Difference between revisions of "Mod security"

From Atomicorp Wiki
(Add guards to see if mod_security2.c is loaded)
Line 2: Line 2:
  
 
Step 1) Disable config file
 
Step 1) Disable config file
  mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled
+
mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled
  
 
Step 2) Restart Apache
 
Step 2) Restart Apache
  service httpd restart
+
service httpd restart
  
 
== Disabling Mod_security per domain ==
 
== Disabling Mod_security per domain ==
  
Step 1) edit the vhost/vhost_ssl.conf for the domain
+
Step 1) Edit the vhost/vhost_ssl.conf for the domain
 
   vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
 
   vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
  
 
Step 2) Add the following
 
Step 2) Add the following
 
  <IfModule mod_security2.c>
 
  <IfModule mod_security2.c>
SecRuleEngine Off
+
  SecRuleEngine Off
 
  </IfModule>
 
  </IfModule>
  
 
Step 3) Add vhost.conf to domain config
 
Step 3) Add vhost.conf to domain config
  /usr/local/psa/admin/bin/websrvmng -a
+
/usr/local/psa/admin/bin/websrvmng -a
  
 
Step 4) Restart Apache
 
Step 4) Restart Apache
  /etc/init.d/httpd restart
+
service httpd restart
 
+
 
+
  
 
== Disable Mod_security on a global URL ==
 
== Disable Mod_security on a global URL ==
  
 
Step 1) Create a global exclude file
 
Step 1) Create a global exclude file
  vim /etc/httpd/modsecurity.d/00_asl_custom_exclude.conf
+
vim /etc/httpd/modsecurity.d/00_asl_custom_exclude.conf
  
 
Step 2) Add the LocationMatch for the url to exclude. Example: /server.php
 
Step 2) Add the LocationMatch for the url to exclude. Example: /server.php
  <LocationMatch /server.php>
+
 
      SecRuleEngine Off
+
<LocationMatch /server.php>
  </LocationMatch>
+
  <IfModule mod_security2.c>
 +
    SecRuleEngine Off  
 +
  </IfModule>
 +
</LocationMatch>
  
 
Step 3) Restart apache
 
Step 3) Restart apache
  /etc/init.d/httpd restart
+
service httpd restart
 
+
 
+
  
 
== Disable a Mod_security rule (or rules) for all applications in a single domain ==
 
== Disable a Mod_security rule (or rules) for all applications in a single domain ==
  
Step 1) edit the vhost/vhost_ssl.conf for the domain
+
Step 1) Edit the vhost/vhost_ssl.conf for the domain
  vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
+
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
  
Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005
+
Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005
  <LocationMatch .*>
+
<LocationMatch .*>
        SecRuleRemoveById 950005
+
  <IfModule mod_security2.c>
  </LocationMatch>
+
    SecRuleRemoveById 950005
 +
  </IfModule>
 +
</LocationMatch>
  
 
If you want to disable multiple rules:
 
If you want to disable multiple rules:
  
 
Step 2)  Add the LocationMatch for the rule to exclude. Example, ruleids 950005 and 950006
 
Step 2)  Add the LocationMatch for the rule to exclude. Example, ruleids 950005 and 950006
  <LocationMatch .*>
+
<LocationMatch .*>
        SecRuleRemoveById 950005
+
  <IfModule mod_security2.c>
        SecRuleRemoveById 950006
+
    SecRuleRemoveById 950005
  </LocationMatch>
+
    SecRuleRemoveById 950006
 +
  </IfModule>
 +
</LocationMatch>
  
 
== Disable Mod_security rule for a specific application in a single domain ==
 
== Disable Mod_security rule for a specific application in a single domain ==
  
Step 1) edit the vhost/vhost_ssl.conf for the domain
+
Step 1) Edit the vhost/vhost_ssl.conf for the domain
  vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
+
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
  
Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005
+
Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005
  <LocationMatch /URL/path/to/application.php>
+
<LocationMatch /URL/path/to/application.php>
        SecRuleRemoveById 950005
+
  <IfModule mod_security2.c>
  </LocationMatch>
+
    SecRuleRemoveById 950005
 +
  </IfModule>
 +
</LocationMatch>
  
 
== Disable Mod_security rule for all domains ==
 
== Disable Mod_security rule for all domains ==
  
 
Use ASL utility to disable rule by ID. Example: 950005
 
Use ASL utility to disable rule by ID. Example: 950005
  asl --disable-signature 950005
+
asl --disable-signature 950005
  
Note: This requires that [[Atomic Secured Linux]] be installed.
+
Note: This requires that [[Atomic Secured Linux]] be installed.
  
 
If you do not have [[Atomic Secured Linux]] you can disable a rule globally manually by adding a rule like this:
 
If you do not have [[Atomic Secured Linux]] you can disable a rule globally manually by adding a rule like this:
  
 
+
<LocationMatch .*>
  <LocationMatch .*>
+
  <IfModule mod_security2.c>
  SecRuleRemoveById 340000
+
    SecRuleRemoveById 340000
  </LocationMatch>
+
  </IfModule>
 +
</LocationMatch>
  
 
== Disable Mod_security rules globally for a specific application ==
 
== Disable Mod_security rules globally for a specific application ==
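Review bot: In the "Disable Mod_security on a global URL" step, `<LocationMatch /server.php>` now wraps `SecRuleEngine Off`, but the pattern is an unanchored regular expression in which `.` matches any character, so the engine is switched off for every URL that merely contains a match (for example `/admin/server.php.bak`), not only for that one script. Anchor and escape it, e.g. `<LocationMatch "^/server\.php$">`, and apply the same treatment to `/URL/path/to/application.php` further down. The added `SecRuleEngine Off` line in that block also carries trailing whitespace.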
Line 86: Line 92:
 
Add this to either you vhost.conf file, or if your want to make this global make sure this exclusion is loaded after your rules are loaded.  A good place to add this in the 999_asl_user_exclude.conf file.  If you don't have this file, just create it.  The system is smart enough to know to load it.
 
Add this to either you vhost.conf file, or if your want to make this global make sure this exclusion is loaded after your rules are loaded.  A good place to add this in the 999_asl_user_exclude.conf file.  If you don't have this file, just create it.  The system is smart enough to know to load it.
  
  <LocationMatch /url/to/your/application>
+
<LocationMatch /url/to/your/application>
  SecRuleRemoveById 1234567
+
  <IfModule mod_security2.c>
  SecRuleRemoveById 9999999
+
    SecRuleRemoveById 1234567
  </LocationMatch>
+
    SecRuleRemoveById 9999999
 +
  </IfModule>
 +
</LocationMatch>
  
 
Whats important to remember is that the LocationMatch variable must match the URL, not the path on the system.
 
Whats important to remember is that the LocationMatch variable must match the URL, not the path on the system.
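Review bot: The two `SecRuleRemoveById` lines inside the new `<IfModule mod_security2.c>` block use 1234567 and 9999999 without saying they are placeholders; add a sentence telling the reader to substitute the IDs of the rules that are actually firing, otherwise the block gets pasted as a no-op. While this section is being touched, the unchanged sentences around it need fixing as well: "either you vhost.conf", "if your want" and "Whats".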
Line 95: Line 103:
 
== Disable Mod_security rules by domain, for a specific application, for a list of IPs ==
 
== Disable Mod_security rules by domain, for a specific application, for a list of IPs ==
  
Step 1) edit the vhost/vhost_ssl.conf for the domain
+
Step 1) Edit the vhost/vhost_ssl.conf for the domain
  vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
+
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
  
 
Step 2) Add the LocationMatch for the rule to exclude.
 
Step 2) Add the LocationMatch for the rule to exclude.
  <LocationMatch /foo/bar.php>
+
<LocationMatch /foo/bar.php>
        SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow"
+
  <IfModule mod_security2.c>
  </LocationMatch>
+
    SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow"
 +
  </IfModule>
 +
</LocationMatch>
  
 
Step 3) Add IP to /etc/asl/whitelist
 
Step 3) Add IP to /etc/asl/whitelist
  echo "10.11.12.13" >> /etc/asl/whitelist
+
echo "10.11.12.13" >> /etc/asl/whitelist
  
 
Or:
 
Or:
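Review bot: `@pmFromFile` on `REMOTE_ADDR` in the re-indented rule is a phrase (substring) match, so the entry `10.11.12.13` added in step 3 also matches clients such as 110.11.12.13 or 10.11.12.130, and with `allow` in phase 1 those requests skip the remaining rules. Compare whole addresses instead (`@ipMatchFromFile` where the installed ModSecurity has it), and reconsider `nolog`, which leaves no record of requests that took the bypass.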
Line 110: Line 120:
 
If you want to create a special whitelist for just that application:
 
If you want to create a special whitelist for just that application:
  
Step 1) edit the vhost/vhost_ssl.conf for the domain
+
Step 1) Edit the vhost/vhost_ssl.conf for the domain
  vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
+
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
  
 
Step 2) Add the LocationMatch for the rule to exclude.
 
Step 2) Add the LocationMatch for the rule to exclude.
  <LocationMatch /foo/bar.php>
+
<LocationMatch /foo/bar.php>
        SecRule REMOTE_ADDR "@pmFromFile /path/to/your/custom/whitelist_for_this_application" "nolog,phase:1,allow"
+
  <IfModule mod_security2.c>
  </LocationMatch>
+
    SecRule REMOTE_ADDR "@pmFromFile /path/to/your/custom/whitelist_for_this_application" "nolog,phase:1,allow"
 +
  </IfModule>
 +
</LocationMatch>
  
 
Step 3) Create your custom whitelist and add IP to /etc/asl/whitelist
 
Step 3) Create your custom whitelist and add IP to /etc/asl/whitelist
  echo "10.11.12.13" >> /path/to/your/custom/whitelist_for_this_application
+
echo "10.11.12.13" >> /path/to/your/custom/whitelist_for_this_application
  
 
Keep in mind these custom lists are *not* managed by ASL, so if you want to add IPs to these lists you will need to do it from the command line.
 
Keep in mind these custom lists are *not* managed by ASL, so if you want to add IPs to these lists you will need to do it from the command line.
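Review bot: The step 3 heading in this hunk still says "add IP to /etc/asl/whitelist" while the command under it appends to `/path/to/your/custom/whitelist_for_this_application`; the heading should name the custom file, since the point of this variant is to avoid the shared list. The rule in step 2 reads the custom path, so an IP added to /etc/asl/whitelist as the heading suggests would have no effect here.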

Revision as of 16:40, 30 November 2009

Disabling Mod_Security Globally

Step 1) Disable config file

mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled

Step 2) Restart Apache

service httpd restart

Disabling Mod_security per domain

Step 1) Edit the vhost/vhost_ssl.conf for the domain

 vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

Step 2) Add the following

<IfModule mod_security2.c>
  SecRuleEngine Off
</IfModule>

Step 3) Add vhost.conf to domain config

/usr/local/psa/admin/bin/websrvmng -a

Step 4) Restart Apache

service httpd restart

Disable Mod_security on a global URL

Step 1) Create a global exclude file

vim /etc/httpd/modsecurity.d/00_asl_custom_exclude.conf

Step 2) Add the LocationMatch for the url to exclude. Example: /server.php

<LocationMatch /server.php>
  <IfModule mod_security2.c>
    SecRuleEngine Off 
  </IfModule>
</LocationMatch>

Step 3) Restart Apache

service httpd restart

Disable a Mod_security rule (or rules) for all applications in a single domain

Step 1) Edit the vhost/vhost_ssl.conf for the domain

vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005

<LocationMatch .*>
  <IfModule mod_security2.c>
    SecRuleRemoveById 950005
  </IfModule>
</LocationMatch>

If you want to disable multiple rules:

Step 2) Add the LocationMatch for the rule to exclude. Example, ruleids 950005 and 950006

<LocationMatch .*>
  <IfModule mod_security2.c>
    SecRuleRemoveById 950005
    SecRuleRemoveById 950006
  </IfModule>
</LocationMatch>

Disable Mod_security rule for a specific application in a single domain

Step 1) Edit the vhost/vhost_ssl.conf for the domain

vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005

<LocationMatch /URL/path/to/application.php>
  <IfModule mod_security2.c>
    SecRuleRemoveById 950005
  </IfModule>
</LocationMatch>

Disable Mod_security rule for all domains

Use ASL utility to disable rule by ID. Example: 950005

asl --disable-signature 950005

Note: This requires that Atomic Secured Linux be installed.

If you do not have Atomic Secured Linux you can disable a rule globally manually by adding a rule like this:

<LocationMatch .*>
  <IfModule mod_security2.c>
    SecRuleRemoveById 340000
  </IfModule>
</LocationMatch>

Disable Mod_security rules globally for a specific application

Add this to either your vhost.conf file or, if you want to make this global, make sure this exclusion is loaded after your rules are loaded. A good place to add this is the 999_asl_user_exclude.conf file. If you don't have this file, just create it. The system is smart enough to know to load it.

<LocationMatch /url/to/your/application>
  <IfModule mod_security2.c>
    SecRuleRemoveById 1234567
    SecRuleRemoveById 9999999
  </IfModule>
</LocationMatch>

What's important to remember is that the LocationMatch pattern must match the URL, not the path on the system.
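To see which URLs an exclusion really covers, the following added example (not part of the original wiki page or of ASL) parses LocationMatch blocks that relax ModSecurity and tests each pattern against request paths. The sample config, the sample URLs and all function names are constructed for illustration, and Python's `re` stands in for Apache's regex engine.

```python
import re

# Constructed sample config in the shape this page uses (not from a real server).
SAMPLE_CONF = """\
<LocationMatch /server.php>
  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>
</LocationMatch>
<LocationMatch "^/url/to/your/application(/|$)">
  <IfModule mod_security2.c>
    SecRuleRemoveById 1234567
    SecRuleRemoveById 9999999
  </IfModule>
</LocationMatch>
"""
# Constructed request paths to test each exclusion against.
SAMPLE_URLS = ["/server.php", "/admin/server.php", "/serverXphp", "/server.php.bak",
               "/index.php", "/url/to/your/application/login",
               "/url/to/your/application-old", "/x/url/to/your/application"]

BLOCK = re.compile(r'<LocationMatch\s+"?([^">]+)"?\s*>(.*?)</LocationMatch>', re.S | re.I)
RELAX = re.compile(r'^\s*(SecRuleEngine\s+Off|SecRuleRemoveById\s+.+?)\s*$', re.M | re.I)

def exclusions(conf):
    """(pattern, directives) for every LocationMatch block that relaxes ModSecurity."""
    out = []
    for pattern, body in BLOCK.findall(conf):
        directives = [" ".join(d.split()) for d in RELAX.findall(body)]
        if directives:
            out.append((pattern.strip(), directives))
    return out

def covered(pattern, urls):
    """LocationMatch is an unanchored regex search on the URL path, so use re.search."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]

def audit(conf, urls):
    """Per exclusion: what it turns off, whether it is anchored, which URLs it hits."""
    return {p: {"directives": d, "anchored": p.startswith("^"),
                "covers": covered(p, urls)} for p, d in exclusions(conf)}

if __name__ == "__main__":
    for pattern, info in audit(SAMPLE_CONF, SAMPLE_URLS).items():
        print(pattern, info)
```

The unanchored `/server.php` pattern covers four of the sample paths, while the anchored second pattern covers only the application's own URL space.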

Disable Mod_security rules by domain, for a specific application, for a list of IPs

Step 1) Edit the vhost/vhost_ssl.conf for the domain

vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

Step 2) Add the LocationMatch for the rule to exclude.

<LocationMatch /foo/bar.php>
  <IfModule mod_security2.c>
    SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow"
  </IfModule>
</LocationMatch>

Step 3) Add IP to /etc/asl/whitelist

echo "10.11.12.13" >> /etc/asl/whitelist

Or:

If you want to create a special whitelist for just that application:

Step 1) Edit the vhost/vhost_ssl.conf for the domain

vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

Step 2) Add the LocationMatch for the rule to exclude.

<LocationMatch /foo/bar.php>
  <IfModule mod_security2.c>
    SecRule REMOTE_ADDR "@pmFromFile /path/to/your/custom/whitelist_for_this_application" "nolog,phase:1,allow"
  </IfModule>
</LocationMatch>

Step 3) Create your custom whitelist and add IP to /etc/asl/whitelist

echo "10.11.12.13" >> /path/to/your/custom/whitelist_for_this_application

Keep in mind these custom lists are *not* managed by ASL, so if you want to add IPs to these lists you will need to do it from the command line.
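Because these lists are maintained by hand, it is worth checking what the `@pmFromFile` rule above will accept. This added example (not from the original page or from ASL) models the operator as a case-insensitive substring match, which is an assumption about its phrase-matching behaviour, and compares it with whole-address matching; the whitelist content, client addresses and function names are constructed.

```python
import ipaddress

# Constructed whitelist content, one entry per line as the page's echo command writes it.
SAMPLE_WHITELIST = """\
# office gateway
10.11.12.13
"""
# Constructed client addresses, as they might appear in an access log.
SAMPLE_CLIENTS = ["10.11.12.13", "110.11.12.13", "10.11.12.130",
                  "210.11.12.131", "10.11.12.1", "192.0.2.7"]

def load_entries(text):
    """Entries of a phrase file; blank lines and # comments are skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def split_entries(entries):
    """Separate entries that parse as an IP or CIDR from those that do not."""
    nets, bad = [], []
    for e in entries:
        try:
            nets.append(ipaddress.ip_network(e, strict=False))
        except ValueError:
            bad.append(e)
    return nets, bad

def phrase_match(addr, entries):
    """Model of @pm/@pmFromFile: any phrase found anywhere in the value, ignoring case."""
    return any(e.lower() in addr.lower() for e in entries)

def address_match(addr, entries):
    """Whole-address or CIDR comparison, which is what an IP allowlist is meant to express."""
    nets, _ = split_entries(entries)
    return any(ipaddress.ip_address(addr) in n for n in nets)

def unintended(clients, entries):
    """Clients the phrase match lets through although they are not on the list."""
    return [c for c in clients
            if phrase_match(c, entries) and not address_match(c, entries)]

if __name__ == "__main__":
    entries = load_entries(SAMPLE_WHITELIST)
    print("not an address:", split_entries(entries)[1])
    print("over-matched:", unintended(SAMPLE_CLIENTS, entries))
```

Where the installed ModSecurity provides `@ipMatchFromFile`, that operator compares whole addresses and CIDR ranges rather than phrases.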
