Difference between revisions of "Mod security"
m (→Disable Mod_security rule for a specific application in a single domain) |
m |
||
Line 38: | Line 38: | ||
Step 3) Restart apache | Step 3) Restart apache | ||
service httpd restart | service httpd restart | ||
+ | |||
+ | == Disable Mod_security for an IP address == | ||
+ | |||
+ | In ASL, just click the "Whitelist" button. | ||
+ | |||
+ | If you are not using ASL, simply add your IP address to the file: | ||
+ | |||
+ | /etc/asl/whitelist | ||
+ | |||
+ | And restart Apache. | ||
+ | |||
+ | Note: For this rule to work, in ASL you must have the MODSEC_00_WHITELIST ruleset enabled. | ||
+ | |||
+ | If you are not using ASL, then you must have the 00_asl_whitelist.conf ruleset loaded. | ||
+ | |||
+ | |||
+ | == Whitelist an IP == | ||
+ | |||
+ | See above, "Disable Mod_security for an IP address" | ||
== Disable a Mod_security rule (or rules) for all applications in a single domain == | == Disable a Mod_security rule (or rules) for all applications in a single domain == |
Revision as of 10:35, 6 April 2011
Disabling Mod_Security Globally
Step 1) Disable config file
mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled
Step 2) Restart Apache
service httpd restart
Disabling Mod_security per domain
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the following
<IfModule mod_security2.c> SecRuleEngine Off </IfModule>
Step 3) Add vhost.conf to domain config
/usr/local/psa/admin/bin/websrvmng -a
Step 4) Restart Apache
service httpd restart
Disable Mod_security on a global URL
Step 1) Create a global exclude file
vim /etc/httpd/modsecurity.d/00_asl_custom_exclude.conf
Step 2) Add the LocationMatch for the url to exclude. Example: /server.php
<LocationMatch /server.php> <IfModule mod_security2.c> SecRuleEngine Off </IfModule> </LocationMatch>
Step 3) Restart apache
service httpd restart
Disable Mod_security for an IP address
In ASL, just click the "Whitelist" button.
If you are not using ASL, simply add your IP address to the file:
/etc/asl/whitelist
And restart Apache.
Note: For this rule to work, in ASL you must have the MODSEC_00_WHITELIST ruleset enabled.
If you are not using ASL, then you must have the 00_asl_whitelist.conf ruleset loaded.
Whitelist an IP
See above, "Disable Mod_security for an IP address"
Disable a Mod_security rule (or rules) for all applications in a single domain
If you have ASL installed, you only need to run one command:
asl -dr RULE_ID --vhost www.example.com
Replace RULE_ID with the ID of the rule you want to disable for the domain.
If you do not have ASL installed you will have to do this manually:
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005
<LocationMatch .*> <IfModule mod_security2.c> SecRuleRemoveById 950005 </IfModule> </LocationMatch>
If you want to disable multiple rules:
Step 2) Add the LocationMatch for the rule to exclude. Example, ruleids 950005 and 950006
<LocationMatch .*> <IfModule mod_security2.c> SecRuleRemoveById 950005 SecRuleRemoveById 950006 </IfModule> </LocationMatch>
Disable Mod_security rule for a specific application in a single domain
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005
<LocationMatch /URL/path/to/application.php> <IfModule mod_security2.c> SecRuleRemoveById 950005 </IfModule> </LocationMatch>
Disable Mod_security rule for all domains
Use ASL utility to disable rule by ID. Example: 950005
asl --disable-signature 950005
Note: This requires that Atomic Secured Linux be installed.
If you do not have Atomic Secured Linux you can disable a rule globally manually by adding a rule like this:
<LocationMatch .*> <IfModule mod_security2.c> SecRuleRemoveById 340000 </IfModule> </LocationMatch>
Disable Mod_security rules globally for a specific application
Add this to either you vhost.conf file, or if your want to make this global make sure this exclusion is loaded after your rules are loaded. A good place to add this in the 999_asl_user_exclude.conf file. If you don't have this file, just create it. The system is smart enough to know to load it.
<LocationMatch /url/to/your/application> <IfModule mod_security2.c> SecRuleRemoveById 1234567 SecRuleRemoveById 9999999 </IfModule> </LocationMatch>
Whats important to remember is that the LocationMatch variable must match the URL, not the path on the system.
Disable Mod_security rules by domain, for a specific application, for a list of IPs
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude.
<LocationMatch /foo/bar.php> <IfModule mod_security2.c> SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow" </IfModule> </LocationMatch>
Step 3) Add IP to /etc/asl/whitelist
echo "10.11.12.13" >> /etc/asl/whitelist
Or:
If you want to create a special whitelist for just that application:
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude.
<LocationMatch /foo/bar.php> <IfModule mod_security2.c> SecRule REMOTE_ADDR "@pmFromFile /path/to/your/custom/whitelist_for_this_application" "nolog,phase:1,allow" </IfModule> </LocationMatch>
Step 3) Create your custom whitelist and add IP to /etc/asl/whitelist
echo "10.11.12.13" >> /path/to/your/custom/whitelist_for_this_application
Keep in mind these custom lists are *not* managed by ASL, so if you want to add IPs to these lists you will need to do it from the command line.
Customizing a rule
If you need to customize a rule do not change the asl*conf files. These files will be overwritten by updates. If you need to change a rule because it is incorrectly blocking something we recommend you report it to use as a False Postive, using the Reporting_False_Positives procedure. If you simply want to modify a rule to perform different actions, then copy the entire rule into your own rule file, and make sure you tell mod_security not to enable the original ASL rule. You can do that by using the mod_security action SecRuleRemoveById. Here is a simple example:
If you had an original rule like this:
SecRule REQUEST_URI "/foo" "t:normalisePath,id:9000000,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Block /foo'"
And you want it to block "bar" instead of "foo", then you would copy the entire rule into your own custom rule file. If you are using our rules we recommend you use the filename 99_asl_zzz_custom.confm and change the id: field to an unused ID.
SecRuleRemoveById 9000000 SecRule REQUEST_URI "/bar" "t:normalisePath,id:9999999,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Block /foo'"
These are the reserved ranges:
* 1-99,999; reserved for local (internal) use. Use as you see fit but do not use this range for rules that are distributed to others. * 100,000-199,999; reserved for internal use of the engine, to assign to rules that do not have explicit IDs. * 200,000-299,999; reserved for rules published at modsecurity.org. * 300,000-399,999; reserved for rules published at gotroot.com. * 400,000-419,999; unused (available for reservation). * 420,000-429,999; reserved for ScallyWhack. * 430,000-699,999; unused (available for reservation). * 700,000-799,999; reserved for Ivan Ristic. * 900,000-999,999; reserved for the Core Rules project. * 1,000,000 and above; unused (available for reservation).
Configuring and Setting up mod_security
If you are running ASL you do not need to do this. ASL will setup and manage mod_security for you. The page linked to below is only for non-ASL customers that must setup mod_security manually.
To setup and configured modsecurity, please see the Atomic_ModSecurity_Rules wiki page.