[Collection] mod_security Whitelists

Discussion in 'Server Operation' started by MaddinXx, Jul 24, 2012.

  1. MaddinXx

    MaddinXx Member HowtoForge Supporter

    Hello everyone

    Some of you might have mod_security installed on their server, so do I.

    Since the rules are sometimes very strict, you often have to disable rules for specific applications.

    I thought that it might be a good idea to create a little collection of what rules you have to disable for what application.

    General
    I assume you have mod_security installed like described here: http://www.faqforge.com/linux/apache-mod-security-installation-on-debian-6-0-squeeze/

    How to whitelist?
    You should choose one of these methods:
    • server-wide deactivation
      Code:
      nano /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf
    • per-site deactivation
      In ISPConfig -> Sites -> domain.tld -> Options -> Apache Directives
      Code:
      <ifModule mod_security2.c>
          (paste the rules here)
      </ifModule>

    Applications
    Here are the per-application specific rules you should disable if you encounter problems running them.

    IP based access
    Reason
    Accessing a website by it's IP isn't allowed

    Rules
    SecRuleRemoveById 960017

    Usage
    You should place this rule within the global whitelist

    ------------------------------------------------

    ionizeCMS
    Reason
    the built-in flash uploader doesn't work

    Rules
    SecRuleRemoveById 960015

    Usage
    You should place them per-site

    ------------------------------------------------

    WebDAV
    Reason
    You'll get an 405 - Method not allowed when connecting with a WebDAV client

    Rules
    SecRuleRemoveById 960015
    SecRuleRemoveById 960032

    Usage
    You should place them per-site or within the custom vhost (WebDAV block)

    ------------------------------------------------

    Wordpress
    Reason
    pasting iFrames within the editor gets blocked as well as selecting images

    Rules
    SecRuleRemoveById 950001
    SecRuleRemoveById 950004

    Usage
    You should place them per-site

    Summary
    If you have rulesets by yourself, we would appreciate it if you would share them too :)

    Regards,
    MaddinXx
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Great post! :) Do you think you could create a little tutorial from it?
     
  3. MaddinXx

    MaddinXx Member HowtoForge Supporter

    Hi falko

    I'm not sure if a tutorial is needed for this, since their is already one on FAQForge on how to install mod_security, also how to whitelist.

    Therefor this is really more a collection on useful information for them rather than a guide itself.

    However, it might be a good refresher to see it here as a tutorial again - I'll look if I find time...but I hope to be able to test some more popular CMS like typo3, joomla, Drupal etc. first so we have a solid list.

    BTW it would be good if you could re-check the WebDAV thing by yourself and add it to ISPConfig by default (like you did completely disable mod_security for ISPConfig's vHost).

    Regards
     
  4. falko

    falko Super Moderator ISPConfig Developer

    I've added this to our bugtracker.
     
  5. MaddinXx

    MaddinXx Member HowtoForge Supporter

    hmm, it seems that it's not allowed to edit the first post within a topic...
    @falko/till. is it possible to activate this? if not, would their a way to give me the 2nd post as well? (which is currently falko's).

    Here's another one:


    Google's Webmaster Tools
    Reason
    Verification not working (msg: Request Missing an Accept Header)

    Rules
    SecRuleRemoveById 950015

    Usage
    You should place them per-site
     
  6. concept21

    concept21 Member

    Hi Mad,
    In my Ubuntu 10.04 64 bit OS, I can't see this file:
    /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf


    How do you configure your trick in Ubuntu 10.04?
     
  7. MaddinXx

    MaddinXx Member HowtoForge Supporter

    Hi concept21

    I don't have an Ubuntu machine to test, but if you have the folder /etc/apache2/mod-security/ I guess you can create the file in there.

    If the folder doesn't exist, you could try running:

    Code:
    find / -name "modsecurity_crs*"
    and check where the crs rules are stored (and create the file within this folder if it doesn't exist)
     
  8. concept21

    concept21 Member

    I have tried to add
    SecRuleRemoveById

    to all id appearing in the mod_audit.log, but my software was stilled blocked.

    I think it is not so simple. I have read a little bit of the mod-security site's manual. It said simply adding SecRuleRemoveById may not let the software pass 2nd phase.

    I don't understand though.
     
  9. MaddinXx

    MaddinXx Member HowtoForge Supporter

  10. mjnet

    mjnet New Member

    I needed to add another one today.

    Wordpress
    Reason
    Error 404 - ("Too many arguments in request") when you save bigger posts. Some guys got this error cause of too many revisions. Mine was due to many post attachments.

    Rules
    SecRuleRemoveById 960335

    Usage
    You should place them per-site
     
  11. sageman

    sageman New Member

    Here are some more that helped me today:

    Joomla 2.5.x - Akeeba Backup (after installation)

    Reason
    PHP source code leakage

    Rule
    SecRuleRemoveById 970015

    ------------------------------------------------

    Joomla 2.5.x - JCE Editor (saving configuration)

    Reason
    Too many arguments in request

    Rule
    SecRuleRemoveById 960335

    ------------------------------------------------

    Menalto Gallery 3 - Uploader stops processing images

    Reason
    Request Missing an Accept Header

    Rule
    SecRuleRemoveById 960015

    ------------------------------------------------

    Usage
    You should place this rule within the global whitelist
     
    Last edited: Mar 10, 2013
  12. SpeedyB

    SpeedyB Member HowtoForge Supporter

    Remoting is not working with mod-security installed

    This is due to an "Request Missing an Accept Header" error.

    to fix this add the following code to the 000-ispconfig.vhost (at the bottom)
    Code:
    <LocationMatch "/remote/index.php">
      SecRuleRemoveById 960015 
    </LocationMatch>

    ==================

    Since I only want to enable rules for the PHP files which need to be excluded I have the following ruleset for WordPress:

    Code:
    <LocationMatch "/">
      SecRuleRemoveById 910006 # Google robot activity - Useful in someways but noisy for sites where you want them crawled
      SecRuleRemoveById 960015 # Request Missing an Accept Header -  Allow for Google Reader
    </LocationMatch>
    
    <LocationMatch "/wp-admin/post.php">
      SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in arguments.
      SecRuleRemoveById 950004 # Disable XSS 
    </LocationMatch>
    
    <LocationMatch "/wp-admin/admin-ajax.php">
      SecRuleRemoveById 950004 # Disable XSS 
    </LocationMatch>
    
    <LocationMatch "(/wp-admin/|/wp-login.php)">
      SecRuleRemoveById 950005 # Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me putting /etc/ and other linux paths in posts.
      SecRuleRemoveById 950117 # Remote File Inclusion Attack - Disable to allow http:// to be passed in args
    </LocationMatch>
    
    <LocationMatch "(/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-content/plugins/)">
      SecRuleRemoveById 950907 # System Command Injection
      SecRuleRemoveById 950005 # Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me putting /etc/ and other linux paths in posts.
      SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in arguments.
      SecRuleRemoveById 959006 # SQL Injection Attack -
      SecRuleRemoveById 960008 # Request Missing a Host Header
      SecRuleRemoveById 960011 # GET or HEAD requests with bodies
      SecRuleRemoveById 960904 # Request Containing Content, but Missing Content-Type header
    
      SecRuleRemoveById phpids-17 # Detects JavaScript object properties and methods
      SecRuleRemoveById phpids-20 # Detects JavaScript language constructs
      SecRuleRemoveById phpids-21 # Detects very basic XSS probings
      SecRuleRemoveById phpids-30 # Detects common XSS concatenation patterns 1/2
      SecRuleRemoveById phpids-61 # Detects url injections and RFE attempts
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in arguments.
      SecRuleRemoveById 959006 # SQL Injection Attack -
      SecRuleRemoveById 960010 # Request content type is not allowed by policy - Allows for amongst other things spell check to work on admin area
      SecRuleRemoveById 960012 # Require Content-Length to be provided with every POST request - Same as above
    
      SecRuleRemoveById phpids-17 # Detects JavaScript object properties and methods
      SecRuleRemoveById phpids-20 # Detects JavaScript language constructs
      SecRuleRemoveById phpids-21 # Detects very basic XSS probings
      SecRuleRemoveById phpids-30 # Detects common XSS concatenation patterns 1/2
      SecRuleRemoveById phpids-61 # Detects url injections and RFE attempts
    </LocationMatch>
     
  13. manarak

    manarak New Member

    I'm currently also looking at this issue from a seo point of view focusing on search engine crawlers.
    Google is not the only search engine.

    I think what's needed is a collection of tightly-defined whitelisting rules which disable certain rules for certain IPs/user agents of search engines.

    People could then use these rules in the global mod_security 00_whitelist.conf or inside the individual site's settings.
     
  14. manarak

    manarak New Member

    What has always been very irritating about Mod_security is that there is so few simple documentation about it and that most of the support chatter is done via mailing list rather than forum.

    Try to google "mod_security whitelist IP ranges" to see what I mean...

    This makes any custom rules exercise rather difficult.

    Anyway, here is how far I progressed:

    I added a file "modsecurity_crs_15_whitelist.conf" in /etc/apache2/modsecurity
    (that can be another directory, depending on where you put your rules)

    And I began to design a rule file for whitelisting bots.

    Here is a non-working example
    Code:
    SecRule REMOTE_ADDR "^192\.168\.[0-1]{1}\.[0-9]{1,3}$" chain
    SecRule REMOTE_HOST googlebot.com$ chain
    SecRule REQUEST_HEADERS:User-Agent "Googlebot" phase:1,log,allow,id:999999999,ctl:ruleEngine=off
    
    I want the rules to check the IP and the USER-Agent and if performance permits the Remote Host (don't know if this requires a DNS request or not).
    As you see, the regex allows to check for simple ranges.

    Some questions I would like to ask persons that are knowledgable about mod_security rules:
    1- the above rules chain rules in an "AND" mode, i.e. if this AND that, then allow. Question: how to introduce an OR ? i.e. if the IP address is this OR that, then allow? Would the following work?
    Code:
    SecRule REMOTE_ADDR "^192\.168\.[0-1]{1}\.[0-9]{1,3}$¦^193\.168\.[0-1]{1}\.[0-9]{1,3}$¦^194\.168\.[0-1]{1}\.[0-9]{1,3}$"
    2- I want to give matching requests a pass on one or more specific rules only, not turn off the secrule engine completely. How can this be done?
     

Share This Page