2

I have never activated mod_security or edited Virtual Hosts before, so it's a new challenge for me. I tried to follow this tutorial, but it seems that most of the tutorials around the web do not reflect my situation. I have an EC2 instance running Apache 2 on Ubuntu 14.04. I don't have a file called httpd; however, inside my /etc/apache2/sites-available folder I have a file called 000-default.conf:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        <IfModule security2_module>
            SecRuleEngine Off
        </IfModule>
        <Directory /var/www >
            AllowOverride All
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

And this is my security2.conf, located in /etc/apache2/mods-available:

<IfModule security2_module>
        SecDataDir /var/cache/modsecurity
        Include "/usr/share/modsecurity-crs/*.conf"
        Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
        IncludeOptional /etc/modsecurity/*.conf
</IfModule>

I wish to enable mod_security, but right now I cannot because inside the ../html folder (the folder of my website) I have WordPress and phpMyAdmin (so if I remove SecRuleEngine Off, it gives me a permission denied error on the whole website). From the tutorial mentioned above I know that I need to use this code to exclude a specific directory:

<Directory "/var/www/wp-admin">
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</Directory>

What I don't understand is: do I need to create a new .conf file inside /sites-available? For example, what should the .conf file look like to exclude the phpMyAdmin directory located in /usr/share/phpmyadmin?

dr house
  • Is there an explicit config for mod_security under /etc/apache2/ ? – anup Feb 19 '15 at 12:45
  • Is there an explicit config for mod_security under /etc/apache2/ ? I do not have Ubuntu so cannot verify the same. Usually, there is a separate configuration for mod_security as 'mod_security.conf'. If not, then it could be in /etc/apache2/apache2.conf – anup Feb 19 '15 at 12:53
  • @anup yes I have `/etc/apache2/mods-available/security2.conf` with correct configuration – dr house Feb 19 '15 at 13:11
  • @anup what I don't know is how to exclude only a directory, not the whole website – dr house Feb 19 '15 at 13:13

1 Answer

3

[This was too long for a comment, so posted it as an answer. Hope it helps]

It seems you have not configured Virtual Hosts. Instead, you have just one main DocumentRoot and you call sites with an http://ip-address/site-folder URL.

Let's say it's two virtual hosts: one in /var/www/html/wordpress and the other in /var/www/html/phpmyadmin.
If you need to disable it for phpmyadmin, then under the virtual host configuration of phpmyadmin, add the lines that you stated in the latter half:

<VirtualHost *:80>
  ..
  ..
  ..
    <Directory "/var/www/html/phpmyadmin">
      <IfModule security2_module>
          SecRuleEngine Off
      </IfModule>
    </Directory>
  ..
  ..
</VirtualHost>

And to disable it for the WordPress admin, add the same under the WordPress site's virtual host configuration, i.e.:

<VirtualHost *:80>
  ..
  ..
  ..
     <Directory "/var/www/html/wordpress/wp-admin">
      <IfModule security2_module>
         SecRuleEngine Off
      </IfModule>
    </Directory>
  ..
  ..
</VirtualHost>

Source: https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu

If there is no VirtualHost configuration, then you can try adding the directive: <Directory>..</Directory> for both phpmyadmin and wp-admin in the mod_security config file: '/etc/apache2/mods-available/security2.conf'

Test the syntax with apachectl -t before reloading it.

anup
  • How to exclude sec2 inside a page of wordpress (wp-admin/post.php?post=330&action=edit)? – dr house Aug 02 '15 at 16:21
  • 1
    Hmm. That's tricky because WordPress has this page under a query parameter. So, the rules given above will not be useful to deal with it. Location and LocationMatch do not take query parameters. I think it will be useful if you can look into Mod_Security rules (and their forums) for help. Start with logging mod_security's actions into an isolated log file. And then look for the reason why it was blocked. Perhaps you can either look for wordpress-safe-rules for mod_security or raise another question on serverfault or Mod_Security forums for guidance. – anup Aug 03 '15 at 06:02
  • In fact I already did it... in my virtualhost I set `SecRuleEngine DetectionOnly` for the moment – dr house Aug 04 '15 at 11:34
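
The log-review step suggested in the comments above, as an added example (not code from the original posters): with the engine in `DetectionOnly`, it tallies which ModSecurity rule ids fired on which URI in the Apache error log, and whether each hit was a warning or a denial. The log lines, rule ids, hostnames and the function names `parse_line`, `rules_by_uri` and `report` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Apache 2.4 error.log style used by ModSecurity 2.x.
# Rule ids, messages, addresses and unique_ids are invented for illustration.
SAMPLE_LOG = r'''
[Tue Aug 04 11:30:01.100000 2015] [:error] [pid 1200] [client 203.0.113.5] ModSecurity: Warning. Pattern match "..." at ARGS:content. [file "/usr/share/modsecurity-crs/activated_rules/sample_a.conf"] [line "64"] [id "900101"] [msg "Constructed: markup in \"content\" field"] [hostname "example.test"] [uri "/wp-admin/post.php"] [unique_id "AAAA0001"]
[Tue Aug 04 11:30:09.200000 2015] [:error] [pid 1200] [client 203.0.113.5] ModSecurity: Warning. Pattern match "..." at ARGS:content. [file "/usr/share/modsecurity-crs/activated_rules/sample_a.conf"] [line "64"] [id "900101"] [msg "Constructed: markup in \"content\" field"] [hostname "example.test"] [uri "/wp-admin/post.php"] [unique_id "AAAA0002"]
[Tue Aug 04 11:31:15.300000 2015] [:error] [pid 1201] [client 203.0.113.5] ModSecurity: Warning. Operator GE matched 5 at TX:score. [file "/usr/share/modsecurity-crs/activated_rules/sample_b.conf"] [line "12"] [id "900102"] [msg "Constructed: score exceeded"] [hostname "example.test"] [uri "/wp-admin/post.php"] [unique_id "AAAA0003"]
[Tue Aug 04 11:32:40.400000 2015] [:error] [pid 1202] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:sql_query. [file "/usr/share/modsecurity-crs/activated_rules/sample_a.conf"] [line "80"] [id "900103"] [msg "Constructed: SQL keywords"] [hostname "example.test"] [uri "/phpmyadmin/import.php"] [unique_id "AAAA0004"]
[Tue Aug 04 11:33:00.500000 2015] [core:notice] [pid 1100] AH00094: Command line: /usr/sbin/apache2
'''

# Matches [key "value"] tags; the value may contain backslash-escaped quotes.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return the ModSecurity tags of one error.log line, or None for other lines."""
    _, sep, rest = line.partition("ModSecurity: ")
    if not sep:
        return None
    tags = dict(TAG.findall(rest))
    if "id" not in tags or "uri" not in tags:
        return None
    # "Access denied" means the request was blocked; "Warning" is detection only.
    tags["action"] = "denied" if rest.startswith("Access denied") else "warning"
    return tags

def rules_by_uri(log_text):
    """Map each request URI to a Counter keyed by (rule id, action)."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            hits[event["uri"]][(event["id"], event["action"])] += 1
    return hits

def report(log_text):
    """One line per URI, rule id and action, most frequent first within each URI."""
    out = []
    for uri, counts in sorted(rules_by_uri(log_text).items()):
        for (rule_id, action), n in counts.most_common():
            out.append(f"{uri}  {rule_id}  {action}  x{n}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Each URI and rule id pair in the report is a candidate for a narrow `SecRuleRemoveById` inside a matching `<Location>` block, which keeps the rest of the rule set active on that path instead of switching the engine off for the whole directory.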