Tuesday, 15 November 2011

Disable mod_security rule for a specific application for a specific domain


If you face any mod_security issue, don't white list the whole domain from mod_security rules. But override the mod_security settings for the domain narrowly, so that override is allowed for only particular page and particular rule. Follow the steps below to trouble shoot mod_security issues.

1) Tail the apache error logs and find the error.

2) Every rule has an Id and URL causing the mod_security issue. So overriding them alone will solve the issue. Check the sample aoache logs below.
++++++++++++++++++++++++++++
[19:37] [Tue Sep 06 19:31:22 2011] [error] [client 203.197.151.138] ModSecurity: [file "/usr/local/apache/conf/modsec_rules/30_asl_antispam.conf"] [line "116"] [id "300023"] [rev "1"] [msg "Atomicorp.com WAF Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)"] [data "[http://domainname.com] |- | ahx || mitch schwenk || |- | almico || alfredo milani ccrestron || [..."] [severity "ERROR"] Access denied with code 403 (phase 2). Pattern match "(\\[ ?http://.*){4,}" at ARGS:wpTextbox1. [hostname "domainname.com"] [uri "/index.php"] [unique_id "TmZm@lUN67oAACO3LgMAAAAN"]
++++++++++++++++++++++++++++
Here ID is 300023 and the URL is index.php. The error is Mutiple embedded URL used.
3) To override this, create a new directory 

mkdir -p /usr/local/apache/conf/userdata/std/2/username/domainname/

4) Create mod_security2.conf file. vi /usr/local/apache/conf/userdata/std/2/username/domainname/mod_security.conf

5) Paste the following contents in the file based on the data collected in step 2.
++++++++++
<LocationMatch /URL>
<IfModule mod_security2.c>
SecRuleRemoveById ruleId
</IfModule>
</LocationMatch>
++++++++++
We are overriding the settings by URL and ID match.
Eg:
++++++++++
<LocationMatch /index.php>
<IfModule mod_security2.c>
SecRuleRemoveById 300023
</IfModule>
</LocationMatch>
++++++++++

6) Run the script 
  /scripts/ensure_vhost_includes --user=username.

7) check whether the file is included in httpd using the command below.
grep "std/2/username" conf/httpd.conf

8) Restart the apache.

2 comments:

How to register a domain said...

Fantastic content I think you learn something new every day. Nice, informative site by the way.Thanks to sharing

Dhanasekaran N said...

Thank you for your comment!!!

We always welcome your comments to improve our blog. So, Please keep on visiting our blog and provide an suggestion to improve our blog.