There are several ways to disable ModSecurity for a specific domain, or for a specific location within a domain's pages. More often than not, when you add a new domain after installing mod_security, you will see Apache 500 errors when you try to post, or when a visitor tries to post a reply in a forum. This can be traced back to mod_security and verified with:
tac /usr/local/apache/logs/error_log |grep 500 |less
This will output something like:
[Tue Jan 12 13:53:49 2010] [error] [client 123.116.100.144] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\\(.*from)" at ARGS:comment. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "355"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "g33kinfo.com"] [uri "/info/wp-comments-post.php"] [unique_id "S0zFPUPh8qsAAD69EYQAAAAL"]
[Mon Jan 11 09:54:51 2010] [error] [client 74.208.147.13] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\\(.*\\)\\;" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "325"] [id "300008"] [rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"] [hostname "67.225.242.173"] [uri "/pma/config/config.inc.php"] [unique_id "S0s7u0Ph8qsAAEbRiZwAAAAL"]
The part of the entry to take notice of is the id, "300008" or "300016" here. It identifies the mod_security rule that was triggered; the [file] and [line] fields just before it tell you which rules file the rule lives in and on which line, [uri] tells you which page was being requested, and "at ARGS:comment" or "at REQUEST_URI" tells you which part of the request matched. The 500 is simply the status code the rule's deny action returns (Access denied with code 500), not a crash in Apache. Sometimes the silly thing will match plain words like 'select' and 'from', which turn up in any MySQL query someone pastes into a post, and block the post.
The first way is to disable ModSecurity for the whole domain. Create a directory for that domain:
mkdir -p /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.TLD
Then create a mod_security conf file in it:
touch /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.TLD/mod_security.conf
Using your favorite Linux text editor, such as pico or vi, add the following directive to that file:
SecRuleEngine Off
Save the file and then run:
/scripts/ensure_vhost_includes --user=USERNAME
Bear in mind that this turns the rule engine off for every request to that domain, so the domain loses all of mod_security's protection, not just the one rule that misfired. If you only want to see what would have been blocked while you sort out the false positives, SecRuleEngine DetectionOnly logs matches without denying anything. If the domain is also served over SSL, the same file has to exist under /usr/local/apache/conf/userdata/ssl/2/USERNAME/DOMAIN.TLD/ as well, since cPanel keeps separate includes for the std and ssl vhosts.
The second way, which is actually much better, is to remove only the specific rule ids that misfire on the file or location that is causing the error, by adding them to the modsec whitelist.
vim /usr/local/apache/conf/modsec2/whitelist.conf
and add a line such as:
SecRuleRemoveById 300008 300015 300016 300017 330001
Notice we are removing only the specific rule ids that were triggered, instead of turning the engine off. As you can see, when you use WordPress and try to add code to a post, rules will be triggered and need to be added to the whitelist; this is safer than disabling modsec for the domain. Two things to check before adding an id. First, make sure the blocked request was legitimate: the 300016 hit above is a comment posted to wp-comments-post.php on g33kinfo.com, a plausible false positive, but the 300008 hit is a request for /pma/config/config.inc.php against the bare server IP, which looks like an automated probe for phpMyAdmin rather than a reader of the site, and is exactly what the rule exists to stop. Second, scope the removal as tightly as you can: whitelist.conf sits in the main server configuration, outside any VirtualHost, so a bare SecRuleRemoveById there applies to every domain and every URL on the box. Wrapping it in an Apache <Location "/path"> block limits it to that path, and placing that block in the per-domain include directory from the first method (instead of whitelist.conf) limits it to that domain as well. After either change, check the syntax with apachectl configtest and restart Apache for it to take effect.
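To make that review step less error-prone, here is an added example (not code from the original post) that parses ModSecurity error_log entries like the ones above, groups them by hostname and URI so you can see which rules fired where and how often, and then emits SecRuleRemoveById lines wrapped in per-path <Location> blocks for a single hostname. The log lines in it are constructed samples modelled on the post's entries (same rule ids, messages, hostnames and URIs; the client IPs and the third entry, a second SQL-injection rule 300015 firing on the same page, are made up for the example), and the helper names parse_modsec_line, summarize_hits and scoped_whitelist are my own.

```python
import re
from collections import defaultdict

# Constructed sample error_log entries, modelled on the ones quoted in the post.
# Rule ids, messages, hostnames and URIs are the post's; the client IPs, the
# third entry (rule 300015 on the same page) and the favicon line are made up.
SAMPLE_LOG = r"""[Tue Jan 12 13:53:49 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\\(.*from)" at ARGS:comment. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "355"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "g33kinfo.com"] [uri "/info/wp-comments-post.php"] [unique_id "S0zFPUPh8qsAAD69EYQAAAAL"]
[Mon Jan 11 09:54:51 2010] [error] [client 198.51.100.7] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(chr|fwrite|fopen|system|exec|phpinfo)\\(.*\\)\\;" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "325"] [id "300008"] [rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"] [hostname "67.225.242.173"] [uri "/pma/config/config.inc.php"] [unique_id "S0s7u0Ph8qsAAEbRiZwAAAAL"]
[Tue Jan 12 14:02:11 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(select.+from)" at ARGS:comment. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "350"] [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "g33kinfo.com"] [uri "/info/wp-comments-post.php"] [unique_id "S0zFPUPh8qsAAD69EYQAAAAM"]
[Tue Jan 12 14:05:00 2010] [error] [client 192.0.2.10] File does not exist: /home/user/public_html/favicon.ico
"""

# ModSecurity writes its metadata as [key "value"] pairs; the leading
# [client 1.2.3.4] is the only bracketed field without quotes around the value.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")


def parse_modsec_line(line):
    """Split one ModSecurity 'Access denied' entry into its fields.
    Returns None for ordinary Apache errors so callers can skip them."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    if m:
        fields["client"] = m.group(1)
    return fields


def summarize_hits(log_text):
    """Group blocked requests by (hostname, uri): which rule ids fired, how
    often, and what the rules claim to have caught. This is what you review
    before deciding whether a hit is a false positive or a real attack."""
    hits = defaultdict(lambda: {"ids": set(), "msgs": set(), "count": 0})
    for line in log_text.splitlines():
        fields = parse_modsec_line(line)
        if not fields or "id" not in fields or "uri" not in fields:
            continue
        entry = hits[(fields.get("hostname", "-"), fields["uri"])]
        entry["ids"].add(fields["id"])
        entry["msgs"].add(fields.get("msg", ""))
        entry["count"] += 1
    return dict(hits)


def scoped_whitelist(hits, hostname):
    """Emit SecRuleRemoveById lines wrapped in Apache <Location> blocks for one
    hostname only. A bare SecRuleRemoveById in whitelist.conf applies to every
    vhost and every path; the <Location> wrapper confines it to the page that
    produced the false positive, and writing the result into the domain's own
    include directory (userdata/std/2/USER/DOMAIN/) confines it to that domain."""
    out = []
    for (host, uri), entry in sorted(hits.items()):
        if host != hostname:
            continue  # e.g. probes against the bare server IP never get whitelisted
        ids = " ".join(sorted(entry["ids"]))
        out.append(f"# {entry['count']} hit(s): {'; '.join(sorted(entry['msgs']))}")
        out.append(f'<Location "{uri}">')
        out.append(f"    SecRuleRemoveById {ids}")
        out.append("</Location>")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = summarize_hits(SAMPLE_LOG)
    for (host, uri), entry in sorted(hits.items()):
        print(f"{host}{uri}: {entry['count']} blocked, rules {sorted(entry['ids'])}")
    print(scoped_whitelist(hits, "g33kinfo.com"))
```

Feed it the real log with something like `summarize_hits(open("/usr/local/apache/logs/error_log").read())` and look at the summary before generating anything: the point of grouping by hostname is that the 300008 hit against the bare IP stays visible in the summary but never makes it into the whitelist for g33kinfo.com.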