Removing a modsec1 rule per domain by attaching an id to the rule

Below is how to add an id to a ModSecurity 1.x (modsec1) rule and then remove only that id for a specific domain.
As explained earlier, ModSecurity 1.x does not report the line number of the rule that matched, so keep all rules in a single file that httpd.conf includes:
Include "/usr/local/apache/conf/modsec.user.conf"
When you see an error like the following for a pattern match in the Apache error log, search for the pattern in the modsec conf file:
[Thu Sep 02 20:24:06 2010] [error] [client xx.xx.xx.xx] mod_security: Access denied with code 406. Pattern match "xmlrpc" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "www.domain.com"] [uri "/administrator/index.php"] [unique_id "TIBcRswtQSoAACdEYPcAAAA0"]
Here the pattern is "xmlrpc". Searching for it may return several lines that contain xmlrpc; in most cases one line in the conf is an exact match. Attach an id to that modsec1 rule as follows.
Change
SecFilter "xmlrpc"
to
SecFilter "xmlrpc" "id:900000,deny,log,status:406"
Now reproduce the error by requesting the same URL in the browser, to confirm that this rule (now carrying the id) is the one blocking the request. The log entry now shows the id:
[Thu Sep 02 22:38:16 2010] [error] [client xx.xx.xx.xx] mod_security: Access denied with code 406. Pattern match "xmlrpc" at POST_PAYLOAD [id "900000"] [severity "EMERGENCY"] [hostname "www.domain.com"] [uri "/administrator/index.php"] [unique_id "TIB7uMwtQSoAABUN-kYAAAAT"]
To disable this rule for that one domain only, add the following inside the domain's VirtualHost entry in httpd.conf (the rule stays active for every other domain):
SecFilterRemove 900000
Then check the configuration:
/etc/rc.d/init.d/httpd configtest
If you get "Syntax OK", restart Apache gracefully:
/etc/rc.d/init.d/httpd graceful
Be sure to update the cPanel userdata files as follows, so that the change survives a rebuild of httpd.conf:
/usr/local/cpanel/bin/apache_conf_distiller --update
Once this is done, the modsec value you changed appears in the userdata file for the domain:
cd /var/cpanel/userdata/username/
cat domain.com
secfilterremove:

value: " 900000"
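The steps above are done by hand: read the pattern out of the log line, find the bare SecFilter rule, give it an id, and write the SecFilterRemove line for the VirtualHost. The following POSIX shell helpers do the same mechanically. They are an added example, not code from the original post or from ModSecurity or cPanel; the log line, the 203.0.113.10 client address, the www.example.com hostname and the throwaway conf file are constructed for the demonstration, and the functions assume the pattern contains no sed or regex metacharacters (a pattern with "/" or "." in it would need escaping first).

```shell
#!/bin/sh
# Helpers for the modsec1 per-domain rule removal procedure (added example).

# Constructed sample mod_security 1.x log line in the format the post shows.
SAMPLE_LOG='[Thu Sep 02 22:38:16 2010] [error] [client 203.0.113.10] mod_security: Access denied with code 406. Pattern match "xmlrpc" at POST_PAYLOAD [id "900000"] [severity "EMERGENCY"] [hostname "www.example.com"] [uri "/administrator/index.php"] [unique_id "TIB7uMwtQSoAABUN-kYAAAAT"]'

# modsec_field LINE NAME -> value of the [NAME "value"] field, empty if absent
modsec_field() {
    printf '%s\n' "$1" | sed -n "s/.*\[$2 \"\([^\"]*\)\"\].*/\1/p"
}

# modsec_pattern LINE -> the pattern that matched (text after "Pattern match")
modsec_pattern() {
    printf '%s\n' "$1" | sed -n 's/.*Pattern match "\([^"]*\)".*/\1/p'
}

# find_secfilter CONF PATTERN -> "lineno:SecFilter ..." for bare rules whose
# quoted pattern is exactly PATTERN; lines that merely contain the text
# (e.g. "xmlrpc_server") are not reported
find_secfilter() {
    grep -n "^[[:space:]]*SecFilter[[:space:]][[:space:]]*\"$2\"[[:space:]]*$" "$1"
}

# tag_secfilter CONF PATTERN ID [STATUS] -> rewrite the bare rule so it carries
# the id and the deny,log,status action list used in the post (default 406).
# Writes to a temp file and renames, so it works with both GNU and BSD sed.
tag_secfilter() {
    conf=$1; pat=$2; id=$3; status=${4:-406}
    tmp="$conf.tmp.$$"
    sed "s/^\([[:space:]]*SecFilter[[:space:]][[:space:]]*\"$pat\"\)[[:space:]]*$/\1 \"id:$id,deny,log,status:$status\"/" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# vhost_remove_line ID -> the directive to place inside the domain's <VirtualHost>
vhost_remove_line() {
    printf 'SecFilterRemove %s\n' "$1"
}

# Demonstration on a throwaway conf file (constructed content, removed afterwards)
demo() {
    conf=$(mktemp)
    printf 'SecFilterEngine On\nSecFilter "xmlrpc"\nSecFilter "xmlrpc_server"\n' > "$conf"
    pat=$(modsec_pattern "$SAMPLE_LOG")
    echo "pattern=$pat host=$(modsec_field "$SAMPLE_LOG" hostname) uri=$(modsec_field "$SAMPLE_LOG" uri)"
    echo "matching rule: $(find_secfilter "$conf" "$pat")"
    tag_secfilter "$conf" "$pat" 900000
    echo "--- conf after tagging ---"; cat "$conf"
    echo "--- add to the VirtualHost ---"; vhost_remove_line "$(modsec_field "$SAMPLE_LOG" id)"
    rm -f "$conf"
}

demo
```

Run it as-is to see the parsed fields, the tagged rule and the SecFilterRemove line; to use it on a real server, point tag_secfilter at the included modsec.user.conf and then follow the configtest, graceful restart and apache_conf_distiller steps from the post.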