Mod_security enable and disable in panel

@smtalk it is now possible to enable and disable modsecurity.

This option is working perfectly.


However, the ModSecurity Disabled Rules option does not work. I added a rule, but it does not work with modsecurity enabled.


 
I suppose that is why my etc/modsecurity.d was erased and rewritten again yesterday after an update. :(
Had to remake my additional rules over again, luckily stored in etc/modsecurity.custom.
Can you at least exclude these files from deletion?
REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Their default names are *.conf.extra or *.conf.example.
 
Add at the bottom of RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:
(rename RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.extra or with ending .example to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf)
Code:
SecRuleRemoveById  212320

Restart httpd and/or nginx. Check if they are running. If not, undo changes.
 
Where do I find this?
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

In my folder modsecurity.d I have two files:
comodo_rules.conf - comodo_rules.conf.main

Inside the file comodo_rules.conf there is nothing, it is blank.

Which file or directory should I configure this in?
 
Sorry! You can use 2 types of modsecurity rulesets: OWASP and Comodo. Since I'm using the OWASP ruleset I gave a solution for that. Forgot about Comodo.

Scan your Comodo ruleset (WAF it is called I think) for "SecRuleRemoveById" and try to find a file where you can put in your custom rules.
 
My modsecurity was configured with Comodo; when I did the build it was selected, but I don't know where to place the rules.
 
What’s inside /usr/local/directadmin/data/users/username/bessa-consulultores.online.modsecurity_rules file?
 
I would try to put SecRuleRemoveById 212320 in comodo_rules.conf and try if it is working.

As I understand it, in the next release of DA (you're on a pre release now) it will be possible to set rules on a per domain basis.
I hope the old functionality will still remain, because I apply all rules server wide.

@smtalk, please take a look at post 26, https://forum.directadmin.com/threads/mod_security-enable-and-disable-in-panel.62006/post-319310 concerning removing rules with DA/CB updates.
 
My directory is different from the one informed by you, see
/usr/local/directadmin/data/users/cbessa/domains/bessa-consultores.online.modsecurity_rules

In file bessa-consultores.online.modsecurity_rules:

Code:
SecRuleEngine On
SecRuleRemoveById 212320
SecRuleRemoveById 212340
SecRuleRemoveById 212890


I'm adding the rules, but new ones appear.

This problem occurs in Moodle.
 
Yes, removing 1 id leads to another id. Result: hours of removing id's.
Do you alone need to remove these id's? Or are they needed for customer/guests for a working site?

I was sick and tired of hunting id's that keep popping up. So I chose another approach. I whitelisted my ip in modsecurity and now I don't need to remove id's.

Code:
SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" \
    "id:1000,phase:1,pass,nolog,ctl:ruleEngine=Off"
 
New ids appeared, added and solved.

I didn't get to use the ip, but it's a great tip.
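
Added example (not part of any post in this thread, and not DirectAdmin or Comodo code): rather than chasing IDs one block at a time, a script can collect every rule ID that blocked a request from a known-good client and print the SecRuleRemoveById lines for the per-domain rules file. The log lines, hostnames and client addresses are constructed and abbreviated, and the IPv4-only client match is an assumption about the log format.

```python
import re
from collections import defaultdict

# Constructed, abbreviated Apache error_log lines in ModSecurity's bracketed-tag
# format. Rule ids come from the thread; clients, hostnames, URIs, messages are made up.
SAMPLE_LOG = '''\
[client 198.51.100.7:51000] ModSecurity: Access denied with code 403 (phase 2). [id "212320"] [msg "constructed A"] [hostname "moodle.example.test"] [uri "/course/modedit.php"]
[client 198.51.100.7:51002] ModSecurity: Access denied with code 403 (phase 2). [id "212340"] [msg "constructed B"] [hostname "moodle.example.test"] [uri "/course/modedit.php"]
[client 198.51.100.7:51004] ModSecurity: Access denied with code 403 (phase 2). [id "212320"] [msg "constructed A"] [hostname "moodle.example.test"] [uri "/mod/quiz/edit.php"]
[client 203.0.113.99:40000] ModSecurity: Access denied with code 403 (phase 2). [id "212890"] [msg "constructed C"] [hostname "moodle.example.test"] [uri "/login/index.php"]
[client 198.51.100.7:51006] ModSecurity: Access denied with code 403 (phase 2). [id "212890"] [msg "constructed C"] [hostname "other.example.test"] [uri "/index.php"]
'''

TAG = re.compile(r'\[(id|hostname|uri) "([^"]*)"\]')
CLIENT = re.compile(r'\[client (\d+\.\d+\.\d+\.\d+)')  # IPv4 only (assumption)

def summarize(log_text, trusted_clients):
    """Return {hostname: {rule_id: set(uris)}} for hits caused by trusted clients.

    Hits from any other address are ignored, so blocked hostile traffic never
    ends up proposing an exclusion.
    """
    summary = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        client = CLIENT.search(line)
        tags = dict(TAG.findall(line))
        if "ModSecurity:" not in line or not client or not tags.get("id", "").isdigit():
            continue
        if client.group(1) in trusted_clients:
            summary[tags.get("hostname", "-")][int(tags["id"])].add(tags.get("uri", "-"))
    return summary

def removal_directives(summary, hostname):
    """Build the per-domain SecRuleRemoveById lines, each preceded by a comment
    line (Apache does not allow a trailing comment on a directive line)."""
    out = []
    for rule_id, uris in sorted(summary.get(hostname, {}).items()):
        out.append("# triggered on: " + ", ".join(sorted(uris)))
        out.append(f"SecRuleRemoveById {rule_id}")
    return out

if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG, trusted_clients={"198.51.100.7"})
    print("\n".join(removal_directives(hits, "moodle.example.test")))
```

Restricting the tally to a trusted test client keeps the exclusion list limited to rules that break legitimate use of the site, and the URI comments show where each rule fired before it is disabled for the whole domain.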
 
I think you simply don't have these custom rules in custom/modsecurity/conf/ folder, thus update cleaned the old files up.
 
Learned something today! :)
After your remark I searched the forums and found this: https://forum.directadmin.com/threads/modsecurity-custom-rules.55036/post-281974
Created the needed directories and placed my custom files there and did a ./build modsecurity_rules
My custom files re-appear in modsecurity.d! So that is good.

But there are files I don't want! See picture.

I don't have drupal, wordpress etc. on my server. So I delete these rule files for performance and memory gain.
How do I make sure that these files don't re-appear?

Edit: Did some thinking. Would empty files do the trick in custom/modsecurity/conf/ ?
To answer my own question. Yes!

 
Yes, empty files should do the trick. If they don't - please let me know.
 