Whitelisting in ModSecurity is sometimes necessary to allow legitimate transactions that a rule blocks. This guide provides example processes to whitelist a rule ID, IP, or URI from the command line. Every whitelist entry removes protection for whatever it matches, so scope each one as narrowly as the false positive allows (one rule on one URI rather than a whole rule or a whole IP).
Review the logs
- SSH into the server as root
- Grep the relevant items in the error logs to extract the rule ID, IP, or URI:
grep ModSecurity /usr/local/apache/domlogs/*error.log | grep domain.com
REPLACE: domain.com with the actual domain name, or with the relevant IP address if you are searching by IP instead.
EXAMPLE: In the log entry below the rule ID is 13052 (the [id "..."] field), the client IP address is 555.66.777.88 (a placeholder in this example; the [client ...] field shows the real address), and the URI is "/wp-login.php" (the [uri "..."] field).
[Wed Nov 13 xx:xx:xx.xx xxxx] [:error] [pid 27189] [client 555.66.777.88:xxxxx] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Operator GE matched 1 at TX:brute. [file "/etc/apache2/conf.d/imh-modsec/40_wordpress.conf"] [line "27"] [id "13052"] [msg "POST to wp-login.php without redirect_to"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "domain.com"] [uri "/wp-login.php"] [unique_id "Xcw0ipq6HORiGQf95hXF2gAAAAs"], referer: https://domain.com/wp-login.php
Whitelist By Rule ID
- SSH into the server as root
- Identify the rule ID in /usr/local/apache/logs/error_log
- Execute the following:
echo; read -ep "Rule ID: " ID; read -ep "CWP user: " USER; read -ep "Domain: " DOMAIN; sed -i '$i'"SecRuleRemoveById $ID" /usr/local/apache/conf/userdata/$USER/$DOMAIN/modsec.conf && apachectl -t && systemctl restart httpd
The sed '$i' inserts the SecRuleRemoveById line directly above the last line of the domain's modsec.conf, and apachectl -t checks the configuration syntax before Apache is restarted. NOTE: SecRuleRemoveById disables that rule for every request to the domain; if only one page trips it, prefer the per-URI method below.
Whitelist By IP
- SSH into the server as root
- Identify the IP in /usr/local/apache/logs/error_log
- Execute the following:
echo; read -ep "IP Address: " IP; read -ep "CWP user: " USER; read -ep "Domain: " DOMAIN; sed -i '$i'"SecRule REMOTE_ADDR \"^$(echo $IP | sed 's/\./\\\\./g')\$\" phase:1,log,allow,ctl:ruleEngine=Off,id:999945" /usr/local/apache/conf/userdata/$USER/$DOMAIN/modsec.conf && apachectl -t && systemctl restart httpd
The pattern is anchored with ^ and $ and the dots are escaped, so 1.2.3.4 matches only that address and not, for example, 1.2.3.40 or 1x2x3x4. The doubled backslashes are needed because GNU sed strips one level of backslashes from the text given to its i command. After the command, grep REMOTE_ADDR in the modsec.conf and confirm the new line reads "^1\.2\.3\.4$" (with your address).
IMPORTANT: Make sure the ID after id: (999945 here) is not already used by another rule on the server; ModSecurity rejects duplicate rule IDs and Apache will not start. Also note that ctl:ruleEngine=Off disables ModSecurity completely for requests from that address, so only whitelist addresses you trust.
Whitelist By URI
- SSH into the server as root
- Identify the URI and the rule ID in question from /usr/local/apache/logs/error_log
- Append the following to /usr/local/apache/conf/userdata/userna5/$DOMAIN/modsec.conf, then run apachectl -t and systemctl restart httpd:
<LocationMatch "/wp-login.php">
SecRuleRemoveById 13052
</LocationMatch>
REPLACE: "/wp-login.php" with the actual URI in question, 13052 with the rule ID taken from the log entry, and userna5 with the CWP username. This removes the rule only for requests to that path and is the narrowest of the three methods. LocationMatch takes a regular expression, so "/wp-login.php" also matches /blog/wp-login.php and /wp-login.phpx; use "^/wp-login\.php$" if you need an exact match.
TIP: To disable a rule or whitelist an IP or URI for every domain on the server, apply the same directives to /usr/local/apache/modsecurity-cwaf/global/disabled_rules.conf instead of the domain-level modsec.conf. A server-wide exception removes that protection from every site, so prefer the domain-level file unless the false positive really is global.
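The log-review and whitelist steps above, as an added example that is not part of the original article: a bash script that pulls the rule ID, client IP, hostname and URI out of a ModSecurity "Access denied" line and builds the three kinds of directive from them. The log line is constructed in the article's format with a documentation address (203.0.113.10), the script writes to a scratch directory rather than /usr/local/apache, and it assumes (as the article's sed '$i' step does) that the per-domain modsec.conf ends with a closing line that must stay last. It goes beyond the article in two ways: the IP and URI patterns are anchored and dot-escaped, and it checks that a rule ID is unused before adding the IP rule.

```bash
#!/bin/bash
# Added example, not from the article: parse a ModSecurity log line and
# generate whitelist directives into a scratch modsec.conf.

# Constructed log line, same layout as the article's example.
SAMPLE_LOG='[Wed Nov 13 10:11:12.345678 2019] [:error] [pid 27189] [client 203.0.113.10:51234] ModSecurity: Access denied with code 406 (phase 2). Operator GE matched 1 at TX:brute. [file "/etc/apache2/conf.d/imh-modsec/40_wordpress.conf"] [line "27"] [id "13052"] [msg "POST to wp-login.php without redirect_to"] [severity "WARNING"] [hostname "domain.com"] [uri "/wp-login.php"] [unique_id "Xcw0ipq6HORiGQf95hXF2gAAAAs"], referer: https://domain.com/wp-login.php'

# modsec_field LINE NAME: value of the [NAME "value"] token (id, uri, hostname, msg ...).
modsec_field() {
    printf '%s\n' "$1" | sed -n "s/.*\[$2 \"\([^\"]*\)\"\].*/\1/p"
}

# client_ip LINE: the address from the [client A.B.C.D:port] token.
client_ip() {
    printf '%s\n' "$1" | sed -n 's/.*\[client \([0-9.]*\):[0-9]*\].*/\1/p'
}

# escape_dots TEXT: backslash every "." so it is literal inside a regex.
escape_dots() {
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# The three directives. IP and URI patterns are anchored with ^ and $ so that
# 203.0.113.1 cannot match 203.0.113.10 and /wp-login.php cannot match
# /blog/wp-login.php.bak.
rule_for_id() {                       # rule_for_id RULE_ID
    printf 'SecRuleRemoveById %s\n' "$1"
}
rule_for_ip() {                       # rule_for_ip IP NEW_RULE_ID
    printf 'SecRule REMOTE_ADDR "^%s$" "phase:1,id:%s,log,allow,ctl:ruleEngine=Off"\n' \
        "$(escape_dots "$1")" "$2"
}
rule_for_uri() {                      # rule_for_uri URI RULE_ID_TO_REMOVE
    printf '<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>\n' \
        "$(escape_dots "$1")" "$2"
}

# id_in_use DIR ID: succeeds if any file under DIR already carries id:ID.
# Check this before picking the id for a new SecRule; a duplicate id is a
# startup error for ModSecurity.
id_in_use() {
    grep -rqE "id:['\"]?$2([^0-9]|\$)" "$1"
}

# insert_before_last_line FILE TEXT: the article's sed '$i' step done with
# POSIX tools only, so backslashes in TEXT reach the file untouched. The
# original file is overwritten in place, keeping its owner and mode.
insert_before_last_line() {
    local file=$1 text=$2 tmp
    tmp=$(mktemp)
    sed '$d' "$file" > "$tmp"            # everything except the closing line
    printf '%s\n' "$text" >> "$tmp"      # the new directive(s)
    tail -n 1 "$file" >> "$tmp"          # the closing line, still last
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# demo: extract the fields from SAMPLE_LOG and build a scratch modsec.conf
# (stands in for /usr/local/apache/conf/userdata/USER/DOMAIN/modsec.conf).
demo() {
    local id uri ip dir conf
    id=$(modsec_field "$SAMPLE_LOG" id)
    uri=$(modsec_field "$SAMPLE_LOG" uri)
    ip=$(client_ip "$SAMPLE_LOG")
    dir=$(mktemp -d)
    conf=$dir/modsec.conf
    printf '<IfModule mod_security2.c>\n</IfModule>\n' > "$conf"
    insert_before_last_line "$conf" "$(rule_for_uri "$uri" "$id")"
    if ! id_in_use "$dir" 999945; then
        insert_before_last_line "$conf" "$(rule_for_ip "$ip" 999945)"
    fi
    cat "$conf"
    rm -rf "$dir"
}
demo
```

On a real CWP host, point id_in_use at /usr/local/apache/conf (or wherever the server's rule sets live) and insert_before_last_line at the domain's modsec.conf, then run apachectl -t before restarting httpd, exactly as in the steps above.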