Jan 22 2010

There are several ways to disable Mod Security for a specific domain, or for a location within a domain's pages. More often than not, when you add a new domain after installing mod_security, you will see Apache 500 errors when you try to post, or when a client tries to post a reply in a forum. This can be traced back to mod_security and verified using

tac /usr/local/apache/logs/error_log |grep 500 |less

This will output something like:

[Tue Jan 12 13:53:49 2010] [error] [client 123.116.100.144] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\\(.*from)" at ARGS:comment. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "355"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "g33kinfo.com"] [uri "/info/wp-comments-post.php"] [unique_id "S0zFPUPh8qsAAD69EYQAAAAL"]

[Mon Jan 11 09:54:51 2010] [error] [client 74.208.147.13] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\\(.*\\)\\;" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "325"] [id "300008"] [rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"] [hostname "67.225.242.173"] [uri "/pma/config/config.inc.php"] [unique_id "S0s7u0Ph8qsAAEbRiZwAAAAL"]

The part of the log line you want to take notice of is the id, “300008” or “300016”. This identifies the mod_security rule that is being triggered (just before the id are the file and line number where the actual rule resides). Sometimes the silly thing will match ordinary words like ‘select’ and ‘from’, which MySQL uses in certain queries, and will block a post.

The first way, disabling mod_security for the whole domain, is to create a directory for that domain:

mkdir -p /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.TLD

Then create a mod_security conf file:

touch /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.TLD/mod_security.conf

Using your favorite Linux text editor, such as pico or vi, add the following directive to that file:


SecRuleEngine Off

Save the file and then run:

/scripts/ensure_vhost_includes --user=USERNAME

The second way, which is much better, is to add the specific location of the file that is causing the error to the modsec whitelist:

vim /usr/local/apache/conf/modsec2/whitelist.conf

and add:


SecRuleRemoveById 300008 300015 300016 300017 330001


SecRuleRemoveById 300008 300015 300016 300017 330001


SecRuleRemoveById 300008 300015 300016 300017 330001


Notice that we are adding only the specific rule ids being triggered to the whitelist. As you can see, when you use WordPress and try to add code to a post, rules will be triggered and need to be added to the whitelist. This is safer than disabling modsec for the whole domain.
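As an added example (not part of the original post), here is a small shell script that pulls the rule id, hostname and URI out of the ModSecurity denials in error_log, counts them, and prints a whitelist block scoped to one URI. It assumes the mod_security 2.x log format shown above and wraps SecRuleRemoveById in an Apache LocationMatch container (an assumption, since the container tags in the post did not survive); the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find out which ModSecurity rule
# ids are firing, for which host and URI, before whitelisting anything.
# Log lines below are constructed in the mod_security 2.x error_log format
# shown in the post; IPs and hostnames are documentation placeholders.
SAMPLE_LOG=$(cat <<'EOF'
[Tue Jan 12 13:53:49 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(select.+from)" at ARGS:comment. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "355"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-comments-post.php"] [unique_id "AAAA1"]
[Tue Jan 12 14:02:10 2010] [error] [client 198.51.100.7] File does not exist: /home/user/public_html/favicon.ico
[Tue Jan 12 14:10:33 2010] [error] [client 203.0.113.9] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(select.+from)" at ARGS:comment. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "355"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-comments-post.php"] [unique_id "AAAA2"]
[Tue Jan 12 15:41:08 2010] [error] [client 198.51.100.23] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(system|exec)\\(.*\\)\\;" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "325"] [id "300008"] [rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"] [hostname "example.com"] [uri "/pma/config/config.inc.php"] [unique_id "AAAA3"]
EOF
)

# One "id hostname uri" line per ModSecurity denial on stdin; other errors
# (which a plain "grep 500" would also catch) are dropped.
modsec_denials() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[id "\([0-9]*\)"\].*\[hostname "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2 \3/p'
}

# Count denials per (id, hostname, uri), most frequent first. A rule that keeps
# firing on the comment form is a false-positive candidate; one that fires on
# /pma/config/config.inc.php is probably doing its job and should stay.
modsec_summary() {
    modsec_denials | sort | uniq -c | sort -rn
}

# Emit a whitelist block scoped to one URI: remove only the listed rule ids
# there, instead of SecRuleEngine Off for the whole domain. The LocationMatch
# wrapper is an assumption; the post's own container tags were lost.
gen_whitelist_block() {
    uri=$1; shift
    printf '<LocationMatch "^%s$">\n' "$uri"
    printf '    SecRuleRemoveById %s\n' "$*"
    printf '</LocationMatch>\n'
}

# Real use: feed the live log instead of the sample, e.g.
#   tac /usr/local/apache/logs/error_log | modsec_summary
printf '%s\n' "$SAMPLE_LOG" | modsec_summary
gen_whitelist_block /wp-comments-post.php 300016
```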

Posted at 12:31 am