Tuesday 15 November 2011

Disable mod_security rule for a specific application for a specific domain


If you face a mod_security issue, don't whitelist the whole domain from the mod_security rules. Instead, override the mod_security settings for the domain narrowly, so that the override applies only to the particular page and the particular rule. Follow the steps below to troubleshoot mod_security issues.

1) Tail the Apache error log and find the error.

2) Every rule has an ID, and the log line names the URL that triggered the mod_security issue. Overriding only that rule for that URL will solve the issue. Check the sample Apache log line below.
++++++++++++++++++++++++++++
[Tue Sep 06 19:31:22 2011] [error] [client 203.197.151.138] ModSecurity: [file "/usr/local/apache/conf/modsec_rules/30_asl_antispam.conf"] [line "116"] [id "300023"] [rev "1"] [msg "Atomicorp.com WAF Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)"] [data "[http://domainname.com] |- | ahx || mitch schwenk || |- | almico || alfredo milani ccrestron || [..."] [severity "ERROR"] Access denied with code 403 (phase 2). Pattern match "(\\[ ?http://.*){4,}" at ARGS:wpTextbox1. [hostname "domainname.com"] [uri "/index.php"] [unique_id "TmZm@lUN67oAACO3LgMAAAAN"]
++++++++++++++++++++++++++++
Here the ID is 300023 and the URL is /index.php. The error is "Multiple embedded URLs in argument".

3) To override this, create a new directory:

mkdir -p /usr/local/apache/conf/userdata/std/2/username/domainname/

4) Create the mod_security.conf file in that directory:

vi /usr/local/apache/conf/userdata/std/2/username/domainname/mod_security.conf

5) Paste the following contents into the file, replacing URL and ruleId with the values collected in step 2.
++++++++++
<LocationMatch /URL>
<IfModule mod_security2.c>
SecRuleRemoveById ruleId
</IfModule>
</LocationMatch>
++++++++++
The override is matched on both the URL and the rule ID, so every other rule still applies to that page and the rule still applies to every other page.
Example:
++++++++++
<LocationMatch /index.php>
<IfModule mod_security2.c>
SecRuleRemoveById 300023
</IfModule>
</LocationMatch>
++++++++++
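Steps 2 and 5 can be combined. The shell snippet below, added here as an example and not part of the original post, pulls the rule ID and URI out of a ModSecurity error line and prints the override block. It assumes the log line uses the bracketed `[key "value"]` format shown in step 2 (the sample is the step 2 line, shortened), and the output path uses the userdata directory and `mod_security.conf` name from steps 3 and 4 with placeholder user and domain names. Because LocationMatch takes a regular expression, the generated block escapes the dot and anchors the path, so `^/index\.php$` matches only that page rather than any path containing `index`, any character, and `php`.

```shell
#!/bin/sh
# Added example (not from the original post): build the narrow mod_security
# override from a ModSecurity error line. Sample line taken from step 2 of the
# post and shortened; user/domain in OUTDIR are placeholders.

SAMPLE_LOG='[Tue Sep 06 19:31:22 2011] [error] [client 203.197.151.138] ModSecurity: [file "/usr/local/apache/conf/modsec_rules/30_asl_antispam.conf"] [line "116"] [id "300023"] [rev "1"] [msg "Atomicorp.com WAF Rules: Possible Spam: Multiple embedded urls in argument"] [severity "ERROR"] Access denied with code 403 (phase 2). [hostname "domainname.com"] [uri "/index.php"] [unique_id "TmZm@lUN67oAACO3LgMAAAAN"]'

# Print the value of one bracketed [name "value"] field from a log line.
# $1 = field name (id, uri, hostname, ...), $2 = the log line.
modsec_field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# Escape regex metacharacters so a literal path can be used in LocationMatch.
regex_escape() {
    printf '%s\n' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

# Emit the step 5 override for the rule ID and URI found in one log line.
# Fails (non-zero) if either field is missing so nothing half-built is written.
modsec_override() {
    line=$1
    id=$(modsec_field id "$line")
    uri=$(modsec_field uri "$line")
    [ -n "$id" ] && [ -n "$uri" ] || { echo "no id/uri in line" >&2; return 1; }
    printf '<LocationMatch "^%s$">\n' "$(regex_escape "$uri")"
    printf '<IfModule mod_security2.c>\nSecRuleRemoveById %s\n</IfModule>\n</LocationMatch>\n' "$id"
}

# The hostname field tells you which domain's userdata directory to use.
# Placeholder path; on a real system redirect into the file from step 4:
#   modsec_override "$SAMPLE_LOG" > "$OUTDIR/mod_security.conf"
OUTDIR=/usr/local/apache/conf/userdata/std/2/username/$(modsec_field hostname "$SAMPLE_LOG")
echo "# would write to: $OUTDIR/mod_security.conf"
modsec_override "$SAMPLE_LOG"
```

The snippet itself does not need the hostname, because the per-domain include directory already scopes the override to that domain; the hostname only picks the directory.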

6) Run the script:

/scripts/ensure_vhost_includes --user=username

7) Check whether the file is now included in httpd.conf using the command below:

grep "std/2/username" /usr/local/apache/conf/httpd.conf

8) Restart Apache.

2 comments:

How to register a domain said...

Fantastic content. I think you learn something new every day. Nice, informative site, by the way. Thanks for sharing.

Dhanasekaran N said...

Thank you for your comment!!!

We always welcome your comments to improve our blog. So please keep visiting our blog and provide any suggestion to improve it.