
Modsecurity

  • knowledgediary4min
  • Mar 3, 2020
  • 2 min read

Mod-security

---------------

Disable mod_security for an individual account

Mod_security is an open-source Apache module that acts as a firewall for web applications and protects the system from attackers. Apache 1.x uses mod_security1, and Apache 2.x uses mod_security2. With mod_security1, it can be disabled for a domain using the .htaccess file.

To disable mod_security for one domain, add the following line to .htaccess:

-----

SecFilterEngine Off

-----

mod_security2 cannot be disabled via .htaccess on a per-domain basis.

The following steps disable mod_security2 rules for one domain on cPanel servers.

1. Make the directory “/usr/local/apache/conf/userdata/std/2_2/username/domain.com”

2. Create a file “vhost.conf” in the above location

modsec.conf

mod_security.conf

3. Add the following lines:

———-

<IfModule mod_security2.c>

SecRuleEngine Off

</IfModule>

———-

To disable mod_security for a particular location:

———

<LocationMatch specify_the_path_here>

<IfModule mod_security2.c>

SecRuleEngine Off

</IfModule>

</LocationMatch>

———

To disable a particular mod_security rule:

———

<IfModule mod_security2.c>

SecRuleRemoveById give_ruleID_here

</IfModule>

———

Please make sure to run the following script after making the changes.

———

/scripts/ensure_vhost_includes --user=username

———

This script will uncomment the following line in the Apache configuration. It customises the virtual host to use that include file and restarts Apache.

Include "/usr/local/apache/conf/userdata/std/2/username/domain.com/*.conf"

Another method

How to disable mod_security for an individual account?

For Apache 1.3:

****************

If you are receiving the error message "access denied with error code 403" for a domain in the Apache error logs due to mod_security, you can disable mod_security for that account by adding the following to its .htaccess:

===========

SecFilterEngine Off

SecFilterScanPOST Off

===========

For Apache 2.x:

***************

In modsec2, SecFilterEngine Off cannot be used. You have to use SecRuleEngine Off.

You cannot add the rule directly in .htaccess; you have to add the entries to the file

===

/usr/local/apache/conf/modsec2/whitelist.conf

===

Below is a sample entry for the domain example.com:

==============================================

SecRule SERVER_NAME "example.com" phase:1,nolog,allow,ctl:ruleEngine=off

SecRule SERVER_NAME "www.example.com" phase:1,nolog,allow,ctl:ruleEngine=off

==============================================

This is new functionality added to increase security on the server and to make sure sites keep working when there is a problem with mod_security.
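An added example (not from the original post) that checks which hostnames the sample whitelist pattern actually matches, and builds an anchored alternative. The hostnames are constructed, the function names are hypothetical, and grep -E is assumed as a stand-in for ModSecurity's regex engine.

```shell
#!/bin/sh
# SecRule uses the @rx (regular expression) operator by default, so the quoted
# hostname in whitelist.conf is an unanchored pattern and "." matches any character.
# grep -E stands in for ModSecurity's PCRE here; the two agree for these patterns.

# host_matches PATTERN HOST: succeed when the regex matches HOST.
host_matches() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# anchored_pattern DOMAIN: regex that matches only DOMAIN and www.DOMAIN.
anchored_pattern() {
  printf '^(www\\.)?%s$' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# audit PATTERN: for each constructed hostname, report whether a whitelist rule
# using PATTERN would switch the rule engine off ("off") or leave it on ("on").
audit() {
  for h in example.com www.example.com example.com.invalid \
           myexample.com.invalid examplexcom.invalid; do
    if host_matches "$1" "$h"; then echo "off $h"; else echo "on  $h"; fi
  done
}

echo "pattern from the sample entry:"; audit 'example.com'
p=$(anchored_pattern example.com)
echo "anchored pattern $p:"; audit "$p"
# One anchored rule covers both the bare and the www hostname.
printf 'SecRule SERVER_NAME "%s" phase:1,nolog,allow,ctl:ruleEngine=off\n' "$p"
```

With the pattern as written in the sample entry, all five hostnames switch the engine off; with the anchored pattern only example.com and www.example.com do.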

Another Method

In httpd.conf, under the domain, add the lines below. Check that the rule IDs are the ones reported for the error in the Apache error log.

==========================

<IfModule mod_security2.c>

<LocationMatch "/administrator/index.php">

SecRuleRemoveById 950001 950004 950013

</LocationMatch>

</IfModule>

==========================
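An added example (not part of the original post) of checking the rule IDs in the error log before writing the exclusion: it counts the ModSecurity denials logged for one hostname and prints a LocationMatch block limited to the IDs seen on one path. The log lines are constructed, the function names are hypothetical, and the `[id "…"]` / `[hostname "…"]` / `[uri "…"]` tag layout of ModSecurity 2.x denial messages is assumed.

```shell
#!/bin/sh
# Constructed log lines in the ModSecurity 2.x error-log layout (not real traffic).
sample_log() {
cat <<'EOF'
[Fri Feb 22 23:08:10 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [file "/constructed/rules.conf"] [line "10"] [id "950001"] [msg "constructed"] [hostname "example.com"] [uri "/administrator/index.php"] [unique_id "constructed-1"]
[Fri Feb 22 23:08:11 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [file "/constructed/rules.conf"] [line "10"] [id "950001"] [msg "constructed"] [hostname "example.com"] [uri "/administrator/index.php"] [unique_id "constructed-2"]
[Fri Feb 22 23:08:12 2013] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). [file "/constructed/rules.conf"] [line "22"] [id "950004"] [msg "constructed"] [hostname "example.com"] [uri "/administrator/index.php"] [unique_id "constructed-3"]
[Fri Feb 22 23:08:13 2013] [error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). [file "/constructed/rules.conf"] [line "31"] [id "950013"] [msg "constructed"] [hostname "other.example.net"] [uri "/index.php"] [unique_id "constructed-4"]
[Fri Feb 22 23:08:14 2013] [error] [client 192.0.2.13] File does not exist: /home/username/public_html/favicon.ico
EOF
}

# modsec_hits HOST (log on stdin): print "COUNT RULE_ID URI", most frequent first.
modsec_hits() {
  awk -v host="$1" '
    # Value of a [name "value"] tag, or "" when the line has no such tag.
    function tag(line, name,   s) {
      if (!match(line, "\\[" name " \"[^\"]*\"\\]")) return ""
      s = substr(line, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"\]$/, "", s)
      return s
    }
    /ModSecurity: Access denied/ {
      id = tag($0, "id")
      if (id != "" && tag($0, "hostname") == host) n[id " " tag($0, "uri")]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2,2
}

# exclusion_for HOST URI (log on stdin): print a block scoped to that one path.
exclusion_for() {
  ids=$(modsec_hits "$1" | awk -v u="$2" '$3 == u { print $2 }' | sort -n | tr '\n' ' ')
  [ -n "$ids" ] || return 1        # no denials logged for this host and path
  re=$(printf '%s' "$2" | sed 's/[].[^$*+?(){}|\\]/\\&/g')   # escape regex metacharacters
  printf '<IfModule mod_security2.c>\n<LocationMatch "^%s$">\n' "$re"
  printf 'SecRuleRemoveById %s\n</LocationMatch>\n</IfModule>\n' "${ids% }"
}

sample_log | modsec_hits example.com
sample_log | exclusion_for example.com /administrator/index.php
```

Only IDs that actually fired for that host and path end up in the block, so rule 950013, which was logged for a different site, is left enabled.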

For Error:-

[Fri Feb 22 23:08:12 2013] [error] [client 115.254.69.82] ModSecurity: Input filter: Failed to delete temporary file: /tmp/attractaseo.It1985/20130222-230810-USf6WUPc0YgAADTur-8AAAAM-request_body-8t21Cz [hostname "skaysolutions.com.es"] [uri "/unidiversidad/wp-admin/async-upload.php"] [unique_id "USf6WUPc0YgAADTur-8AAAAM"]

Fix:-

vi /etc/httpd/conf/modsec2.user.conf

SecUploadDir /tmp

SecTmpDir /tmp



Block Access to xmlrpc.php Server Wide

Why would you want to do this? See https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html: xmlrpc.php is way more attractive than wp-login when it comes to a dictionary attack.

Blocking xmlrpc.php access will break Jetpack. A lot of customers and their respective clients use it. Don't blindly redirect all requests to xmlrpc.php without checking with them first (or go ahead and block it if it's causing a big problem, and then let them know what you did and how it can affect their sites!).

Step-by-step guide

Edit /usr/local/apache/conf/includes/pre_main_global.conf

Add the following to the bottom of this include file:

<IfModule mod_alias.c>

RedirectMatch 301 ^.*/xmlrpc.php$ http://127.0.0.1/

</IfModule>

Restart httpd. (service httpd restart)

Test accessing xmlrpc.php on a WordPress site on the server. (e.g. www.example.org/xmlrpc.php)

 
 
 
