Jump to content

Add some info about mod_security and suPHP in ACP


Jaymez

Recommended Posts

Posted

I suggest adding info in the ACP about the caveats that mod_security and suPHP may present if end user has them in use, and what to do to address them. CHMOD 777 will "break" suPHP. mod_security can potentially "break" the sql tool box, screenshots (idm), upload progress (idm), dynamic images, large posts, posts with the word select in them, or posts with url paths in them. A heads up on what to white list may save some time in the support ticket arena. Thanks!

  • 4 years later...
Posted

For your information, somebody might be able to use the following info:

We had quite some false positives using ModSecurity. We've commented the following entries by now:

# Check decodings
# SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" 
# "chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'1234123440',severity:'4'"
# SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"


# SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'1234123439',severity:'4'"

(...)

# allow request methods
# SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" 
#    "phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'1234123435',tag:'POLICY/METHOD_NOT_ALLOWED'"

After this ModSec is still blacklisting IP's, but almost none from the countries where most of our users reside (responsible for 99% of traffic).

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...