Mod Security whitelist issue

Mod_security issue.

I was able to whitelist the pattern match for a domain with a rule ID, or whitelist the domain completely, using either of the following added to /usr/local/apache/conf/whitelist.conf:

SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,ctl:ruleRemoveById=600161

SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,ctl:ruleEngine=off

Nowadays, after adding one of these rules, restarting httpd may fail with an error like the following:

Syntax error on line 12 of /usr/local/apache/conf/whitelist.conf:
ModSecurity: No action id present within the rule

In that case, you need to add an id action to the rule, something like this:

SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,id:445000,ctl:ruleEngine=off

This will whitelist the domain completely in ModSecurity.

or

SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,id:445000,ctl:ruleRemoveById=600161

This will whitelist the domain for a specific rule ID, say 600161.

instead of

SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,ctl:ruleEngine=off

or

SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,ctl:ruleRemoveById=600161

You can refer to the details at http://cpanel.net/modsecurity-changes/

You can use the ID range 440,000-599,999 (which is unreserved).

You can get the details on IDs at http://docs.cpanel.net/twiki/bin/view/AllDocumentation/EasyapacheModsecurity

If the ID is already in use by another rule, you need to change it to a new, unused one; otherwise ModSecurity, along with Apache, will not start.
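As an added example (not part of the original post and not cPanel's code), the Python check below can be run over whitelist.conf before restarting httpd. It flags rules with no id action, IDs outside the 440,000-599,999 range mentioned above, IDs reused within the file, and typographic quotes pasted from a web page. The names lint_rules and SAMPLE_CONF and the sample rules are constructed for illustration, and the check assumes one rule per line.

```python
import re

# Range the page gives as unreserved for locally written rules.
LOCAL_IDS = range(440_000, 600_000)
# Matches the id action (id:445000 or id:'445000'), not ctl:ruleRemoveById=...
ID_ACTION = re.compile(r"(?<![\w.])id:'?(\d+)")

def lint_rules(conf_text):
    """Return (line_number, message) findings for SecRule/SecAction lines.

    Assumes one rule per line: no backslash continuations, no chained rules.
    """
    findings, seen = [], {}
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        rule = line.strip()
        if not rule.startswith(("SecRule ", "SecAction ")):
            continue  # comments, blank lines, other directives
        if "\u201c" in rule or "\u201d" in rule:
            findings.append((lineno, "typographic quotes, use plain double quotes"))
        match = ID_ACTION.search(rule)
        if match is None:
            findings.append((lineno, "no id action present"))
            continue
        rule_id = int(match.group(1))
        if rule_id not in LOCAL_IDS:
            findings.append((lineno, f"id {rule_id} is outside 440000-599999"))
        if rule_id in seen:
            findings.append((lineno, f"id {rule_id} already used on line {seen[rule_id]}"))
        else:
            seen[rule_id] = lineno
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE_CONF = '''\
# whitelist.conf
SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,ctl:ruleEngine=off
SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,id:445000,ctl:ruleEngine=off
SecRule SERVER_NAME "example.org" phase:1,nolog,allow,id:445000,ctl:ruleRemoveById=600161
SecRule SERVER_NAME "example.net" phase:1,nolog,allow,id:600161,ctl:ruleEngine=off
'''

if __name__ == "__main__":
    for lineno, message in lint_rules(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

The duplicate check only sees the text passed to it, so an ID that collides with a rule in another loaded rules file will still only show up when httpd parses the full configuration.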

Thank you.
