SecRuleRemoveById 973343
        SecRuleRemoveById 981176
        SecRuleRemoveById 981214
        SecRuleRemoveById 981240
        SecRuleRemoveById 981243
        SecRuleRemoveById 981245
        SecRuleRemoveById 981246
        SecRuleRemoveById 981248
        SecRuleRemoveById 981257
    </DirectoryMatch>
    <DirectoryMatch '/admin([0-9]+)/'>
        # SecRuleEngine Off switches the WAF off entirely for this path, so the
        # SecRuleRemoveById lines in this block have no additional effect.
        SecRuleRemoveById 950901
        SecRuleRemoveById 960915
        SecRuleRemoveById 973337
        SecRuleRemoveById 973343
        SecRuleRemoveById 981240
        SecRuleRemoveById 981246
        SecRuleEngine Off
    </DirectoryMatch>
    <DirectoryMatch '/mobile/'>
        # 200002 is the ModSecurity core "failed to parse request body" rule, not a CRS rule
        SecRuleRemoveById 200002
        SecRuleRemoveById 960010
        SecRuleRemoveById 960912
    </DirectoryMatch>
    <DirectoryMatch '/backoffice/'>
        SecRuleRemoveById 950901
        SecRuleRemoveById 958977
        SecRuleRemoveById 958979
        SecRuleRemoveById 960915
        SecRuleRemoveById 973340
        SecRuleRemoveById 973343
        SecRuleRemoveById 973350
        SecRuleRemoveById 981257
        SecRuleRemoveById 981261
        SecRuleRemoveById 981243
        SecRuleRemoveById 981245
        SecRuleRemoveById 981248
    </DirectoryMatch>
    <DirectoryMatch '/plugins/system/virtuemart_multiupload/'>
        SecRuleRemoveById 960010
    </DirectoryMatch>
    
    <LocationMatch "/wp-admin/post.php|/wp-admin/admin-ajax.php">
      # SQL injection rules that fire on WordPress post content
      SecRuleRemoveById 981248
      SecRuleRemoveById 981240
      SecRuleRemoveById 950907
      SecRuleRemoveById 981318
      SecRuleRemoveById 981251
      SecRuleRemoveById 981244
      SecRuleRemoveById 981255
      SecRuleRemoveById 981249
      SecRuleRemoveById 981242
      SecRuleRemoveById 973334
      SecRuleRemoveById 981231
      SecRuleRemoveById 973332
      SecRuleRemoveById 973327
      SecRuleRemoveById 973324
      SecRuleRemoveById 973317
      SecRuleRemoveById 973306
      SecRuleRemoveById 973302
      SecRuleRemoveById 958056
      SecRuleRemoveById 958030
      SecRuleRemoveById 958057
      SecRuleRemoveById 981256
      SecRuleRemoveById 959073
      SecRuleRemoveById 959072
      SecRuleRemoveById 950001
      # XSS rules that block the post page
      SecRuleRemoveById 973335
      SecRuleRemoveById 973333
      SecRuleRemoveById 973304
      SecRuleRemoveById 973300
      # SQL injection rules that return a 403 on the post page
      SecRuleRemoveById 981243
      SecRuleRemoveById 981246
      SecRuleRemoveById 981245
      SecRuleRemoveById 981257
      SecRuleRemoveById 981173
      SecRuleRemoveById 960024
      SecRuleRemoveById 981317
      # 950006: System Command Injection - probably does not need to be disabled by
      # everyone; it stops .exe and various other extensions being passed in arguments
      SecRuleRemoveById 950006
    </LocationMatch>
    
    <LocationMatch "/xmlrpc.php">
      SecRuleRemoveById 981173
    </LocationMatch>
    
    # Was "/development/*": in a regex that means "development" followed by zero or
    # more slashes, not "everything under /development/"; "/development/" is what was intended.
    <LocationMatch "/development/">
      SecRuleRemoveById 981173
    </LocationMatch>
    
    <LocationMatch "/wp-admin/network/update-core.php|/wp-admin/network/update.php">
      # 981173: Update Core SQL injection
      SecRuleRemoveById 981173
    </LocationMatch>
    
    <LocationMatch "(/wp-admin/|/wp-login.php)">
      # 950005: Remote File Access Attempt - probably no need for everyone to disable this;
      # it lets me put /etc/ and other Linux paths in posts
      SecRuleRemoveById 950005
      # 973301: XSS
      SecRuleRemoveById 973301
      # 950109: multiple URL encoding
      SecRuleRemoveById 950109
      # 950117: Remote File Inclusion Attack - disabled to allow http:// to be passed in args
      SecRuleRemoveById 950117
    </LocationMatch>
    
    <LocationMatch "(/wp-admin/themes.php|/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-content/plugins/)">
      # 950907: System Command Injection
      SecRuleRemoveById 950907
      # 950005: Remote File Access Attempt (see above)
      SecRuleRemoveById 950005
      # 950006: System Command Injection (see above)
      SecRuleRemoveById 950006
      # 959006: SQL Injection Attack
      SecRuleRemoveById 959006
      # 960008: Request Missing a Host Header
      SecRuleRemoveById 960008
      # 960011: GET or HEAD request with a body
      SecRuleRemoveById 960011
      # 960904: Request Containing Content, but Missing Content-Type header
      SecRuleRemoveById 960904
      # 981173: SQL injection
      SecRuleRemoveById 981173
      # phpids-*: IDs from the legacy PHPIDS converter rules; they only matter if that
      # optional ruleset is loaded
      # phpids-17: Detects JavaScript object properties and methods
      SecRuleRemoveById phpids-17
      # phpids-20: Detects JavaScript language constructs
      SecRuleRemoveById phpids-20
      # phpids-21: Detects very basic XSS probings
      SecRuleRemoveById phpids-21
      # phpids-30: Detects common XSS concatenation patterns 1/2
      SecRuleRemoveById phpids-30
      # phpids-61: Detects URL injections and RFE attempts
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      # 950006: System Command Injection (see above)
      SecRuleRemoveById 950006
      # 959006: SQL Injection Attack
      SecRuleRemoveById 959006
      # 960010: Request content type is not allowed by policy - allows, among other
      # things, spell check to work in the admin area
      SecRuleRemoveById 960010
      # 960012: Require Content-Length with every POST request - same as above
      SecRuleRemoveById 960012
      # phpids-*: legacy PHPIDS converter rule IDs, as above
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    Yet this does not cover all mistaken bans.

    For example, this is a 'reason' for being banned that I see all the time.

    Code:
    Request:    GET /
    Action Description:    Access denied with redirection to http://www.*domain.com*/ using status 302 (phase 2).
    Justification:    Matched phrase "winhttp.winhttprequest.5" at REQUEST_HEADERS:User-Agent.
    Does anyone know what is happening here? Thanks!
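The hit above is the kind of record that has to be turned into a decision: is the rule firing on one suspicious client, or on everybody? The script below is an added example for this thread (not code from the original post, cPanel or Comodo). It reads the message format ModSecurity 2.x writes to the Apache error_log, groups hits by rule ID and URI, and proposes the narrowest exclusion that would stop the noise: where every match was on a request argument it emits a phase-1 rule using ctl:ruleRemoveTargetById so only that parameter is exempted on that URI, and otherwise it falls back to the LocationMatch/SecRuleRemoveById style used in the list above. The log lines are constructed for illustration (they reuse rule IDs from the list above); the local rule IDs it assigns to the ctl rules, starting at 10000, are an assumption.

```python
"""Triage ModSecurity hits from an Apache error_log and propose narrow exclusions.

Added example for this thread; it is not code from the original post, cPanel or
Comodo. It assumes the message format ModSecurity 2.x writes to the Apache
error_log ('ModSecurity: ... [id "..."] [uri "..."]') and CRS 2.x rule IDs taken
from the list above. The log lines are constructed for illustration, and the
local rule IDs emitted for the ctl rules (10000 upwards) are an assumption.
"""
import re
from collections import defaultdict

# Constructed sample log. The same rule firing for several distinct clients on
# the same URI is the usual signature of a false positive; a single client is not.
SAMPLE_LOG = """\
[Fri May 29 10:00:01 2015] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [file "/etc/modsec/crs.conf"] [line "66"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [hostname "shop.example"] [uri "/wp-admin/post.php"] [unique_id "a1"]
[Fri May 29 10:00:07 2015] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [file "/etc/modsec/crs.conf"] [line "66"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [hostname "shop.example"] [uri "/wp-admin/post.php"] [unique_id "a2"]
[Fri May 29 10:00:09 2015] [error] [client 198.51.100.2] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [file "/etc/modsec/crs.conf"] [line "66"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [hostname "shop.example"] [uri "/wp-admin/post.php"] [unique_id "a3"]
[Fri May 29 10:01:00 2015] [error] [client 198.51.100.2] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [file "/etc/modsec/crs.conf"] [line "66"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [hostname "shop.example"] [uri "/wp-admin/post.php"] [unique_id "a4"]
[Fri May 29 10:02:00 2015] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/modsec/crs.conf"] [line "12"] [id "958291"] [msg "Range: field exists and begins with 0."] [hostname "shop.example"] [uri "/"] [unique_id "b1"]
[Fri May 29 10:02:03 2015] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/modsec/crs.conf"] [line "12"] [id "958291"] [msg "Range: field exists and begins with 0."] [hostname "shop.example"] [uri "/"] [unique_id "b2"]
[Fri May 29 10:02:05 2015] [error] [client 192.0.2.77] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/modsec/crs.conf"] [line "12"] [id "958291"] [msg "Range: field exists and begins with 0."] [hostname "shop.example"] [uri "/"] [unique_id "b3"]
[Fri May 29 10:03:00 2015] [error] [client 192.0.2.200] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union.*select)" at ARGS:id. [file "/etc/modsec/crs.conf"] [line "80"] [id "950901"] [msg "SQL Injection Attack"] [hostname "shop.example"] [uri "/inloggen"] [unique_id "c1"]
"""

# Client IP, then the action, then the variable the rule matched ("at ARGS:content.").
HIT_RE = re.compile(
    r'\[client (?P<client>[^\]\s]+)\]'
    r'.*?ModSecurity: (?:Access denied.*?\(phase \d\)\.|Warning\.)'
    r' .*? at (?P<var>[A-Z_]+(?::[^\s.]+)?)\.'
)
# The bracketed key/value tags that follow the message.
TAG_RE = re.compile(r'\[(?P<key>id|uri|msg) "(?P<val>(?:[^"\\]|\\.)*)"\]')


def parse_hit(line):
    """Return {client, var, id, uri, msg} for one ModSecurity log line, else None."""
    m = HIT_RE.search(line)
    if not m:
        return None
    tags = {t.group('key'): t.group('val') for t in TAG_RE.finditer(line)}
    if 'id' not in tags or 'uri' not in tags:
        return None
    return {'client': m.group('client'), 'var': m.group('var'),
            'id': tags['id'], 'uri': tags['uri'], 'msg': tags.get('msg', '')}


def summarize(log_text):
    """Group hits by (rule id, uri), keeping distinct clients and matched variables."""
    groups = defaultdict(lambda: {'clients': set(), 'vars': set(), 'msg': ''})
    for line in log_text.splitlines():
        hit = parse_hit(line)
        if hit:
            g = groups[(hit['id'], hit['uri'])]
            g['clients'].add(hit['client'])
            g['vars'].add(hit['var'])
            g['msg'] = hit['msg']
    return groups


def suggest_exclusions(groups, min_clients=3, local_id=10000):
    """Propose the narrowest exclusion for each (rule, uri) hit by >= min_clients clients.

    When every match was on a request argument, emit a phase-1 rule whose
    ctl:ruleRemoveTargetById drops only that parameter from the rule on that URI.
    Otherwise fall back to SecRuleRemoveById inside a LocationMatch anchored to
    exactly that URI, the style used in the thread.
    """
    out = []
    for (rule_id, uri), g in sorted(groups.items()):
        if len(g['clients']) < min_clients:
            continue  # one or two clients may well be a real attack: leave the rule alone
        out.append('# %s on %s: %d distinct clients, %s'
                   % (rule_id, uri, len(g['clients']), g['msg']))
        args = sorted(v for v in g['vars'] if v.startswith('ARGS:'))
        if args and len(args) == len(g['vars']):
            ctls = ','.join('ctl:ruleRemoveTargetById=%s;%s' % (rule_id, a) for a in args)
            out.append('SecRule REQUEST_URI "@beginsWith %s" "id:%d,phase:1,pass,nolog,t:none,%s"'
                       % (uri, local_id, ctls))
            local_id += 1
        else:
            out.append('<LocationMatch "^%s$">' % re.escape(uri))
            out.append('  SecRuleRemoveById %s' % rule_id)
            out.append('</LocationMatch>')
    return out


if __name__ == '__main__':
    print('\n'.join(suggest_exclusions(summarize(SAMPLE_LOG))))
```

Run against the sample, it proposes a targeted ARGS:content exemption for 981173 on /wp-admin/post.php and a site-root-only removal of 958291, and deliberately leaves 950901 on /inloggen alone because only one client triggered it. Point it at a real error_log with `summarize(open(path).read())`; the threshold is the lever to tune, not the regexes.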
     
  3. NTar

    NTar Member

    Joined:
    Apr 16, 2015
    Messages:
    21
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    I've installed Comodo's third-party vendor ruleset. It seems to have stopped banning innocent visitors, but I cannot confirm anything at this time. I will keep this topic updated!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    I am happy to see that vendor's ruleset is helpful. Let us know if any additional issues continue.

    Thank you.
     
    thuminh likes this.
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    The OWASP rule set still requires a ton of exclusions, as evidenced by NTar's post. The Comodo vendor set is much better for avoiding false positives if you do not have the experience to customize the OWASP rule set as required.

    I like to relate the OWASP rule set to an F1 car... tons of features, but the average person couldn't get it out of the driveway. The Comodo rule set is much more akin to an automatic transmission car.
     
    thuminh and Infopro like this.
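The "ton of exclusions" point is worth making measurable: an exclusion list like the one in NTar's post quietly removes protection in ways that are easy to miss by eye. The linter below is an added example for this thread (not code from the original post, cPanel, Comodo or OWASP). It parses the Apache LocationMatch/DirectoryMatch blocks with SecRuleRemoveById and SecRuleEngine lines that such lists are built from and reports the four problems visible in that list: rules removed under a "/" pattern (which is in every URL, so the removal is site-wide), the same rule removed twice in a block, a block that both removes rules and sets SecRuleEngine Off (the removals are then redundant), and a "/path/*" pattern that quantifies the slash instead of matching a subtree. The sample is a constructed excerpt modelled on the list in the thread.

```python
"""Audit a ModSecurity exclusion file for over-broad or contradictory removals.

Added example for this thread; not code from the original post, cPanel, Comodo or
OWASP. It understands the Apache <LocationMatch>/<DirectoryMatch> blocks with
SecRuleRemoveById and SecRuleEngine lines that the list in the thread uses. The
sample below is a constructed excerpt modelled on that list.
"""
import re

SAMPLE_EXCLUSIONS = """\
<LocationMatch "/">
  SecRuleRemoveById 950901 # SQL injection rule removed for every URL
  SecRuleRemoveById 981231
</LocationMatch>
<DirectoryMatch '/wp-admin/'>
    SecRuleRemoveById 958030
    SecRuleRemoveById 958030
</DirectoryMatch>
<DirectoryMatch '/admin([0-9]+)/'>
    SecRuleRemoveById 950901
    SecRuleEngine Off
</DirectoryMatch>
<LocationMatch "/development/*">
  SecRuleRemoveById 981173
</LocationMatch>
"""

OPEN_RE = re.compile(r'^\s*<(LocationMatch|DirectoryMatch)\s+(["\'])(.+?)\2\s*>\s*$')
CLOSE_RE = re.compile(r'^\s*</(?:LocationMatch|DirectoryMatch)>\s*$')
REMOVE_RE = re.compile(r'^\s*SecRuleRemoveById\s+(\S+)')
ENGINE_RE = re.compile(r'^\s*SecRuleEngine\s+(\S+)')


def parse_blocks(text):
    """Return one dict per <...Match> block: directive, pattern, removed ids, engine setting."""
    blocks, cur = [], None
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            cur = {'directive': m.group(1), 'pattern': m.group(3), 'ids': [], 'engine': None}
            continue
        if cur is None:
            continue  # directives outside any block are not this tool's concern
        if CLOSE_RE.match(line):
            blocks.append(cur)
            cur = None
            continue
        m = REMOVE_RE.match(line)
        if m:
            cur['ids'].append(m.group(1))
            continue
        m = ENGINE_RE.match(line)
        if m:
            cur['engine'] = m.group(1)
    return blocks


def audit(text):
    """Return (kind, scope, detail) findings a reviewer would raise on the exclusions."""
    findings = []
    for b in parse_blocks(text):
        scope = '%s %s' % (b['directive'], b['pattern'])
        pat = b['pattern']
        # An unanchored "/" (or "^/") regex is in every request path: these removals are global.
        if pat.strip('^$') == '/':
            findings.append(('site-wide', scope,
                             'rules %s are disabled for every URL' % ', '.join(b['ids'])))
        # "/x/*" quantifies the slash (zero or more); it does not mean "everything under /x/".
        if pat.endswith('/*'):
            findings.append(('odd-regex', scope,
                             '"/*" means zero or more slashes; "%s" was probably intended' % pat[:-1]))
        seen = set()
        for rid in b['ids']:
            if rid in seen:
                findings.append(('duplicate', scope, 'rule %s is removed twice' % rid))
            seen.add(rid)
        # SecRuleEngine Off disables the WAF for the whole scope; per-rule removals there are noise.
        if b['engine'] and b['engine'].lower() == 'off':
            findings.append(('engine-off', scope,
                             'WAF disabled entirely; %d SecRuleRemoveById line(s) are redundant'
                             % len(b['ids'])))
    return findings


if __name__ == '__main__':
    for kind, scope, detail in audit(SAMPLE_EXCLUSIONS):
        print('%-10s %-40s %s' % (kind, scope, detail))
```

The check worth keeping even after moving to a vendor ruleset is the first one: any ID removed under a "/" pattern is gone for the whole server, so a rule dropped there to fix one plugin page also stops protecting the login form.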
  6. NTar

    NTar Member

    Joined:
    Apr 16, 2015
    Messages:
    21
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Thanks for brainstorming with me. It seems Comodo's package has fixed the problem, as visitors don't get banned anymore (but hackers are :) ).

    Topic closed.
     
    thuminh likes this.
  7. hrace009

    hrace009 Well-Known Member

    Joined:
    Dec 24, 2013
    Messages:
    66
    Likes Received:
    8
    Trophy Points:
    8
    Location:
    Root
    cPanel Access Level:
    Root Administrator
    By the way, how do I get the Comodo ModSecurity vendor?

    Thanks for sharing this.
     
  8. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    83
    Likes Received:
    15
    Trophy Points:
    8
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    The instructions for adding the Comodo WAF rules for Apache and Litespeed are here.
     
    cPanelMichael likes this.
  9. hrace009

    hrace009 Well-Known Member

    Joined:
    Dec 24, 2013
    Messages:
    66
    Likes Received:
    8
    Trophy Points:
    8
    Location:
    Root
    cPanel Access Level:
    Root Administrator
    Hi, thanks. Yes, I have already installed it.
     
    cPanelMichael likes this.