LocationMatch issues

#1 alleks (Senior Member), 9th January 2013, 00:21

So, on my server with the latest stable ISPConfig and also having installed mod_security... I'm trying to avoid some rules for WordPress-specific pages, but with no success.

Rules:

Code:
<LocationMatch "/">
  SecRuleRemoveById 910006 # Google robot activity - Useful in someways but noisy for sites where you want them crawled
  SecRuleRemoveById 960015 # Request Missing an Accept Header -  Allow for Google Reader
</LocationMatch>

<LocationMatch "/wp-admin/post.php">
  SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in arguments.
</LocationMatch>

<LocationMatch "(/wp-admin/|/wp-login.php)">
  SecRuleRemoveById 950005 # Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me putting /etc/ and other linux paths in posts.
  SecRuleRemoveById 950117 # Remote File Inclusion Attack - Disable to allow http:// to be passed in args
  SecRuleRemoveById 960010 # Request content type is not allowed by policy
</LocationMatch>

<LocationMatch "(/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-content/plugins/)">
  SecRuleRemoveById 950907 # System Command Injection
  SecRuleRemoveById 950005 # Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me putting /etc/ and other linux paths in posts.
  SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in arguments.
  SecRuleRemoveById 959006 # SQL Injection Attack -
  SecRuleRemoveById 960008 # Request Missing a Host Header
  SecRuleRemoveById 960011 # GET or HEAD requests with bodies
  SecRuleRemoveById 960904 # Request Containing Content, but Missing Content-Type header

  SecRuleRemoveById phpids-17 # Detects JavaScript object properties and methods
  SecRuleRemoveById phpids-20 # Detects JavaScript language constructs
  SecRuleRemoveById phpids-21 # Detects very basic XSS probings
  SecRuleRemoveById phpids-30 # Detects common XSS concatenation patterns 1/2
  SecRuleRemoveById phpids-61 # Detects url injections and RFE attempts
</LocationMatch>

<LocationMatch "/wp-includes/">
  SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in arguments.
  SecRuleRemoveById 959006 # SQL Injection Attack -
  SecRuleRemoveById 960010 # Request content type is not allowed by policy - Allows for amongst other things spell check to work on admin area
  SecRuleRemoveById 960012 # Require Content-Length to be provided with every POST request - Same as above

  SecRuleRemoveById phpids-17 # Detects JavaScript object properties and methods
  SecRuleRemoveById phpids-20 # Detects JavaScript language constructs
  SecRuleRemoveById phpids-21 # Detects very basic XSS probings
  SecRuleRemoveById phpids-30 # Detects common XSS concatenation patterns 1/2
  SecRuleRemoveById phpids-61 # Detects url injections and RFE attempts
</LocationMatch>

Any ideas why the LocationMatch won't match? Just to make clear, setting the command outside LocationMatch works.

My question on SO http://stackoverflow.com/questions/1...h-not-matching

#2 till (Super Moderator), 9th January 2013, 09:20

Where did you add these lines, in the Apache directives field of the website?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3 alleks (Senior Member), 9th January 2013, 16:44

Yes Till, in the Apache directives in Domain's options.

#4 till (Super Moderator), 9th January 2013, 18:37

Have you checked in the vhost file if the directives have been added there? Maybe there is a syntax error somewhere and ISPConfig could not apply the new configuration.

I added some mod_security rules a few days ago in one site by adding them in the Apache directives field in ISPConfig and it worked on my server. I described it here in the FAQ; the rules I used are not as complete as your list, though:

http://www.faqforge.com/linux/apache...ress-and-modx/
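
Added example, not part of the thread and not ISPConfig or ModSecurity code: a Python audit that parses LocationMatch blocks like those posted in #1 and reports which rule IDs would be removed for a given request path, plus which directive lines carry an inline comment. It assumes LocationMatch regexes are searched unanchored against the URL path and that removals from every matching section accumulate; the names `parse_sections` and `removed_for` are hypothetical.

```python
import re
VHOST_EXCERPT = r'''
<LocationMatch "/">
  SecRuleRemoveById 910006 # Google robot activity
</LocationMatch>
<LocationMatch "/wp-admin/post.php">
  SecRuleRemoveById 950006 # System Command Injection
</LocationMatch>
<LocationMatch "(/wp-admin/|/wp-login.php)">
  SecRuleRemoveById 950005 # Remote File Access Attempt
</LocationMatch>
<LocationMatch "/wp-includes/">
  SecRuleRemoveById 959006 # SQL Injection Attack
  SecRuleRemoveById phpids-21 # Detects very basic XSS probings
</LocationMatch>
'''  # constructed excerpt of the configuration posted in #1, comments shortened

OPEN = re.compile(r'<LocationMatch\s+"?([^">]+)"?\s*>', re.I)
REMOVE = re.compile(r'SecRuleRemoveById\s+([^#]*)(#.*)?$', re.I)

def parse_sections(text):
    """Return (sections, flagged): sections is [(compiled_regex, [rule_ids])]."""
    sections, flagged, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if (m := OPEN.match(line)):
            current = (re.compile(m.group(1)), [])
        elif line.lower().startswith("</locationmatch") and current:
            sections.append(current)
            current = None
        elif (m := REMOVE.match(line)) and current:
            current[1].extend(m.group(1).split())
            if m.group(2):  # a comment shares the line with the directive
                flagged.append(lineno)
    return sections, flagged

def removed_for(path, sections):
    """Rule IDs removed for a URL path, in the order the sections appear."""
    ids = []
    for pattern, rule_ids in sections:
        if pattern.search(path):  # unanchored search (assumption, see lead-in)
            ids += [i for i in rule_ids if i not in ids]
    return ids

if __name__ == "__main__":
    sections, flagged = parse_sections(VHOST_EXCERPT)
    # "/wp-loginXphp" is included because the "." in the pattern is unescaped
    for p in ("/wp-admin/post.php", "/wp-loginXphp", "/blog/wp-includes/x.js"):
        print(p, "->", removed_for(p, sections))
    print("directive lines with an inline comment:", flagged)
```

The inline-comment lines are reported separately because Apache's configuration documentation states that comments may not be included on the same line as a directive; pointing the script at the generated vhost file shows what was actually written there.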