Difference between revisions of "Mod security"
(Add guards to see if mod_security2.c is loaded) |
Revision as of 16:40, 30 November 2009
== Disabling Mod_Security Globally ==
Step 1) Disable config file
mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled
Step 2) Restart Apache
service httpd restart
== Disabling Mod_security per domain ==
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the following
 <IfModule mod_security2.c>
   SecRuleEngine Off
 </IfModule>
Step 3) Add vhost.conf to domain config
/usr/local/psa/admin/bin/websrvmng -a
Step 4) Restart Apache
service httpd restart
== Disable Mod_security on a global URL ==
Step 1) Create a global exclude file
vim /etc/httpd/modsecurity.d/00_asl_custom_exclude.conf
Step 2) Add the LocationMatch for the url to exclude. Example: /server.php
 <LocationMatch /server.php>
   <IfModule mod_security2.c>
     SecRuleEngine Off
   </IfModule>
 </LocationMatch>
Step 3) Restart apache
service httpd restart
== Disable a Mod_security rule (or rules) for all applications in a single domain ==
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005
 <LocationMatch .*>
   <IfModule mod_security2.c>
     SecRuleRemoveById 950005
   </IfModule>
 </LocationMatch>
If you want to disable multiple rules:
Step 2) Add the LocationMatch for the rule to exclude. Example, ruleids 950005 and 950006
 <LocationMatch .*>
   <IfModule mod_security2.c>
     SecRuleRemoveById 950005
     SecRuleRemoveById 950006
   </IfModule>
 </LocationMatch>
== Disable Mod_security rule for a specific application in a single domain ==
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005
 <LocationMatch /URL/path/to/application.php>
   <IfModule mod_security2.c>
     SecRuleRemoveById 950005
   </IfModule>
 </LocationMatch>
== Disable Mod_security rule for all domains ==
Use ASL utility to disable rule by ID. Example: 950005
asl --disable-signature 950005
Note: This requires that Atomic Secured Linux be installed.
If you do not have Atomic Secured Linux you can disable a rule globally manually by adding a rule like this:
 <LocationMatch .*>
   <IfModule mod_security2.c>
     SecRuleRemoveById 340000
   </IfModule>
 </LocationMatch>
== Disable Mod_security rules globally for a specific application ==
Add this either to your vhost.conf file or, if you want to make it global, to a file that is loaded after your rules are loaded, so that the exclusion takes effect after the rules it removes. A good place for it is the 999_asl_user_exclude.conf file. If you don't have this file, just create it; the system knows to load it.
 <LocationMatch /url/to/your/application>
   <IfModule mod_security2.c>
     SecRuleRemoveById 1234567
     SecRuleRemoveById 9999999
   </IfModule>
 </LocationMatch>
What's important to remember is that the LocationMatch pattern must match the URL of the request, not the path of the file on the system.
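LocationMatch takes a regular expression that Apache searches, unanchored, against the request URI, so `/server.php` also matches `/old/server.php` and (because `.` is a wildcard) `/serverXphp`. The following added example, which is not part of the original wiki page, parses exclusion blocks written in the style above with a constructed sample config and shows which rules end up disabled for a given URI, including an anchored pattern that only matches the intended URL.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two exclusion blocks in the style of the vhost.conf snippets above.
SAMPLE_CONF = r"""
<LocationMatch /server.php>
  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>
</LocationMatch>
<LocationMatch /URL/path/to/application.php>
  <IfModule mod_security2.c>
    SecRuleRemoveById 950005
    SecRuleRemoveById 950006
  </IfModule>
</LocationMatch>
"""

# Same intent as the first block, but the regex is anchored and the dot escaped.
ANCHORED_CONF = r"""
<LocationMatch "^/server\.php$">
  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>
</LocationMatch>
"""

BLOCK_RE = re.compile(r'<LocationMatch\s+"?([^>"]+)"?>(.*?)</LocationMatch>', re.S)

def parse_exclusions(conf: str) -> List[Tuple[str, List[str], bool]]:
    """Return (regex, removed_rule_ids, engine_off) for each LocationMatch block."""
    blocks = []
    for m in BLOCK_RE.finditer(conf):
        pattern, body = m.group(1).strip(), m.group(2)
        ids = re.findall(r"SecRuleRemoveById\s+(\d+)", body)
        engine_off = re.search(r"SecRuleEngine\s+Off", body, re.I) is not None
        blocks.append((pattern, ids, engine_off))
    return blocks

def effective_for_uri(conf: str, uri: str) -> Dict[str, object]:
    """Apply every block whose regex matches the URI (re.search: unanchored,
    like Apache's LocationMatch) and report what is switched off for it."""
    removed, engine_off = set(), False
    for pattern, ids, off in parse_exclusions(conf):
        if re.search(pattern, uri):
            removed.update(ids)
            engine_off = engine_off or off
    return {"engine_off": engine_off, "removed": sorted(removed)}
```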
== Disable Mod_security rules by domain, for a specific application, for a list of IPs ==
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude.
 <LocationMatch /foo/bar.php>
   <IfModule mod_security2.c>
     SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow"
   </IfModule>
 </LocationMatch>
Step 3) Add IP to /etc/asl/whitelist
echo "10.11.12.13" >> /etc/asl/whitelist
Or:
If you want to create a special whitelist for just that application:
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude.
 <LocationMatch /foo/bar.php>
   <IfModule mod_security2.c>
     SecRule REMOTE_ADDR "@pmFromFile /path/to/your/custom/whitelist_for_this_application" "nolog,phase:1,allow"
   </IfModule>
 </LocationMatch>
Step 3) Create your custom whitelist and add the IP to it
echo "10.11.12.13" >> /path/to/your/custom/whitelist_for_this_application
Keep in mind these custom lists are *not* managed by ASL, so if you want to add IPs to these lists you will need to do it from the command line.
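The `@pmFromFile` operator used in the two whitelist rules above is a phrase (substring) match, not an address comparison: an entry of `10.11.12.1` also allows `10.11.12.13` and `210.11.12.1`. The added example below, which is not part of the original wiki page, models that loading and matching behaviour on a constructed whitelist and contrasts it with exact address/CIDR comparison, which is what `@ipMatchFromFile` (available from ModSecurity 2.7) provides; it also reports the entries a list would over-match.

```python
import ipaddress
from typing import List

# Constructed whitelist in the one-entry-per-line format the echo command above produces.
SAMPLE_WHITELIST = """# trusted office address
10.11.12.1

192.0.2.7
"""

def load_phrases(text: str) -> List[str]:
    """Mimic @pmFromFile loading: one phrase per line, blank and '#' lines skipped."""
    phrases = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            phrases.append(line)
    return phrases

def pm_allows(whitelist_text: str, remote_addr: str) -> bool:
    """@pm / @pmFromFile semantics: the rule fires if ANY phrase occurs anywhere
    inside REMOTE_ADDR (case-insensitive substring search)."""
    addr = remote_addr.lower()
    return any(phrase.lower() in addr for phrase in load_phrases(whitelist_text))

def ip_allows(whitelist_text: str, remote_addr: str) -> bool:
    """Address comparison: exact address or CIDR membership, the semantics of
    @ipMatchFromFile. A bare address is treated as a /32 (or /128) network."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(p, strict=False)
               for p in load_phrases(whitelist_text))

def overmatches(whitelist_text: str, candidates: List[str]) -> List[str]:
    """Candidate addresses that substring matching would allow but address
    matching would not: the clients a @pmFromFile whitelist silently admits."""
    return [c for c in candidates
            if pm_allows(whitelist_text, c) and not ip_allows(whitelist_text, c)]
```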