Whitelisting in ModSecurity

This article is broken into two parts. The first section covers how to whitelist IPs or URIs, for those who are somewhat familiar with ModSecurity but want to understand the process in more detail. The second section examines why we configure ModSecurity this way, so that the server's protection does not get in the way of our work. If you have a Fully Managed Liquid Web server, reach out to our Heroic Support team for help with whitelisting!

How to Whitelist IPs or URIs

"ModSecurity is a toolkit for real-time web application monitoring, logging, and access control." (modsecurity.org). In simple terms, this means that ModSec, also known as mod_security or ModSecurity, is a web application firewall that actively looks for attacks against the system and stops malicious activity.

However, sometimes these rules trigger while legitimate work is happening, blocking your IP and stopping you or your developers until the IP block is removed. The way around being blocked is known as whitelisting, which allows a specific IP or request to bypass the rule that blocked it. There are two ways to whitelist a request in ModSec: by IP or by URI (a URI is a specific path on the website).

Getting Started

Find your IP or ask your developer for theirs. (You can find yours by going to ip.liquidweb.com.) If you or your developer have a static IP (one that does not change), one way to whitelist the ModSec rules is by IP. Find the ModSec error in the Apache error log with the following command (be sure to replace "IP here" with the IP address):


grep ModSec /usr/local/apache/logs/error_log | grep "IP here"
The output of this command is a list of ModSecurity hits from your or your developer's IP, which you can see below. While this looks intimidating, you only need to pay attention to the three bits of information highlighted. Please note, the output will not show these colors when you are viewing the files.

Note

Blue = client, the IP that tripped the rule
Red = ID number of the tripped rule within ModSec
Green = URI, the request path on which the rule fired

[Fri May 25 23:07:04.178701 2018] [:error] [pid 78007:tid 139708457686784] [client 61.14.210.4:30095] [client 61.14.210.4] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.liquidweb.conf"] [line "109"] [id "20000221"] [hostname "67.227.209.163"] [uri "/db/index.php"] [unique_id "WwjPWChxvG1CO4kz-D55eQAAACU"]

Whitelist By IP:

  1. Once you have the correct ModSec error, you will need to edit the ModSec configuration. If you are using Easy Apache 4 you will find the whitelist configuration file at this path (it must be included by your ModSecurity configuration for the rules to take effect):
    /etc/apache2/conf.d/modsec2/whitelist.conf
  2. Open the file with your favorite text editor, such as vim, nano, or a file manager, like so:
vim /etc/apache2/conf.d/modsec2/whitelist.conf
  3. The blue text above is the IP address you are whitelisting, taken from the original error. The value is a regular expression, so keep the backslashes (\) that escape the dots and the caret (^) that anchors the match to the start of the address, and end it with a dollar sign ($) so it cannot also match a longer address (without the $, ^192\.168\.1\.25 also matches 192.168.1.250). It will always look something like:

"^192\.168\.1\.25$"

The id noted in red identifies the rule that blocked you. The id: you give the new whitelist rule, however, must be unique among all loaded rules, so do not reuse the blocked rule's id: ModSecurity refuses to load two rules with the same id, and apachectl -t will report the duplicate. Pick an id of your own (ModSecurity reserves the range 1 to 99,999 for local rules), for example:

id:10001

Add the following line, with the colored section edited to match your intended IP and the id set to your chosen value. Keep the whole rule on one line; a rule split across two lines without a trailing backslash is a syntax error. Note that ctl:ruleEngine=off switches ModSecurity off entirely for every request from that address, so only use it for an address you fully trust:

SecRule REMOTE_ADDR "^61\.14\.210\.4$" "phase:1,nolog,allow,ctl:ruleEngine=off,id:10001"

If you only want to skip the single rule that blocked you, keep the engine on for that address and replace allow,ctl:ruleEngine=off with pass,ctl:ruleRemoveById=20000221 (the red id from the error).

Whitelist By URI:

If your IP is dynamic (changing) and you keep getting blocked, it is best to whitelist by URI, the green item in the ModSec error. This disables the one rule for that path only, but for every client, so pick the narrowest path that covers your work.

  1. Begin by opening the Easy Apache 4 whitelist configuration file:
vim /etc/apache2/conf.d/modsec2/whitelist.conf

  2. Add the following text to the configuration. Remember to pay attention to the highlighted parts. Change the green "/db/index.php" to match your URI and the red id to match the id of your error (do not use the colon in this one). LocationMatch takes a regular expression, so anchor it with ^ and $ and escape the dot; an unanchored "/db/index.php" would also match /old/db/index.php and /db/index.php/anything.

<LocationMatch "^/db/index\.php$">
SecRuleRemoveById 20000221
</LocationMatch>

3. The final step, before you finalize the process, is to make sure the whitelist is set up correctly. For Easy Apache 4, run:

apachectl -t

As long as the command returns Syntax OK, you are safe to make the whitelist active by restarting Apache. Otherwise, review the whitelist entries and make sure the syntax matches the directions above; a duplicate rule id, an unquoted regular expression, or a rule split across lines are the usual causes.

  4. Lastly, restart Apache with the following command.
/scripts/restartsrv_httpd

You have successfully whitelisted yourself in ModSec!
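To tie the steps above together, here is an added example in POSIX shell (not part of the original article, and not Liquid Web's own tooling). It pulls the three highlighted fields (client IP, rule id, URI) out of ModSecurity "Access denied" lines for a given address, then prints the candidate whitelist snippets, broadest first: the full IP bypass from the Whitelist By IP step, a narrower IP-scoped exclusion of only the rule that fired, the LocationMatch block from the Whitelist By URI step, and a rule exclusion scoped to one hostname and URI prefix. Every log line, address, hostname, URI and rule id in it is constructed for illustration, and the ids 10001 to 10004 are arbitrary local ids chosen for the new rules.

```shell
#!/bin/sh
# Added example, not from the original article: extract the client IP, rule id
# and URI from ModSecurity "Access denied" lines and emit whitelist snippets.
# Every log line, address, hostname, URI and rule id below is constructed for
# illustration; 10001-10004 are arbitrary ids for the new rules.

SAMPLE_LOG=$(cat <<'EOF'
[Fri May 25 23:07:04.178701 2018] [:error] [pid 78007:tid 139708457686784] [client 61.14.210.4:30095] [client 61.14.210.4] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.liquidweb.conf"] [line "109"] [id "20000221"] [hostname "67.227.209.163"] [uri "/db/index.php"] [unique_id "WwjPWChxvG1CO4kz-D55eQAAACU"]
[Fri May 25 23:09:11.000000 2018] [:error] [pid 78007:tid 139708457686784] [client 198.51.100.7:40001] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.liquidweb.conf"] [line "109"] [id "20000221"] [hostname "67.227.209.163"] [uri "/wp-admin/admin-ajax.php"] [unique_id "AAAAAAAAAAAAAAAAAAAAAAAA"]
[Fri May 25 23:10:00.000000 2018] [:error] [pid 78007:tid 139708457686784] [client 61.14.210.4:30100] [client 61.14.210.4] ModSecurity: Warning. Pattern match "select" at ARGS:q. [file "/etc/apache2/conf.d/modsec2.liquidweb.conf"] [line "140"] [id "20000300"] [hostname "67.227.209.163"] [uri "/search.php"] [unique_id "BBBBBBBBBBBBBBBBBBBBBBBB"]
[Fri May 25 23:11:00.000000 2018] [:error] [pid 78007:tid 139708457686784] [client 61.14.210.4:30200] File does not exist: /home/user/public_html/favicon.ico
EOF
)

# Print "IP RULE_ID URI" for every ModSecurity denial from the given IP.
# Reads the error log on stdin, e.g.:
#   modsec_hits 61.14.210.4 < /usr/local/apache/logs/error_log
# Warnings and non-ModSecurity lines are skipped; the trailing ":" after the
# IP stops 61.14.210.4 from also matching 61.14.210.40.
modsec_hits() {
  ip=$1
  grep 'ModSecurity: Access denied' |
    grep -F "[client $ip:" |
    sed -n 's/.*\[client \([0-9.]*\):[0-9]*].*\[id "\([0-9]*\)"].*\[uri "\([^"]*\)"].*/\1 \2 \3/p'
}

# Turn a dotted IP into the anchored regex ModSecurity expects:
# 61.14.210.4 -> ^61\.14\.210\.4$  (the $ keeps it from matching 61.14.210.40)
ip_regex() {
  printf '^%s$\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Full bypass for one trusted static IP (the article's Whitelist By IP step):
# the rule engine is switched off for every request from that address.
# $2 is the id of the NEW rule; it must not collide with any loaded rule.
whitelist_ip_rule() {
  printf 'SecRule REMOTE_ADDR "%s" "phase:1,nolog,allow,ctl:ruleEngine=off,id:%s"\n' \
    "$(ip_regex "$1")" "$2"
}

# Narrower variant: the engine stays on for that IP and only the rule that
# fired ($2) is skipped. Same trust in the IP, far less exposure.
whitelist_ip_single_rule() {
  printf 'SecRule REMOTE_ADDR "%s" "phase:1,nolog,pass,ctl:ruleRemoveById=%s,id:%s"\n' \
    "$(ip_regex "$1")" "$2" "$3"
}

# URI exception (the article's Whitelist By URI step). LocationMatch takes a
# regex, so the path is anchored and its dots escaped; this applies to every
# client, which is why the path should be as narrow as possible.
whitelist_uri_block() {
  uri_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>\n' "$uri_re" "$2"
}

# Exclusion scoped to one hostname AND one URI prefix. The second SecRule only
# runs when the first matched, and the ctl: action on the last link of the
# chain fires only when the whole chain matches. No client IP is trusted here.
scoped_rule_exclusion() {
  host=$1; prefix=$2; rule_id=$3; new_id=$4
  printf 'SecRule SERVER_NAME "@streq %s" "id:%s,phase:1,pass,nolog,chain"\n' "$host" "$new_id"
  printf '    SecRule REQUEST_URI "@beginsWith %s" "ctl:ruleRemoveById=%s"\n' "$prefix" "$rule_id"
}

# Demo on the constructed log: what blocked 61.14.210.4, then the fixes.
printf '%s\n' "$SAMPLE_LOG" | modsec_hits 61.14.210.4
whitelist_ip_rule 61.14.210.4 10001
whitelist_ip_single_rule 61.14.210.4 20000221 10002
whitelist_uri_block /db/index.php 20000221
scoped_rule_exclusion www.example.com /db/ 20000221 10004
```

Against a real server, feed the log on stdin (modsec_hits 61.14.210.4 < /usr/local/apache/logs/error_log), append whichever snippet fits the situation to the whitelist file, and run apachectl -t before restarting Apache. The order the snippets are printed in is also the order of decreasing exposure: prefer the scoped exclusions unless the address really is static and trusted.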

Using ModSec

Cyber security is a hydra: once one threat is cut off, two more grow back. While this is not a new analogy, it is important to keep in mind as we battle threats to our networks, computers, and servers. With all the complexity that comes with security, I want to talk about configuring ModSec adequately to deter threats while still allowing you to work on your websites. Often, when it comes to server security, too much protection can hinder effectiveness.

For example, say you have the following set up on your server:

You do not permit root SSH login to the server
You use two-factor authentication for any SSH login
You use an SSH key for the sudo user
You require other security safeguards

While this kind of configuration is secure, it takes longer to log into your system to make a quick edit to your settings: a double-edged sword. How can you keep the server safe without tying your own hands? A good example of how this plays out is using ModSec.

ModSec will block your IP if it incorrectly flags your work. While this module improves system security, you will need to be aware of properly implementing and "scoping" the technology. Scoping in this sense means managing risk: focusing on what is important for security while still allowing work on the server with minimal blocking. To tune out legitimate requests to your server, such as when you are editing your website's code via a plugin, ModSec has options to whitelist rules or IPs and keep your work on track.

Whitelisting an IP from the rules that ModSec follows is a good choice as long as the IP never changes (i.e. a static IP; see this article to learn more: https://support.google.com/fiber/answer/3547208?hl=en) and is limited to only people you trust.

This method prevents ModSec from viewing your requests as malicious and blocking your IP. Its drawback is that if someone (say a disgruntled employee) has access to your network, they now have a way around ModSec to attack your server.

Whitelisting Rules

With non-static (dynamic) IPs the problems of whitelisting an IP are readily apparent. Because a dynamic IP changes continually, the address you whitelisted today can be assigned to someone else tomorrow, and that someone could use the old IP to reach the server with ModSec switched off for them. Whitelisting specific rules comes to the rescue. When you whitelist by rule, you can edit with granularity and limit the exception to particular domains and URIs, so the rest of the server stays protected from the attacks that same rule catches.

Example of ModSecurity

ModSec reads a series of rules and applies them to incoming requests made to the web server. An example of what a block looks like is:

[Sat Jun 30 02:21:56.013837 2018] [:error] [pid 79577:tid 139862413879040] [client 120.27.217.223:24397] [client 120.27.217.223] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.liquidweb.conf"] [line "109"] [id "2000064"] [hostname "67.227.192.139"] [uri "/mysql/index.php"] [unique_id "WzchhAjuZ6wPAzo9AwW1WwAAAE8"]

This error shows that ModSecurity, running inside Apache, refused a request to /mysql/index.php with a 406 response because its User-Agent header matched rule 2000064. It is similar to what appears when code is being written or edited within programs like Drupal or WordPress.

Evaluating ModSecurity:

If you are persistently being blocked in your firewall while working on your code, ModSec is the likely culprit. The ModSec errors can be found in the Apache error log (in cPanel the path is /usr/local/apache/logs/error_log). The phrase "ModSec" can be quickly isolated from the log (via the command grep "ModSec" /usr/local/apache/logs/error_log).

By comparing your or your developers' IP against the log, you will be able to identify stopped requests that are legitimate. Verify that these are valid requests by double-checking that someone in your organization made them. Once you have done so, you can move forward in setting up a whitelist for the error, per the steps above.

Again, we want to scope the exception to allow the smallest amount of flexibility for an attack while ensuring that we can keep working. If you cannot have a trusted static IP, you will need to use the URI whitelist method, providing the specific page as an exemption. Once the work is complete, remove the whitelisted items from the configuration file so they are not left in place for a real attacker to use.

On a parting note, I encourage you to explore ModSec and learn more of the ins and outs of the software. Exploring different methods of whitelisting is a lot of fun to learn and, most importantly, helps to tighten server security. As always, our Fully Supported Customers can contact our helpful Heroic Support team for assistance. Consider articles on security in our Knowledge Base, like this one on Maldet! It is another excellent way to learn about your server and develop an understanding of server security.
