Centos – Disable modsecurity For a Specific Directory

apache-2.2centoshttpdmod-security

How do you disable modsecurity for just a specific directory. I'm getting errors in phpMyAdmin that are caused by modsecurity tripping based on rules. I have the following files set up:

# /etc/httpd/modsecurity.d/modsecurity_crs_15_customrules.conf
<LocationMatch "^/phpMA/">
    SecRuleEngine Off
</LocationMatch>

# /etc/httpd/modsecurity.d/modsecurity_crs_60.custom.conf
<LocationMatch '^/phpMA/*'>
    SecRuleRemoveById 950004
    SecRuleRemoveById 950005
    SecRuleRemoveById 950006
    SecRuleRemoveById 960010
    SecRuleRemoveById 960012
</LocationMatch>

From what I can find the first file should disable it, but it still trips, so I tried adding the rule IDs it is tripping to the 60 file, but it still complains.

I'm running the following packages on CentOS 5.3:

mod_security-2.5.0-jason.2
httpd-2.2.8-jason.3
mod-php5-apache2-zend-ce-5.2.10-65

Best Answer

SecRuleEngine Off must work . Have you tried to put SecRuleEngine inside Directory:

<Directory /var/www/site/phpMA>
SecRuleEngine Off
</Directory>

instead of LocationMatch ?

Related Solutions

Modsecurity inbound_anomaly_score

Are you accessing the machine via IP instead of DNS? This is designed behavior if so, as mod_security is outputting this message in response to the machine being accessed via IP. If you don't want the error you could comment out the rule in the file listed in your error.

For some background info, the reason the rule exists in the default configuration is because in most web sites you have a DNS associated name. So your customer base should be using that name. Lots of malicious bots like to "attack" or find vulnerable machines, by simply incrementing through IP ranges. By blocking these requests by IP at the outset you arguably lower risk. Make sure to remember to restart Apache after the change.

ModSecurity block specific string in request

Which ModSecurity version are you using? ARGS variable only includes QUERY_STRING + POST_PAYLOAD in version 1.X. If you're running version 2.X, with your above rule, testing with a request as below:

http://domain.com/a?b=km0ae9gr6m

you'll see something like this in the audit_log:

[modsecurity] [client x.x.x.x] [domain domain.com] [302] [/20120813/20120813-1226/20120813-122624-70QXqH8AAAEA AEucDbkAAAAA] [file "/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf"] [line "305"] [msg "Access Denied"] Access denied with code 403 (phase 2). Pattern match "km0ae9gr6m" at ARGS:b.

In ModSecurity 2.x, ARGS expands to individual variables. So, try this:

SecRule REQUEST_URI|ARGS|REQUEST_BODY "km0ae9gr6m" "log,deny,msg:'Access Denied'"

Best Answer

Related Solutions

Modsecurity inbound_anomaly_score

ModSecurity block specific string in request

Related Topic