Planned: Install Of Mod-Security on Debian Wheezy

Discussion in 'ISPConfig 3 Priority Support' started by Quaxth, Nov 8, 2013.

  1. Quaxth

    Quaxth Member

    As the title say's!

    Because for that I was like to use an new SATA 3/6GB/s HDD, I was clone the "Master" Server HDD using HD-Clone 4.2 and found that there some parts are missing. So I done the same again on an older HDD which I use for such "test's" and the same outcome. So I checked on the Internet which Apps I could use for that job and got informed that Acronis True Image and CloneZilla would be the best choice.
    As I had Acronis True Image 2014 already, I was try that and that didn't worked. It was impossible for to boot from the cloned HDD. Next I was downloading CloneZilla and tested that, still on my "Test-HDD" and that wokrd well I was able to fully boot the Server HDD Clone. So done again, this time with the new HDD and that was just finish now. Took about 4h with an transfer of app. 6GB/h or 100MB/s

    Now, my question: Using the tuto from: as suggested by Till in the other thread, because the ISPC tuto is quite old and for Debian Squeeze, Is there anything I've to aware about? Or should I just follow that tuto as published?
    I didn't have enough knowledge about Linux and therefore ask for a bit more advice.

    Thanks a lot.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It is fie to just follow the tutorial from
  3. Quaxth

    Quaxth Member

    OK, thanks for that. Anyway, in case something goes wrong, I still have the fully working server on that old HDD!
  4. Quaxth

    Quaxth Member

    Ok, installed and all seems to work well. Now have to see what will happen the next few days.
  5. Quaxth

    Quaxth Member

    Think, I was a bit to fast with my above comment!

    Problem with connecting to the webmail using, I get Error: 403 Forbidden since the Mod-Security is installed and working! Same happens if like to connect to any domain/website on my sever! Could connect via and but that isn't ok for normal work!

    OK, server isn't in production, yet! But not much time left in 1 week it must work normally.

    How to get the normal work back? Anybody has an suggestion?

    Last edited: Nov 9, 2013
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    All you have to do is to whitelist the rules in mod security that cause this false block. I've descibed that in my tutorial on faqforge:

    Whitelist as few rules globally as possible. Its always better to whitelist the rules in the apache directives of the affected website, so the same rules stay active for other sites. a global whitelisting is only needed for apps that you access trough a global alias like webmail.
  7. Quaxth

    Quaxth Member

    Thanks for that info.

    Please tell me: How I could know what ID I've to place in that conf file?

    And that file:
    vi /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf
    didn't exist in my server. I installed the newer version as you suggested from and that seems ti differs quite a bit from that older version your tutorial is for!

    The path to modsecurity is /etc/modsecurity/ and contains the following files:

    By the way, since the modsecurity is installed, the local FTP didn't work anymore, even I had set modsecurity to Off!

  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The ID numbers are mentioned in the log entries of mod security in the apache errr.log files. The global apache error.log is /var/log/apache2/error.log (you will check this log for issues in your webmail) for issues in websites, check the error.log of the affected website instead of the global error.log.

    Here an example log line:

    [Mon Nov 11 09:45:59 2013] [error] [client] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod-security/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname ""] [uri "/robots.txt"] [unique_id "[email protected]"]

    I marked the ID in bold. To find the right ID that needs to be whitelisted, check the log with:

    tail -f /var/log/apache2/error.log

    on the shell while you are using the webmail (e.g. by logging in with putty on your server or any other ssh client). You will see the relevant log entry on the shell at the same moment when yu see the 403 error in the webbrowser.

    Add a new file:


    were you ca inser the global whitelist rules.

    The FTP issue is not related with od_security.
  9. Quaxth

    Quaxth Member

    Don't have the time for to deep check now, that is something which really need time! May do that tomorrow early morning because that would be the best time for me.

    Anyway, regarding FTP: believe me, that started to be a problem again after I installed ModSecurity, till then FTP was working locally just fine. If I connect via VPN-Tunnel with SecurityKiss, I could use FTP with no problems. Also no problems with RemoteSoftaculous, that I tested as well and installations working well.

  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I believe you that there is a timely coincidence, but this does not mean that the issues are related. mod_security is a module for the apache server, it is only able to filter tcp requests in apache. It is not related to ftp connections at all.

Share This Page