Mod-security with default rules blocking

Discussion in 'Server Operation' started by Jun27, Oct 4, 2007.

  1. Jun27

    Jun27 New Member

    I just installed the latest mod security on CentOS, and I noticed the generic attacks conf file blocks the use of awstats.

    I'd rather not disable this conf, because it's the one I actually care about the most (being a forum based site).

    Is there any way to make an exception for It gives me a:

    Method Not Implemented.
    GET to /awstats/ not supported.

    I'm not too concerned with it because I have an IP ban and also password protection on this directory, and it's located on a different IP/domain.

    I'm pretty much up to date on everything.

    Also, can I place directives like SecFilterSelective directly in httpd.conf?

    I care a lot about security, as my server gets hit a lot, but I don't want measures that will create too many false positives or obstruct my users. Which are the most important rule sets to include with mod_security?

    ...and while I'm at it, any good ways of preventing DDoS attacks? For instance limiting max bandwidth and connections per IP (barring images etc). I can't find any up to date and well documented/supported modules that allow this. I'm also afraid of blocking AOL users etc. I've been DoS attacked a couple times recently.

    I would also like something for bandwidth because I'm using almost 50gb a day and don't want to pay through the nose for overages at the end of the month.
  2. falko

    falko Super Moderator ISPConfig Developer

    Can you post your mod_security configuration here?

    This might be interesting:
  3. robbo007

    robbo007 New Member


    Did you manage to get this sorted? I have the same problem and see the error comes from the rule:

    SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
    "phase:2,t:none,t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED'"

    How can I only exclude AWSTAT? I don't really want to comment out the entire rule.
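
One way to scope an exception for rule 960035 to the AWStats path instead of commenting the rule out, as an added example that is not part of the original thread. It assumes ModSecurity 2.x with the rule set already loaded, AWStats served under /awstats/, and a constructed local rule id (1000001); the directives can go in httpd.conf or the virtual host, below the line that includes the rule set.

```apache
# Added example, not from the thread. Assumes ModSecurity 2.x, the rule set
# loaded earlier in the configuration, and AWStats served under /awstats/.

# Too broad: either of these removes protection for every site on the
# server, the forum included.
#   SecRuleEngine Off
#   SecRuleRemoveById 960035        (at server level)

# Scoped: rule 960035 is removed only for requests under /awstats/.
# SecRuleRemoveById only affects rules that are already loaded, so this
# block must come after the Include line for the rule set.
# All other rules stay active for /awstats/.
<LocationMatch "^/awstats/">
    SecRuleRemoveById 960035
</LocationMatch>

# Alternative (ModSecurity 2.5 or later): decide per request in phase 1,
# before the phase 2 rule runs. Use one variant, not both.
# The path is decoded and normalised before the prefix comparison so the
# exception is matched against the path Apache will actually serve.
# id 1000001 is a constructed local rule id.
#   SecRule REQUEST_URI "@beginsWith /awstats/" \
#       "phase:1,t:none,t:urlDecodeUni,t:normalisePath,nolog,pass,id:'1000001',ctl:ruleRemoveById=960035"
```

After reloading Apache, a request under /awstats/ should no longer log id 960035 in the audit log, while a request for a restricted extension elsewhere on the site should still be denied.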


