Solved ModSecurity Rules: Global or for Hostname?

castris

Hello

I have a problem with Roundcube where, if the user uses the user account as an email, when accessing Roundcube, 6 Paranoia Level 1 rules —which have very few false positives but are of high importance— must be disabled for Roundcube.

Since Roundcube is located at , the first thing I did was navigate to that location.

However, in ModSecurity, there was no entry for the hostname under the Domain search text box.

So I searched and found that the rules were in /usr/local/directadmin/data/admin/modsecurity_rules.

From what I understand, this means disabling the rules for the entire server instead of just for the hostname.

  1. Is it possible to disable rules only for the hostname?
  2. If not, is it possible to disable them only for a specific path?
Best regards.
 


This is my sample to disable them on phpMyAdmin.
Since I use the Comodo rules, there is a plugin to add custom rules via a UI page.
 
It's weird, it should show in the Extra Features menu.

Code:
/evo/admin/plugins/comodo_waf?path=index.html

This plugin installs automatically when you install the Comodo rules.
 
Ahh, I just saw this "owasp".

OWASP doesn't have any plugins, so you need to find the config file to put some custom rules in.
 
Hi.

Many thanks for your efforts.

After reading the embedded response, I think that is not the correct way.

I think this is correct:

Apache config:
<VirtualHost *:443>
    ServerName HOSTNAME
    # . . .

    <LocationMatch "^/roundcube">
        <IfModule security2_module>
            SecRuleRemoveById RuleIDNumber
            # ... other rule IDs
        </IfModule>
    </LocationMatch>
</VirtualHost>

But I see the configuration in /etc/nginx/webapps.ssl.conf and /etc/nginx/webapps.conf, which is the perfect place to write this:

NGINX:
location ^~ /roundcube {
    root /var/www/html/;
    index index.php index.html index.htm;
    location ~ ^/roundcube/ {
        access_log off;
        set $my_server_addr $server_addr;
        if ($server_addr ~ ^[0-9a-fA-F:]+$) { set $my_server_addr [$server_addr]; }
        proxy_pass https://$my_server_addr:8081;
        proxy_set_header X-Client-IP      $remote_addr;
        proxy_set_header X-Accel-Internal /roundcube/nginx_static_files;
        proxy_set_header Host        $host;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_hide_header Upgrade;
    }
    location ~ ^/roundcube/nginx_static_files/ {
        access_log  /var/log/nginx/access_log_proxy;
        alias       /var/www/html/;
        internal;
    }
}
location ^~ /phpMyAdmin {
    root /var/www/html/;
    index index.php index.html index.htm;
    location ~ ^/phpMyAdmin/ {
        access_log off;
        set $my_server_addr $server_addr;
        if ($server_addr ~ ^[0-9a-fA-F:]+$) { set $my_server_addr [$server_addr]; }
        proxy_pass https://$my_server_addr:8081;
        proxy_set_header X-Client-IP      $remote_addr;
        proxy_set_header X-Accel-Internal /phpMyAdmin/nginx_static_files;
        proxy_set_header Host        $host;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_hide_header Upgrade;
    }
    location ~ ^/phpMyAdmin/nginx_static_files/ {
        access_log  /var/log/nginx/access_log_proxy;
        alias       /var/www/html/;
        internal;
    }
}

But I understand that if I modify that, the configuration will be destroyed in the next rebuild.

Does anybody know the best place to add a `webapps.ssl.conf` that stays valid across the next rebuilds?

Best regards.
 
There are many ways to disable them, but for me... just disable all of them to prevent any issues later.
 
I found the correct solution, which involves using the file /etc/modsecurity.d/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example

We will create it as modsecurity.d/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
NGINX:
SecRule REQUEST_FILENAME "@beginsWith /roundcube" \
"id:1001,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=911100,\
ctl:ruleRemoveById=932260,\
ctl:ruleRemoveById=920340,\
ctl:ruleRemoveById=932235,\
ctl:ruleRemoveById=941100,\
ctl:ruleRemoveById=941130,\
ctl:ruleRemoveById=941160,\
ctl:ruleRemoveById=941170,\
ctl:ruleRemoveById=949110,\
ctl:ruleRemoveById=980130"


Check nginx
Bash:
> nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful


Reload nginx
Bash:
systemctl reload nginx

Workaround with Directadmin

When DirectAdmin runs `da build rewrite_confs`, it tries to remove all files in the directory /etc/modsecurity.d/.

Bash:
[activating module `aclr' in /etc/httpd/conf/httpd.conf]
mod_aclr2 has been installed successfully.
Restarting apache.
rm: cannot remove '/etc/modsecurity.d/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf': Operation not permitted
Installing OWASP Core Rule Set for ModSecurity...
download_cached: using cached '/usr/local/directadmin/custombuild/cache/owasp-modsecurity-crs-4.5.0.tar.gz' file
Installation of ModSecurity Rule Set has been finished.

For me the best way is to block deletion of the file via chattr:
Bash:
chattr +i /etc/modsecurity.d/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf


More explanation at my wiki (in Spanish): Mod Security. Desactivación global de reglas por path

Best regards and thanks
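As an added example (not code from the thread), here is a small Python audit for an exclusion file written in the format of the SecRule above, serving both the per-path exclusion post and the earlier Apache/nginx attempt: it folds the backslash continuation lines, confirms the rule is scoped with `REQUEST_FILENAME "@beginsWith ..."` and uses an ID from the range reserved for local rules, and flags the two IDs in the list (949110 and 980130) that are CRS engine rules rather than detections, since removing them under a path switches off the anomaly blocking decision and its summary logging for that whole path. The sample rule is constructed from the post with a subset of its IDs.

```python
import re

# Constructed sample in the thread's continuation-line format; the ID list is a
# subset of the ten IDs removed in the post above.
SAMPLE_RULE = r'''SecRule REQUEST_FILENAME "@beginsWith /roundcube" \
"id:1001,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=920340,\
ctl:ruleRemoveById=941100,\
ctl:ruleRemoveById=949110,\
ctl:ruleRemoveById=980130"
'''

# CRS file families by the leading three digits of a rule ID.
CRS_FAMILIES = {
    "911": "method enforcement", "920": "protocol enforcement",
    "932": "RCE", "941": "XSS",
    "949": "blocking evaluation", "980": "correlation",
}
# Engine rules, not detections: 949110 takes the anomaly-score blocking
# decision and 980130 writes the anomaly summary to the audit log.
ENGINE_RULES = {"949110": "anomaly blocking decision",
                "980130": "anomaly summary logging"}

def parse_exclusion(text):
    """Return (path_prefix, exclusion_rule_id, removed_ids) for one SecRule."""
    joined = text.replace("\\\n", "")  # fold the trailing-backslash continuations
    m = re.search(r'SecRule\s+REQUEST_FILENAME\s+"@beginsWith\s+(\S+)"\s+"([^"]*)"', joined)
    if not m:
        raise ValueError("not a REQUEST_FILENAME @beginsWith exclusion")
    prefix, actions = m.group(1), m.group(2)
    acts = [a.strip() for a in actions.split(",") if a.strip()]
    rule_id = next(a.split(":", 1)[1] for a in acts if a.startswith("id:"))
    removed = [a.split("=", 1)[1] for a in acts if a.startswith("ctl:ruleRemoveById=")]
    return prefix, rule_id, removed

def audit(text):
    """Warnings a reviewer would raise about the exclusion; empty if none."""
    prefix, rule_id, removed = parse_exclusion(text)
    warnings = []
    if not 1 <= int(rule_id) <= 99999:  # CRS reserves 1-99999 for local rules
        warnings.append(f"id {rule_id} is outside the local range 1-99999")
    for rid in removed:
        if rid[:3] not in CRS_FAMILIES:
            warnings.append(f"{rid}: unknown CRS family")
        elif rid in ENGINE_RULES:
            warnings.append(f"{rid} is the {ENGINE_RULES[rid]} rule, not a "
                            f"detection; it is now off for all of {prefix}")
    return warnings
```

Run `audit(open("/etc/modsecurity.d/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf").read())` after editing the file to see the warnings before reloading nginx.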
 