0

Running a shared hosting service, a client contacted me asking if I could disable mod_security for their webapp. The thing is, there is this patchwork webshop CMS called PrestaShop with some hair-raising solutions (I'm not here to complain about that), and for it to function properly, one of its technical requirements is that you must not use mod_security at all.

I was instantly thinking that if I really had to do this, I'd need to change everything, like putting all websites into isolated Docker containers running different webservers and putting an nginx reverse proxy in front of all this; this would be a huge job. Is there any other way to get malicious requests filtered on this specific installation without having to make in-depth changes to the server and expose PrestaShop as a single point of failure?

Rápli András

2 Answers

1

Update mod_security and its rules.

Get help from the pros and their specific community: https://modsecurity.org/help.html

While you wait for a response try some of these things.

http://www.inmotionhosting.com/support/website/modsecurity/find-and-disable-specific-modsecurity-rules

grep ModSecurity /usr/local/apache/logs/error_log | sed -e 's#^.*\[id "\([0-9]*\).*hostname "\([a-z0-9\-\_\.]*\)"\].*uri "#\1 \2 #' | cut -d\" -f1 | sort -n | uniq -c | sort -n

Results in

129 990011 example.com /feed/
4668 950004 example.com /wp-content/themes/drone/jquery.cookie.js
29070 950004 www.example.com /wp-content/themes/drone/jquery.cookie.js

echo "SecRuleRemoveById 950004" >> /usr/local/apache/conf/userdata/std/2/userna5/example.com/modsec.conf

Obviously the paths won't be the same on your server.

I would also recommend trying to modify the rules before disabling them.

Additionally, you can also use snort to monitor your traffic.

https://www.tipsandtricks-hq.com/apache-mod-security-update-how-to-fix-error-406-or-not-acceptable-issue-259

Apparently you can modify the config with a unique .htaccess in each folder. Therefore, you could disable it per site. However, I recommend investigating modifying option 2.

cybernard
  • Specific rules or even the whole Mod Security module can be disabled for specific sites e.g. SecRule SERVER_NAME "www.client.com" "id:1,phase:1,nolog,pass,ctl:ruleEngine=Off" – void_in Jan 02 '17 at 05:04
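
The log triage from the answer above, as an added example that is not part of the original answer or of ModSecurity: a Python version of the grep/sed pipeline that tallies rule hits per hostname and proposes SecRuleRemoveById lines for one named site only. The sample log lines, the hostnames and the `min_hits` threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ModSecurity v2 / Apache error_log style.
SAMPLE_LOG = """\
[error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). [id "950004"] [msg "constructed"] [hostname "shop.example.com"] [uri "/themes/drone/jquery.cookie.js"]
[error] [client 203.0.113.9] ModSecurity: Access denied with code 406 (phase 2). [id "950004"] [msg "constructed"] [hostname "shop.example.com"] [uri "/themes/drone/jquery.cookie.js"]
[error] [client 198.51.100.4] ModSecurity: Access denied with code 406 (phase 2). [id "990011"] [msg "constructed"] [hostname "shop.example.com"] [uri "/feed/"]
[error] [client 198.51.100.4] ModSecurity: Access denied with code 406 (phase 2). [id "950004"] [msg "constructed"] [hostname "www.example.org"] [uri "/index.php"]
[error] [client 198.51.100.4] File does not exist: /var/www/favicon.ico
"""

FIELD = re.compile(r'\[(id|hostname|uri) "([^"]*)"\]')


def tally(log_text):
    """Return {hostname: Counter({(rule_id, uri): hits})} for ModSecurity lines."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        f = dict(FIELD.findall(line))
        # The id ends up in a config file, so accept ASCII digits only.
        if {"id", "hostname", "uri"} <= f.keys() and re.fullmatch(r"[0-9]+", f["id"]):
            hits[f["hostname"]][(f["id"], f["uri"])] += 1
    return hits


def exclusions(hits, host, min_hits=2):
    """Rule ids seen at least min_hits times on `host` only (hypothetical threshold)."""
    per_rule = Counter()
    for (rule_id, _uri), n in hits.get(host, {}).items():
        per_rule[rule_id] += n
    return sorted(r for r, n in per_rule.items() if n >= min_hits)


def render(rule_ids):
    """Lines for that site's own modsec.conf, as in the echo command above."""
    return "\n".join(f"SecRuleRemoveById {r}" for r in rule_ids)


if __name__ == "__main__":
    hits = tally(SAMPLE_LOG)
    for (rule_id, uri), n in hits["shop.example.com"].most_common():
        print(n, rule_id, uri)  # review the URIs before excluding anything
    print(render(exclusions(hits, "shop.example.com")))
```

The threshold keeps a rule that fired once from being excluded automatically, since a single hit is as likely to be a blocked attack as a false positive; the per-URI listing is what to read before writing any exclusion.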
0

That's scary and very bad security practice. You may change the modsec engine into DetectionOnly mode, which will not interfere but will help catch attacks and other bad stuff.