Difference between revisions of "Mod security"

From Atomicorp Wiki
(Disable a Mod_security rule (or rules) for all applications in a single domain)
m (Disable a Mod_security rule (or rules) for all applications in a single domain)
Line 41: Line 41:
 
== Disable a Mod_security rule (or rules) for all applications in a single domain ==
 
== Disable a Mod_security rule (or rules) for all applications in a single domain ==
  
If you have ASL installed, you only need to run one command:
+
'''If you have ASL installed''', you only need to run one command:
 +
 
 +
 
 +
  asl -dr RULE_ID --vhost www.example.com
  
asl -dr RULE_ID --vhost www.example.com
 
  
 
Replace RULE_ID with the ID of the rule you want to disable for the domain.
 
Replace RULE_ID with the ID of the rule you want to disable for the domain.
  
If you do not have ASL installed you will have to do this manually:
+
 
 +
'''If you do not have ASL installed''' you will have to do this manually:
  
 
Step 1) Edit the vhost/vhost_ssl.conf for the domain
 
Step 1) Edit the vhost/vhost_ssl.conf for the domain
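Review bot: the second bolded lead-in, '''If you do not have ASL installed''' you will have to do this manually:, has no comma after the bold clause, while the first one, '''If you have ASL installed''', you only need to run one command:, does. Add the comma so the two parallel sentences are punctuated the same way.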

Revision as of 18:03, 21 June 2010

Disabling Mod_Security Globally

Step 1) Disable config file

mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled

Step 2) Restart Apache

service httpd restart

Disabling Mod_security per domain

Step 1) Edit the vhost/vhost_ssl.conf for the domain

 vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

Step 2) Add the following

<IfModule mod_security2.c>
  SecRuleEngine Off
</IfModule>

Step 3) Add vhost.conf to domain config

/usr/local/psa/admin/bin/websrvmng -a

Step 4) Restart Apache

service httpd restart

Disable Mod_security on a global URL

Step 1) Create a global exclude file

vim /etc/httpd/modsecurity.d/00_asl_custom_exclude.conf

Step 2) Add the LocationMatch for the URL to exclude. Example: /server.php

<LocationMatch /server.php>
  <IfModule mod_security2.c>
    SecRuleEngine Off 
  </IfModule>
</LocationMatch>

Step 3) Restart Apache

service httpd restart

Disable a Mod_security rule (or rules) for all applications in a single domain

If you have ASL installed, you only need to run one command:


 asl -dr RULE_ID --vhost www.example.com


Replace RULE_ID with the ID of the rule you want to disable for the domain.


If you do not have ASL installed you will have to do this manually:

Step 1) Edit the vhost/vhost_ssl.conf for the domain

vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005

<LocationMatch .*>
  <IfModule mod_security2.c>
    SecRuleRemoveById 950005
  </IfModule>
</LocationMatch>

If you want to disable multiple rules:

Step 2) Add the LocationMatch for the rule to exclude. Example, ruleids 950005 and 950006

<LocationMatch .*>
  <IfModule mod_security2.c>
    SecRuleRemoveById 950005
    SecRuleRemoveById 950006
  </IfModule>
</LocationMatch>

Disable Mod_security rule for a specific application in a single domain

Step 1) Edit the vhost/vhost_ssl.conf for the domain

vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005

<LocationMatch /URL/path/to/application.php>
  <IfModule mod_security2.c>
    SecRuleRemoveById 950005
  </IfModule>
</LocationMatch>

Disable Mod_security rule for all domains

Use the ASL utility to disable the rule by ID. Example: 950005

asl --disable-signature 950005

Note: This requires that Atomic Secured Linux be installed.

If you do not have Atomic Secured Linux, you can disable a rule globally by hand by adding a directive like this:

<LocationMatch .*>
  <IfModule mod_security2.c>
    SecRuleRemoveById 340000
  </IfModule>
</LocationMatch>

Disable Mod_security rules globally for a specific application

Add this either to your vhost.conf file or, if you want to make it global, to a file that is loaded after your rules are loaded. A good place to add this is the 999_asl_user_exclude.conf file. If you don't have this file, just create it. The system is smart enough to know to load it.

<LocationMatch /url/to/your/application>
  <IfModule mod_security2.c>
    SecRuleRemoveById 1234567
    SecRuleRemoveById 9999999
  </IfModule>
</LocationMatch>

What's important to remember is that the LocationMatch pattern must match the URL, not the path on the system.
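Every exclusion on this page is scoped by a LocationMatch regular expression, and that expression is unanchored, so a pattern such as /server.php covers more URLs than the one it names. The following is an added example, not part of the original wiki page or of ASL: a small Python audit that lists the exclusions in a configuration and shows which URL paths each one covers. The function names, the sample configuration and the sample paths are constructed, and Python's re module is used as an approximation of Apache's regex matching.

```python
import re

# Constructed sample: two exclusion blocks of the kind shown on this page.
SAMPLE_CONF = """
<LocationMatch /server.php>
  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>
</LocationMatch>
<LocationMatch .*>
  <IfModule mod_security2.c>
    SecRuleRemoveById 950005
    SecRuleRemoveById 950006
  </IfModule>
</LocationMatch>
"""

BLOCK = re.compile(r"<LocationMatch\s+(\S+?)>(.*?)</LocationMatch>", re.S | re.I)

def list_exclusions(conf_text):
    """Return one record per LocationMatch block that disables the engine or removes rules."""
    found = []
    for pattern, body in BLOCK.findall(conf_text):
        engine_off = bool(re.search(r"^\s*SecRuleEngine\s+Off\b", body, re.M | re.I))
        lines = re.findall(r"^\s*SecRuleRemoveById\s+(.+)$", body, re.M | re.I)
        rule_ids = [rid for line in lines for rid in line.split()]
        if engine_off or rule_ids:
            found.append({"pattern": pattern.strip('"'),
                          "engine_off": engine_off, "rule_ids": rule_ids})
    return found

def covered_paths(pattern, url_paths):
    """Approximate LocationMatch: the regex is unanchored, so a match anywhere counts."""
    return [p for p in url_paths if re.search(pattern, p)]

# Constructed URL paths used to test how far an exclusion really reaches.
PATHS = ["/server.php", "/admin/server.php", "/server.php.bak", "/serverXphp", "/index.php"]

if __name__ == "__main__":
    for exc in list_exclusions(SAMPLE_CONF):
        print(exc, "->", covered_paths(exc["pattern"], PATHS))
    # Anchoring and escaping the dot limits the exclusion to the one intended URL.
    print(covered_paths(r"^/server\.php$", PATHS))
```

Writing the pattern as ^/server\.php$ in the LocationMatch keeps the exclusion to the single URL it was meant for.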

Disable Mod_security rules by domain, for a specific application, for a list of IPs

Step 1) Edit the vhost/vhost_ssl.conf for the domain

vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

Step 2) Add the LocationMatch for the rule to exclude.

<LocationMatch /foo/bar.php>
  <IfModule mod_security2.c>
    SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow"
  </IfModule>
</LocationMatch>

Step 3) Add IP to /etc/asl/whitelist

echo "10.11.12.13" >> /etc/asl/whitelist

Or:

If you want to create a special whitelist for just that application:

Step 1) Edit the vhost/vhost_ssl.conf for the domain

vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

Step 2) Add the LocationMatch for the rule to exclude.

<LocationMatch /foo/bar.php>
  <IfModule mod_security2.c>
    SecRule REMOTE_ADDR "@pmFromFile /path/to/your/custom/whitelist_for_this_application" "nolog,phase:1,allow"
  </IfModule>
</LocationMatch>

Step 3) Create your custom whitelist and add the IP to it

echo "10.11.12.13" >> /path/to/your/custom/whitelist_for_this_application

Keep in mind these custom lists are *not* managed by ASL, so if you want to add IPs to these lists you will need to do it from the command line.
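The whitelist rules above use @pmFromFile, which is a phrase match: an entry matches when it occurs anywhere inside REMOTE_ADDR, not only when the whole address is equal. The following is an added example, not part of the original wiki page or of ASL, that compares the phrase-match behaviour with an address-aware comparison so that over-broad allows can be spotted in review. The function names and the client addresses are constructed, and the phrase match is a Python approximation of the operator.

```python
import ipaddress

# Constructed whitelist contents, one entry per line as in /etc/asl/whitelist.
WHITELIST = ["10.11.12.13"]

# Constructed client addresses, e.g. taken from an access log for /foo/bar.php.
CLIENTS = ["10.11.12.13", "10.11.12.130", "110.11.12.13", "192.0.2.7"]

def pm_match(remote_addr, phrases):
    """Approximate @pm/@pmFromFile: case-insensitive phrase found anywhere in the value."""
    value = remote_addr.lower()
    return any(p.strip().lower() in value for p in phrases if p.strip())

def ip_match(remote_addr, entries):
    """Address-aware check: exact host, or membership when an entry is a CIDR block."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(e.strip(), strict=False)
               for e in entries if e.strip())

def unintended_allows(clients, entries):
    """Clients the phrase match lets through that are not actually on the list."""
    return [c for c in clients if pm_match(c, entries) and not ip_match(c, entries)]

if __name__ == "__main__":
    for c in CLIENTS:
        print(f"{c:15} pm={pm_match(c, WHITELIST)!s:5} ip={ip_match(c, WHITELIST)}")
    print("review:", unintended_allows(CLIENTS, WHITELIST))
```

Later ModSecurity 2.x releases provide the @ipMatchFromFile operator, which compares addresses rather than phrases and is the better fit for an IP whitelist where it is available.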

Configuring and Setting up mod_security

If you are running ASL you do not need to do this. ASL will set up and manage mod_security for you. The page linked to below is only for non-ASL customers who must set up mod_security manually.

To set up and configure mod_security, please see the Atomic_ModSecurity_Rules wiki page.
