One of our clients reported an issue with loading their domain. On checking, we could see that a ModSecurity rule (id "1234123413") had been triggered, which caused the issue. We then whitelisted the rule on the server, but upon checking we could see that the rule was not whitelisted properly and was triggered again.
The entries shown in the Apache error logs are:
-------------------
[error] [client IP] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at
REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "103"] [id "1234123413"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "domain"] [uri "/"] [unique_id "WMw3F63B3j4AAG1KQXUAAAAd"]
[error] [client IP] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at
REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "103"] [id "1234123413"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "domain"] [uri "/favicon.ico"] [unique_id "WMw3GK3B3j4AAHKuiisAAAAC"]
------------------
Apache version : Apache/2.2.31
PHP Version : 5.4.45
Issue with whitelisting Mod_security rule in cPanel
-
- Junior Member
- Posts: 21
- Joined: 07 Aug 2007, 20:29
Re: Issue with whitelisting Mod_security rule in cPanel
I'm seeing this behavior recently as well, lots of IPs getting blocked in CSF for rules that are whitelisted in CMC.
-
- Junior Member
- Posts: 21
- Joined: 07 Aug 2007, 20:29
Re: Issue with whitelisting Mod_security rule in cPanel
I may have found the issue on my server...sharing in case it helps.
My modsec2.conf includes user.conf (which includes whitelist.conf) and cpanel.conf. So whitelist.conf was being parsed before cpanel.conf. I've added a line to modsec2.conf to include whitelist.conf after user.conf and cpanel.conf, and so far I'm not seeing any blocks caused by whitelisted rules.
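The include-order problem described in the post above, as an added example (not part of the thread, and not ConfigServer or cPanel code): ModSecurity requires `SecRuleRemoveById` to be read after the rule it disables, so this Python check follows `Include` directives in parse order and reports rule IDs whose only removal is parsed too early. The file contents, the rule ID 1000002 and the file names `modsec2.whitelist.conf` and `modsec2.cpanel.conf` are constructed for illustration.

```python
import re

def directives(configs, name):
    """Yield (file, line) in parse order, descending into Include directives."""
    for line in configs[name].splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        inc = re.match(r'Include\s+"?([^"\s]+)"?', line, re.I)
        if inc:
            yield from directives(configs, inc.group(1))
        else:
            yield name, line

def unremoved(configs, root):
    """Rule IDs that have a SecRuleRemoveById somewhere, but never one parsed
    after the rule's definition (plain IDs only; ranges are not handled)."""
    defined, requested, removed = set(), set(), set()
    for _fname, line in directives(configs, root):
        if re.match(r"SecRuleRemoveById\s", line, re.I):
            for rid in re.findall(r"\b\d+\b", line):
                requested.add(rid)
                if rid in defined:      # the rule already exists, so removal works
                    removed.add(rid)
        else:
            defined.update(re.findall(r"\bid:'?(\d+)", line))
    return sorted((requested & defined) - removed)

# Constructed layout mirroring the post: the whitelist is pulled in via the
# user file, before the vendor rules are loaded.
BEFORE = {
    "modsec2.conf": "Include modsec2.user.conf\nInclude modsec2.cpanel.conf\n",
    "modsec2.user.conf": "Include modsec2.whitelist.conf\n",
    "modsec2.whitelist.conf": "SecRuleRemoveById 1000002\n",
    "modsec2.cpanel.conf":
        'SecRule REQUEST_HEADERS:Cookie "@rx 1=1" "id:1000002,phase:2,deny,status:406"\n',
}
# The poster's fix: include the whitelist again after both rule files.
AFTER = {**BEFORE,
         "modsec2.conf": BEFORE["modsec2.conf"] + "Include modsec2.whitelist.conf\n"}

if __name__ == "__main__":
    print("before:", unremoved(BEFORE, "modsec2.conf"))
    print("after: ", unremoved(AFTER, "modsec2.conf"))
```
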
-
- Junior Member
- Posts: 18
- Joined: 04 Jan 2017, 09:29
Re: Issue with whitelisting Mod_security rule in cPanel
Same problem here. I whitelisted rules for several users and they are applied anyway.
-
- Junior Member
- Posts: 18
- Joined: 04 Jan 2017, 09:29
Re: Issue with whitelisting Mod_security rule in cPanel
Finally I found that my issue is with user-defined rules using <LocationMatch>. In this post I explain the workaround: viewtopic.php?f=31&t=10108&p=28474#p28474
I hope that ConfigServer sees this and fixes the issue.