WholesaleDialup
Verified User
Fresh DA server install on AlmaLinux.
I followed this guide as part of my task to secure the new server:
Regarding item number 8:
- Enable mod_security. See the CustomBuild FAQ for available rulesets and options.
I did enable mod_security but any form submissions inside the only website which is using WordPress on this server fail and generate errors similar to the one shown below UNLESS I disable modsecurity for the domain in question.
I would prefer to leave it on for obvious reasons but I am not sure how to make changes to mod_security to allow form submissions in WordPress to work while leaving mod_security on for the domain. Thanks in advance for any advice on this, it's been a while since I set up a new DA server. Trying to keep things as secure as possible and of course that doesn't go well with ease of use or convenience LOL.
Error from log:
[Thu Oct 14 19:29:02.215562 2021] [:error] [pid 302331:tid 140119856326400] [client <IP HIDDEN>:50869] [client <IP HIDDEN>] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i?:[\\"'`](?:;?\\\\s*?(?:having|select|union)\\\\b\\\\s*?[^\\\\s]|\\\\s*?!\\\\s*?[\\"'`\\\\w])|(?:c(?nnection_id|urrent_user)|database)\\\\s*?\\\\([^\\\\)]*?|u(?:nion(?:[\\\\w(\\\\s]*?select| select @)|ser\\\\s*?\\\\([^\\\\)]*?)|s(?:chema\\\\s*?\\\\([^\\\\)]*?|elect.*?\\\\w?user\\\\()|in ..." at ARGS:formData. [file "/etc/modsecurity.d/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "183"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: \\x22Select a found within ARGS:formData: {\\x22id\\x22:\\x226\\x22,\\x22fields\\x22:{\\x2225\\x22:{\\x22value\\x22:\\x22\\x22,\\x22id\\x22:25},\\x2226\\x22:{\\x22value\\x22:\\x22Todd\\x22,\\x22id\\x22:26},\\x2227\\x22:{\\x22value\\x22:\\x22Routhier\\x22,\\x22id\\x22:27},\\x2228\\x22:{\\x22value\\x22:\\x22210-245-4900\\x22,\\x22id\\x22:28},\\x2229\\x22:{\\x22value\\x22:\\x22<EMAIL HIDDEN>\\x22,\\x22id\\x22:29},\\x2230\\x22:{\\x22value\\x22:\\x22\\x22,\\x22id\\x22:30},\\x2231\\x22:{\\x22value\\x22:\\x22\\x22,\\x22id\\x22:31},\\x2232\\x22:{\\x22value\\x..."] [se [hostname "<HOSTNAMEHIDDEN"] [uri "/wp-admin/admin-ajax.php"] [unique_id "YWiE_l5XD5Z0ctpf0rfauQAAUBI"], referer:<REFERRER HIDDEN>
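For triaging denials like the one quoted above, the following sketch pulls the rule id, URI and matched variable out of each ModSecurity error-log line and prints a candidate exclusion scoped to that one variable on that one path. It is an added example, not part of the original post or of DirectAdmin; the sample log lines, the starting local rule id 1000 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the error-log shape quoted in the post (placeholder client/host).
_LINE = ('[Thu Oct 14 19:29:0{n}.000000 2021] [:error] [pid 1:tid 2] [client 192.0.2.10:50869] '
         'ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:select)" at ARGS:formData. '
         '[file "/etc/modsecurity.d/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "183"] [id "942190"] '
         '[msg "Detects MSSQL code execution and information gathering attempts"] '
         '[hostname "example.test"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed{n}"]')
SAMPLE_LOG = "\n".join([_LINE.format(n=1), _LINE.format(n=2),
                        "[Thu Oct 14 19:30:00 2021] [core:notice] unrelated Apache line"])

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
TARGET_RE = re.compile(r' at (\S+)\. \[file "')            # variable that matched
SAFE = re.compile(r'[\w./:-]+')  # log content is client-influenced: never echo odd characters

def parse_denials(log_text):
    """Yield (rule_id, uri, target) for each ModSecurity denial line."""
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        target = TARGET_RE.search(line)
        if "id" in fields and "uri" in fields and target:
            yield fields["id"], fields["uri"], target.group(1)

def suggest_exclusions(log_text, first_local_id=1000):
    """Return one candidate exclusion per distinct (rule, uri, target) triple."""
    counts = Counter(parse_denials(log_text))
    rules = []
    for n, ((rule_id, uri, target), hits) in enumerate(sorted(counts.items())):
        if not (rule_id.isdigit() and SAFE.fullmatch(uri) and SAFE.fullmatch(target)):
            continue  # skip anything that could break out of the directive's quoting
        rules.append(
            f'# {hits} denial(s): rule {rule_id} on {target} at {uri}\n'
            f'SecRule REQUEST_FILENAME "@streq {uri}" '
            f'"id:{first_local_id + n},phase:1,pass,nolog,'
            f'ctl:ruleRemoveTargetById={rule_id};{target}"'
        )
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_exclusions(SAMPLE_LOG)))
```

A runtime exclusion of this kind belongs in a file loaded before the CRS rule files, and each suggestion should be checked against the logged match data before it is adopted, since the rule keeps inspecting every other variable and path.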