Mod Security whitelistening

gintautas Linux

White-List or Remove the Rule on the Basis of the Rule ID
Every rule in Mod Security is identified by the Rule ID. We will use this ID to white-list the rule. Let’s look into the rule ID for the following error log which was generated by Mod Security.

Now, we will add the following lines in the end of the file for white-listing the rule.

# Remove Mod Security Rules
<LocationMatch .*>
<IfModule mod_security2.c>
    SecRuleRemoveById 960017
</IfModule>
</LocationMatch>
Example:
<LocationMatch auth.php>
<IfModule mod_security2.c>
    SecRuleRemoveById 960017
</IfModule>
</LocationMatch>
  • The SecRuleRemoveById directive is used to remove a rule according to rule ID. The rule ID can be seen in the Mod Security error log. We can also define the multiple rule IDs separated by a comma, or we can also give the rule range. For example, if we want to white-list all the rules that fall between 400 and 500, we can write SecRuleRemoveByID “400-600”.

White-List or Remove the Rule on the Basis of Error Messages
We can see the message “Host Header is a Numeric IP Address” in the error log. Thos type of error message comes when the website is accessed through the IP address. Let us white-list this rule.
We can white-list this rule by the SecRuleRemoveByMsg directive. It will white-list the rule according to the error Message. Add the following lines in the whitelist.conf file.

<LocationMatch .*>
<IfModule mod_security2.c>
     SecRuleRemoveByMsg "Host header is a numeric IP address"
</IfModule>
</LocationMatch>

Disable Mod Security Firewall on a URL
Sometimes there are situations in which we need to disable the firewall on a particular URL. Let us suppose in a website we have a file upload.php in the upload folder. We can white-list this file by adding the following lines of code.

<LocationMatch /upload/upload.php>
<IfModule mod_security2.c>
    SecRuleEngine Off
</IfModule>
</LocationMatch>
  1. LocationMatch is the directive which is used to match the particular location file or folder location on the server. Here, we are defining the location /DVWA/setup.php file.
  2. This directive is used to disable Mod Security in the location which is defined in the above line. Here, we have set it as off. It means that whatever functionality is working on this file, it will not be blocked or logged into the Mod Security error log. We can also set other options as per the requirement with the directive.

There are so many other rules which can be created according to the requirement.