web analytics

Blog

How to disable mod_sec2 for a domain in cPanel Server

Tags: ApachecPanelmod_security

Published on: September 17, 2014 by Vipin R.N

How to disable mod_sec2 for a domain in cPanel Server

Scenario:

Disable Mod security for an account was easier in Mod_security v 1.x, you just had to add the following lines in the .htaccess file for that account’s public_html directory :

SecFilterEngine Off
SecFilterScanPost Off

This will no longer work as Mod_security 2.x was been started to use in newer WHM/cPanel versions. In this article, we are going to review such a case and its solution

Case

A user was trying to copy an article (which was including certain URLs) and paste it in their Online Discussion forums. The following error were shown when they were trying to submit the post :

errorlive

When the content was Plain formatted (which means no type of formatting involved in it – no links embedded and such – just like plain text) they could submit it. Obviously, this is something with Apache and hence the error_log has to be checked :

root@server:~ [/home]#tail -f /usr/local/apache/logs/error_log | grep 1xxx.174.208.127

[Mon Jan 07 17:14:11 2013] [error] [client 1xx.174.208.127] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|” ?> ?<|” ?[a-z]+ ?<.*>|> ?”? ?(>|<)|< ?/?i?frame|\\%env)” at ARGS:quot;” style. [file “/usr/local/apache/conf/modsec_rules/10_asl_rules.conf”] [line “903”] [id “340147”] [rev “81”] [msg “Atomicorp.com – FREE UNSUPPORTED DELAYED FEED – WAF Rules: Generic XSS filter”] [data “3990”] [severity “CRITICAL”] [hostname “my_domain.com”] [uri “/ko/portal/apps/discussions/creatediscussionview.php”] [unique_id “WQyvlUPkwtoAADKsDMwAAAAv”]
[Mon Jan 07 17:14:11 2013] [error] [client 1xxx.174.208.127] File does not exist: /home/sysbc/public_html/my_domain.com/403.shtml, referer: http://my_domain.com/ko/portal/home.php?main=discussview

 

A pattern in the URL is triggering the Mod_security rule. In this case, client demanded disabling it for his account, otherwise, we wouldn’t have done it for security purposes.

Solution

Disable Mod security  is the solution but remember for this account only. Let us take a look at the VirtualHost section of this domain :

<VirtualHost xx.xx.xx.xx:80>
ServerName my_domain.com
ServerAlias www.my_domain.com my_domain.com www
DocumentRoot /home/sysbc/public_html/mdom
ServerAdmin webmaster@my_domain.com
UseCanonicalName Off
CustomLog /usr/local/apache/domlogs/my_domain.com combined
CustomLog /usr/local/apache/domlogs/my_domain.com-bytes_log “%{%s}t %I .\n%{%s}t %O .”
## User sysprobc # Needed for Cpanel::ApacheConf
<IfModule mod_suphp.c>
suPHP_UserGroup ysb ysb
</IfModule>
<IfModule concurrent_php.c>
php4_admin_value open_basedir “/home/sysbc:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp”
php5_admin_value open_basedir “/home/sysbc:/usr/lib/php:/usr/local/lib/php:/tmp”
</IfModule>
<IfModule !concurrent_php.c>
<IfModule mod_php4.c>
php_admin_value open_basedir “/home/sysbc:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp”
</IfModule>
<IfModule mod_php5.c>
php_admin_value open_basedir “/home/sysbc:/usr/lib/php:/usr/local/lib/php:/tmp”
</IfModule>
<IfModule sapi_apache2.c>
php_admin_value open_basedir “/home/sysbc:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp”
</IfModule>
</IfModule>
<IfModule !mod_disable_suexec.c>
<IfModule !mod_ruid2.c>
SuexecUserGroup sysbc ysbc
</IfModule>
</IfModule>
<IfModule mod_ruid2.c>
RUidGid sysprobc sysprobc
</IfModule>
ScriptAlias /cgi-bin/ /home/ysbc/public_html/mdom/cgi-bin/

# To customize this VirtualHost use an include file at the following location
# Include “/usr/local/apache/conf/userdata/std/2/sysbc/my_domain.com/*.conf”

 

Take a look at the last 2 lines :

# To customize this VirtualHost use an include file at the following location
# Include “/usr/local/apache/conf/userdata/std/2/sysbc/my_domain.com/*.conf”

By default,the location /usr/local/apache/conf/userdata/std/2 exists. You will have to create the remaining path ysbc/my_domain.com

# mkdir -p  /usr/local/apache/conf/userdata/std/2/ysbc/my_domain.com

Create a file vhost.conf and add the following lines :


&lt;IfModule mod_security2.c&gt;

    SecRuleEngine Off
&lt;/IfModule&gt;

After this, you need to rebuild the Virtual hosts using the following command :

 

/scripts/ensure_vhost_includes --user= &lt;cPanel username&gt;

Here it is

# /scripts/ensure_vhost_includes –user=sysbc

Alternatives

The above explained method entirely disable mod security for a particular account, which is not recommended and safe. However, there are other methods to do the trick.

root@server:~ [/home]#tail -f /usr/local/apache/logs/error_log | grep xx.xx.xx.xx

[Mon Jan 07 17:14:11 2013] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(< ?(?:(?:java|vb)?script|about|applet|activex|chrome)   ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|” ?> ?<|” ?[a-z]+ ?<.*>|> ?”? ?(>|<)|< ?/?i?frame|\\%env)” at ARGS:quot;” style. [file  “/usr/local/apache/conf/modsec_rules/10_asl_rules.conf”] [line “903”] [id “340147“] [rev “81”] [msg “Atomicorp.com – FREE UNSUPPORTED DELAYED FEED – WAF Rules: Generic XSS filter”]  [data “3990”] [severity “CRITICAL”] [hostname “my_domain.com”] [uri “/ko/portal/apps/discussions/creatediscussionview.php”] [unique_id “WQyvlUPkwtoAADKsDMwAAAAv”]
[Mon Jan 07 17:14:11 2013] [error] [client xx.xx.xx.xx] File does not exist: /home/sysbc/public_html/mdom/403.shtml, referer:  http://my_domain.com/ko/portal/home.php?main=discussview

 

You can disable the rule only by adding the rule in .htaccess

<LocationMatch “.*”>
SecRuleRemoveById 340147
</LocationMatch>

Category : Apache, Howtos, Security, Troubleshooting

Vipin R.N

Vipin R.N

Vipin is a no-nonsense, disciplined guy who ensures that everything is carried out with the highest level of perfection. Apart from his great coding skills, he is quite interested in advanced server administration, issue analysis, documentation and training. In-depth knowledge in international politics, ammunition and automobiles makes this hard core Manchester United fan, one of the most referenced personalities in the entire team.

You may also read:

Comments

Add new commentSIGN IN

Let's Connect

Get new updates

Categories

$0.000 items