  #1  
Old 24th July 2012, 13:36
MaddinXx MaddinXx is offline
Senior Member
 
Join Date: Jul 2011
Location: Switzerland
Posts: 197
Thanks: 25
Thanked 62 Times in 46 Posts
[Collection] mod_security Whitelists

Hello everyone

Some of you might have mod_security installed on your server, and so do I.

Since the rules are sometimes very strict, you often have to disable rules for specific applications.

I thought that it might be a good idea to create a little collection of what rules you have to disable for what application.

General
I assume you have mod_security installed as described here: http://www.faqforge.com/linux/apache...n-6-0-squeeze/

How to whitelist?
You should choose one of these methods:
  • server-wide deactivation
    Code:
    nano /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf
  • per-site deactivation
    In ISPConfig -> Sites -> domain.tld -> Options -> Apache Directives
    Code:
    <ifModule mod_security2.c>
        (paste the rules here)
    </ifModule>

Applications
Here are the per-application specific rules you should disable if you encounter problems running them.

IP based access
Reason
Accessing a website by its IP isn't allowed

Rules
SecRuleRemoveById 960017

Usage
You should place this rule within the global whitelist

------------------------------------------------

ionizeCMS
Reason
the built-in flash uploader doesn't work

Rules
SecRuleRemoveById 960015

Usage
You should place them per-site

------------------------------------------------

WebDAV
Reason
You'll get a 405 - Method not allowed when connecting with a WebDAV client

Rules
SecRuleRemoveById 960015
SecRuleRemoveById 960032

Usage
You should place them per-site or within the custom vhost (WebDAV block)

------------------------------------------------

Wordpress
Reason
pasting iFrames within the editor gets blocked as well as selecting images

Rules
SecRuleRemoveById 950001
SecRuleRemoveById 950004

Usage
You should place them per-site

Summary
If you have rulesets of your own, we would appreciate it if you shared them too.

Regards,
MaddinXx
The Following 3 Users Say Thank You to MaddinXx For This Useful Post:
falko (25th July 2012), sageman (8th March 2013), till (8th November 2013)
  #2  
Old 25th July 2012, 16:28
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts

Great post! Do you think you could create a little tutorial from it?
  #3  
Old 25th July 2012, 23:26
MaddinXx MaddinXx is offline
Senior Member
 
Join Date: Jul 2011
Location: Switzerland
Posts: 197
Thanks: 25
Thanked 62 Times in 46 Posts

Hi falko

I'm not sure if a tutorial is needed for this, since there is already one on FAQForge on how to install mod_security, also how to whitelist.

Therefore this is really more a collection of useful information for them rather than a guide itself.

However, it might be a good refresher to see it here as a tutorial again - I'll look if I find time...but I hope to be able to test some more popular CMS like typo3, joomla, Drupal etc. first so we have a solid list.

BTW it would be good if you could re-check the WebDAV thing by yourself and add it to ISPConfig by default (like you did completely disable mod_security for ISPConfig's vHost).

Regards
The Following User Says Thank You to MaddinXx For This Useful Post:
falko (26th July 2012)
  #4  
Old 26th July 2012, 12:24
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts

Quote:
Originally Posted by MaddinXx
BTW it would be good if you could re-check the WebDAV thing by yourself and add it to ISPConfig by default (like you did completely disable mod_security for ISPConfig's vHost).
I've added this to our bugtracker.
  #5  
Old 26th July 2012, 17:34
MaddinXx MaddinXx is offline
Senior Member
 
Join Date: Jul 2011
Location: Switzerland
Posts: 197
Thanks: 25
Thanked 62 Times in 46 Posts

Hmm, it seems that it's not allowed to edit the first post within a topic...
@falko/till: is it possible to activate this? If not, would there be a way to give me the 2nd post as well? (which is currently falko's).

Here's another one:


Google's Webmaster Tools
Reason
Verification not working (msg: Request Missing an Accept Header)

Rules
SecRuleRemoveById 950015

Usage
You should place them per-site
  #6  
Old 5th August 2012, 19:57
concept21 concept21 is offline
Senior Member
 
Join Date: Dec 2011
Posts: 142
Thanks: 27
Thanked 18 Times in 13 Posts

Hi Mad,
In my Ubuntu 10.04 64 bit OS, I can't see this file:
/etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf


How do you configure your trick in Ubuntu 10.04?
  #7  
Old 5th August 2012, 20:01
MaddinXx MaddinXx is offline
Senior Member
 
Join Date: Jul 2011
Location: Switzerland
Posts: 197
Thanks: 25
Thanked 62 Times in 46 Posts

Hi concept21

I don't have an Ubuntu machine to test, but if you have the folder /etc/apache2/mod-security/ I guess you can create the file in there.

If the folder doesn't exist, you could try running:

Code:
find / -name "modsecurity_crs*"
and check where the crs rules are stored (and create the file within this folder if it doesn't exist)
  #8  
Old 9th August 2012, 21:09
concept21 concept21 is offline
Senior Member
 
Join Date: Dec 2011
Posts: 142
Thanks: 27
Thanked 18 Times in 13 Posts

I have tried to add
SecRuleRemoveById

for all IDs appearing in the mod_audit.log, but my software was still blocked.

I think it is not so simple. I have read a little bit of the mod-security site's manual. It said simply adding SecRuleRemoveById may not let the software pass 2nd phase.

I don't understand though.
  #9  
Old 9th August 2012, 21:18
MaddinXx MaddinXx is offline
Senior Member
 
Join Date: Jul 2011
Location: Switzerland
Posts: 197
Thanks: 25
Thanked 62 Times in 46 Posts

Hmm, for me it worked.

Did you follow the step here: http://www.faqforge.com/linux/apache...n-6-0-squeeze/

Code:
To enable mod-security, edit the file
vi /etc/apache2/mod-security/modsecurity_crs_10_config.conf
and remove the # in front of the line:
SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
  #10  
Old 17th August 2012, 11:18
mjnet mjnet is offline
Member
 
Join Date: Nov 2011
Posts: 44
Thanks: 2
Thanked 2 Times in 1 Post
 

I needed to add another one today.

Wordpress
Reason
Error 404 - ("Too many arguments in request") when you save bigger posts. Some guys got this error because of too many revisions. Mine was due to many post attachments.

Rules
SecRuleRemoveById 960335

Usage
You should place them per-site
The Following 2 Users Say Thank You to mjnet For This Useful Post:
abintipl (28th May 2013), falko (18th August 2012)
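
Added example, not part of any post in this thread: a small Python script that reads ModSecurity "Access denied" lines from the Apache error log and groups the blocked rule IDs by hostname, so each SecRuleRemoveById can go into the matching site's per-site block instead of the server-wide file. The log lines are constructed and abbreviated, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed, abbreviated Apache 2.2 error-log lines (hosts, IPs, URIs invented).
SAMPLE_LOG = r'''
[Fri Aug 17 11:02:01 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "960335"] [msg "Too many arguments in request"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"]
[Fri Aug 17 11:02:09 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "960335"] [msg "Too many arguments in request"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"]
[Fri Aug 17 11:03:40 2012] [error] [client 192.0.2.22] ModSecurity: Access denied with code 403 (phase 2). [id "960015"] [hostname "dav.example.com"] [uri "/webdav/"]
[Fri Aug 17 11:03:41 2012] [error] [client 192.0.2.22] ModSecurity: Access denied with code 403 (phase 2). [id "960032"] [hostname "dav.example.com"] [uri "/webdav/"]
[Fri Aug 17 11:04:00 2012] [error] [client 192.0.2.30] ModSecurity: Warning. [id "960015"] [hostname "blog.example.com"] [uri "/"]
[Fri Aug 17 11:04:05 2012] [error] [client 192.0.2.30] File does not exist: /var/www/favicon.ico
'''

# Only the bracketed fields needed to attribute a block to a site.
FIELD = re.compile(r'\[(id|hostname|uri) "([^"]*)"\]')

def collect(log_text):
    """Map hostname -> rule id -> list of URIs, for blocked requests only."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # skip warnings and non-ModSecurity errors
        f = dict(FIELD.findall(line))
        # Accept only purely numeric IDs so nothing else from the log reaches the config.
        if re.fullmatch(r"[0-9]+", f.get("id", "")) and "hostname" in f:
            hits[f["hostname"]][f["id"]].append(f.get("uri", "?"))
    return hits

def whitelist_block(rule_hits):
    """Render the per-site block from the first post for one host's hits."""
    out = ["<IfModule mod_security2.c>"]
    for rule_id in sorted(rule_hits, key=int):
        uris = rule_hits[rule_id]
        out.append(f"    # {len(uris)} blocked request(s), {len(set(uris))} distinct URI(s)")
        out.append(f"    SecRuleRemoveById {rule_id}")
    out.append("</IfModule>")
    return "\n".join(out)

if __name__ == "__main__":
    for host, rule_hits in sorted(collect(SAMPLE_LOG).items()):
        print(f"== {host} ==")
        print(whitelist_block(rule_hits))
```

Review the URIs behind each ID before pasting a block into a site's Apache Directives; the script only reports what was blocked, not whether the block was a false positive.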

Tags
mod_security, rules, security, whitelist

All times are GMT +2. The time now is 00:35.

