Adding exceptions for Apache mod_sec 2.5

I have some developers working on a site on a cPanel/WHM CentOS 5 server which has Apache running with the mod_security or mod_sec module running. This is a module that prevents several types of attacks against the server. It is sometimes referred to as an open source intrusion detection and prevention engine for web applications, or web application firewall.

To make a long story short, you can place rules in a configuration file, and if those rules are triggered during an HTTP request, the client is refused, usually with an HTTP 406 error.

Anyway, the developer’s IP address was getting added to the blocked list the CSF firewall, which basically blocked any type of access to the server from their IP addresss (HTTP, SSH, FTP, etc.)

Looking in the mod_security log, I could see what was happening.
HTTP Request

/sites/all/modules/code_attributes/admin_save_code_attributes_ajax.php?aid=1,2,3,4,5,6,7,8,9,10&dec=Major%20genre,Minor%20genre,Rating,Beat,Energy,BPM,Adjective%20-%20Feel,Adjective%20-%20Color,Adjective%20-%20Dynamic,Adjective%20-%20Mood&sel=S,S,S,S,S,M,M,S,S,M&leftm=35,40,104,110,114,10,70,0,0,0&it=checkbox,checkbox,select,checkbox,select,checkbox,checkbox,checkbox,checkbox,checkbox&sec=1,2,3,3,3,3,4,5,5,5&iid=genre1,genre2,rating,beat,energy,bpm,adjFeel,adjColor,adjDynamic,adjMood&dw=95%,95%,17%,35%,20%,24%,90%,33%,33%,33%&vior=5,5,1,2,1,1,5,2,2,2&dbn=tracks_ownership.majorGenreID,tracks_ownership.minorGenreID,tracks_ownership.ratingID,tracks_ownership.beat,,tracks_ownership.bpm,user_selected_values.attributeValueID,user_selected_values.attributeValueID,user_selected_values.attributeValueID,user_selected_values.attributeValueID&itv=—-,—-,—-,—-,—-,numeric,—-,—-,—-,—- HTTP/1.1

Mod Security Message

Access denied with code 406 (phase 2). Pattern match “\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})” at ARGS:dw. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]

Apache error_log

[Mon Sep 27 09:06:36 2010] [error] [client] ModSecurity: Access denied with code 406 (phase 2). Pattern match “\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})” at ARGS:dw. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname ""] [uri "/sites/all/modules/code_attributes/admin_save_code_attributes_ajax.php"] [unique_id "TKCW3EKT7zoAAD8UHh0AAAAK"]

Actual Mod_sec rule

# Check decodings
“chain, deny,log,auditlog,msg:’URL Encoding Abuse Attack Attempt’,id:’950107′,severity:’4′”

I could remove the whole rule, which is not recommended especially since it is a core mod_security 2.5 rule, but the best thing to do is to create a localrules exception.

This is done by creating a file in /etc/httpd/modsecurity.d/modsecurity_localrules.conf
Adding these lines to the files – NOTE that the rule ID has been used:
# Exceptions for

SecRuleRemoveByID 950107

You should also add an include in /etc/httpd/conf/modsec2.conf/ that looks like this:

Include “/usr/local/apache/modsecurity.d/modsecurity_localrules.conf”

It should be included within the mod_security2.c ifmodule statement like so.

SecRuleEngine On
# See
# “Add the rules that will do exactly the same as the directives”
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction “phase:2,deny,log,status:406″
SecRule REMOTE_ADDR “^$” nolog,allow
Include “/usr/local/apache/conf/modsec2.user.conf”
Include “/usr/local/apache/modsecurity.d/modsecurity_localrules.conf”

Note that /usr/local/apache/ is symlinked with /etc/httpd/

You can stop and start or restart Apache with the following commands:
> service httpd stop
> service httpd start
or just
> service httpd restart

You should take a look at the apache error_log to make sure that there are not errors. If there is something wrong with your modsecurity configuration, Apache will more than likely not start.

You can tell which version of mod_security you are using by stopping and starting Apache and taking a look at the error_log.
> tail /etc/httpd/logs/error_log
[Mon Sep 27 15:57:37 2010] [notice] ModSecurity for Apache/2.5.12 ( configured.
[Mon Sep 27 15:57:38 2010] [notice] Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 configured — resuming normal operations

Leave a Reply


I'm currently available
for Lotus Notes / Domino consulting engagements.


Connect with me: