How to allow some file extension through ModSecurity using .htaccess?

edited July 2022 in Help

Hello all,

I have a cPanel account and ModSecurity is enabled.
I want to serve, for example, a cfg file, but the server replies back with 403.
If I disable ModSecurity via cPanel, the file gets served OK.

My question: how to allow some extension through ModSecurity using .htaccess?

I'd appreciate any guide on how to solve such access problems.

Thanks
ehab

Comments

  • AlwaysSkint OGSenpai
    edited July 2022

    I've no idea if you can do what you wish in .htaccess, though it is possible by using a per domain modsecurity conf file. I've looked at the CWP implementation of this - example shown below:

    /usr/local/apache/conf/userdata/account_name/account.domain.tld/modsec.conf

    <IfModule mod_security2.c>
          SecRuleRemoveById 981172
    </IfModule>
    

    Replace the modsec rule ID with your 'offending' one.

    For WHM, if you have top-level access, I recommend Configserver ModSecurity Control. It makes it simple, with a GUI.

    HTH

    Thanked by (1)ehab

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • edited July 2022

    @AlwaysSkint, I am a normal user hosting at a cPanel provider.
    I don't have access to any of the modsec conf files.

    My latest attempt was like this (.htaccess):

    <IfModule mod_security2.c>
    <Files somefile.cfg>
      #SecRuleEngine Off
      #SecFilterEngine Off
      #SecFilterScanPOST Off
    </Files>
    </IfModule>
    

    But it's not working; I get a 500 response. I just added # for comments.

  • AlwaysSkint OGSenpai
    edited July 2022

    I'd be surprised if you could defeat modsecurity at a user level - kinda bypasses its purpose. I'm not surprised that those (commented out) directives trigger a 500 response. Your best bet might be to ask your cPanel provider to exclude the particular cfg rule ID from your domain/account. Given your client IP address and approx. time of access, it'll be easy to spot the rule ID that's being triggered.
    Having said that, I might have a play around, should someone else not chime in. ;)

    Thanked by (1)ehab

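Added example (not written by any poster in this thread, and not cPanel or ModSecurity tooling): how a server administrator could find the rule ID from the client IP and requested file, then render it in the per-domain `modsec.conf` form shown in the first reply. It assumes ModSecurity 2.x denials written to the Apache error log; the log lines, IP addresses, hostname and rule IDs 999001/999002 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed Apache error_log lines in ModSecurity 2.x style; every IP, path,
# hostname and rule ID below is made up for this example.
SAMPLE_LOG = """\
[Fri Jul 15 10:12:33.104512 2022] [:error] [pid 2211] [client 203.0.113.7:51234] ModSecurity: Access denied with code 403 (phase 2). [file "/path/to/ruleset.conf"] [line "120"] [id "999001"] [msg "File extension restricted by policy"] [hostname "user.domain.tld"] [uri "/somefile.cfg"] [unique_id "constructed-1"]
[Fri Jul 15 10:12:40.000112 2022] [:error] [pid 2211] [client 198.51.100.9:40022] ModSecurity: Access denied with code 403 (phase 2). [file "/path/to/ruleset.conf"] [line "77"] [id "999002"] [msg "Other rule"] [hostname "user.domain.tld"] [uri "/index.php"] [unique_id "constructed-2"]
[Fri Jul 15 10:13:02.551200 2022] [:error] [pid 2214] [client 203.0.113.7:51240] ModSecurity: Access denied with code 403 (phase 2). [file "/path/to/ruleset.conf"] [line "120"] [id "999001"] [msg "File extension restricted by policy"] [hostname "user.domain.tld"] [uri "/somefile.cfg"] [unique_id "constructed-3"]
[Fri Jul 15 10:13:05.000000 2022] [core:error] [pid 2214] [client 203.0.113.7:51241] AH00124: unrelated non-ModSecurity error
"""

CLIENT = re.compile(r'\[client ([^\]\s]+)\]')           # address, optionally with :port
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [name "value"] metadata pairs


def denied_rules(log_text, client_ip, uri_suffix):
    """Count rule IDs that denied client_ip's requests for URIs ending in uri_suffix."""
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity:" not in line or "Access denied" not in line:
            continue  # skip non-ModSecurity errors and warning-only matches
        m = CLIENT.search(line)
        if not m:
            continue
        addr = m.group(1)
        if addr != client_ip and not addr.startswith(client_ip + ":"):
            continue  # different client (the ":" guard avoids 203.0.113.70 matching .7)
        fields = dict(FIELD.findall(line))
        if fields.get("uri", "").endswith(uri_suffix) and "id" in fields:
            hits[fields["id"]] += 1
    return hits


def exclusion_stanza(rule_ids):
    """Render per-domain modsec.conf content in the form quoted in the thread."""
    body = "\n".join(f"      SecRuleRemoveById {rid}" for rid in sorted(rule_ids))
    return f"<IfModule mod_security2.c>\n{body}\n</IfModule>\n"


if __name__ == "__main__":
    found = denied_rules(SAMPLE_LOG, "203.0.113.7", ".cfg")
    print(dict(found))
    print(exclusion_stanza(found))
```

Review the listed IDs before applying the stanza: each `SecRuleRemoveById` line turns that rule off for every request the configuration file covers, not only for the one file.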

  • AlwaysSkint OGSenpai
    edited July 2022

    In WHM, with the previously mentioned CMC utility, I've discovered two files that are used on a per domain basis:

    /etc/apache2/conf.d/userdata/std/2_4/useraccount/user.domain.tld/modsec.conf
    /etc/apache2/conf.d/userdata/ssl/2_4/useraccount/user.domain.tld/modsec.conf
    

    Without knowing which ModSec Ruleset your provider is using, I can't give you a specific rule ID to add to the whitelist.

    Later:
    https://support.cpanel.net/hc/en-us/articles/4403595742487-How-to-disable-a-mod-security-rule-on-a-per-user-basis-

    Even later:
    I've found a few 'articles' mentioning bypassing modsec. My advice: don't even try - speak to your provider.

    Thanked by (1)ehab


  • bikegremlin ModeratorOGContent Writer
    edited July 2022

    On a DirectAdmin reseller hosting account, I was given options to enter a rule ID and set it to ignore, per each DirectAdmin sub-account individually.

    Hell, I was even advised to do so on an occasion (strange 403), which, for that particular problem, I thought was not the best solution.

    Not every provider allows that (with either DirectAdmin or cPanel).

    What it looks like (DirectAdmin):

    Thanked by (1)ehab

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • bikegremlin ModeratorOGContent Writer

    Forgot the "simple solutions" (not seeing the forest from the trees), here are some other ideas:

    a) .zip the file (if it can be just downloaded).

    b) Put it on a separate cPanel account, using a subdomain, and configure ModSecurity for that account differently.

    Thanked by (2)ehab AlwaysSkint


  • I will wait for my ticket reply.

    Meanwhile, another provider with cPanel has ModSecurity on, but the extension is permissible. So it must be different from one provider to another.

    And @bikegremlin yep, there are simpler solutions. I might change the extension altogether, let's see ...

  • Note: It's not uncommon to have a range of excluded rules. Each of the control panels usually has a predefined exclusion set, used for the control panel itself, plus often further entries for WordPress and others.


  • I did get a reply to my ticket, and extensions were added to rules from the server side and they work now as expected.

    So the only way is server side.

    Thanked by (1)AlwaysSkint
  • @ehab said: ..so the only way is server side.

    As I suspected/expected. ;)

    Thanked by (1)ehab
