mod_security functionality bypass through .htaccess issue

Posted by assassin85, 05-05-2007, 12:13 PM
Hello, I accidentally found that it is possible to de-activate mod_security in a particular directory by using a .htaccess like that... I believe it's something related to the "AllowOverride" directive from Apache but I'm not exactly sure; the available arguments for this directive are "AuthConfig, FileInfo, Indexes, Limit, Options". I've tried hard to find a way not to disable the usage of .htaccess files and keep its functionality, but also to prevent it from being able to modify the functionality of mod_security through it. I'm sure anyone here could help me with this issue, as it's a big pain for any server running Apache in a shared vhosting environment.

Posted by zacharooni, 05-05-2007, 12:34 PM
Convenience, or security. Pick.

Posted by assassin85, 05-05-2007, 12:45 PM
to security

Posted by Chris_M, 05-05-2007, 12:45 PM
When you compiled mod_security did you use this flag? If not, recompile with that flag as it tells mod_security to not pay attention to .htaccess.
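
Whichever way the module is built, an admin on a shared host can check which directories already carry such overrides. The script below is an added example, not code posted by anyone in this thread; it assumes ModSecurity 1.x directive names begin with SecFilter or SecAudit, and its function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: ModSecurity 1.x directive
# names start with "SecFilter" or "SecAudit" (e.g. SecFilterEngine).
# Apache treats directive names case-insensitively, so the match does too;
# lines starting with "#" are comments and are excluded by the anchor.
MODSEC_RE='^[[:space:]]*Sec(Filter|Audit)[A-Za-z]*([[:space:]]|$)'

# Print "file:line:text" for each ModSecurity directive found in any
# .htaccess below directory $1.
scan_htaccess() {
    find "$1" -type f -name .htaccess \
        -exec grep -HniE "$MODSEC_RE" {} + || true   # no match is not an error
}

# Print how many .htaccess files below $1 contain at least one directive.
count_override_files() {
    find "$1" -type f -name .htaccess \
        -exec grep -liE "$MODSEC_RE" {} + | wc -l | tr -d ' '
}

# Build a constructed sample tree of docroots in a temp dir, print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site1/public_html" "$t/site2/public_html/app" "$t/site3/public_html"
    # site1: active override next to an ordinary directive
    printf 'Options -Indexes\nSecFilterEngine Off\n' > "$t/site1/public_html/.htaccess"
    # site2: indented, lower-case directive in a subdirectory
    printf '  secfilterinheritance off\n' > "$t/site2/public_html/app/.htaccess"
    # site3: commented-out directive only, must not be reported
    printf '# SecFilterEngine Off\nOptions -Indexes\n' > "$t/site3/public_html/.htaccess"
    echo "$t"
}

# With a directory argument, scan it; with none, scan the constructed sample.
run_scan() {
    root=${1:-}
    cleanup=
    if [ -z "$root" ]; then root=$(make_sample_tree); cleanup=1; fi
    scan_htaccess "$root"
    echo "files with mod_security overrides: $(count_override_files "$root")"
    [ -z "$cleanup" ] || rm -rf "$root"
}
run_scan "$@"
```

Run it with the parent of the user docroots as its argument; any file it lists is a directory where a site owner has changed mod_security behaviour.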

Posted by assassin85, 05-05-2007, 12:50 PM
I installed mod_security from Addon Modules in cPanel. Should I uninstall it and install it from modsecurity.org? Note: my Apache is 1.3.37 Unix and I have FC5.

Posted by cywkevin, 05-05-2007, 12:51 PM
You really shouldn't use cpanel to install mod_security. It uses an old version and doesn't compile against pcre so you take a performance hit.

Posted by assassin85, 05-05-2007, 01:08 PM
OK, I will uninstall it from cPanel and install the last stable release, modsecurity-apache_1.9.4.tar.gz, so I want to know how I can install it and use this flag. Thanks for the help, guys.

Posted by SPaReK, 05-05-2007, 01:23 PM
This should work if you are on a cPanel box and using Apache 1.3.37:

Posted by assassin85, 05-05-2007, 01:34 PM
Thanks SPaReK, I will try it now...

Posted by assassin85, 05-05-2007, 01:52 PM
Have I installed mod_security right? Now when I want to put the rules for mod_security, the configuration will be in right? Thanks very much.

Posted by assassin85, 05-05-2007, 02:13 PM
When I try to restart Apache it gives me this error. Any help?

Posted by SPaReK, 05-05-2007, 02:39 PM
Edit the file /etc/httpd/conf/httpd.conf and find the section listing all of the Apache Modules. Should have a bunch of lines that start with:

LoadModule

Make sure the following line is in the list:

LoadModule security_module libexec/mod_security.so

Then directly below this section is a list of:

AddModule

Make sure the line:

AddModule mod_security.c

is listed. Add these lines if necessary. Save the configuration and restart Apache.

Posted by assassin85, 05-05-2007, 02:53 PM
Thank you very much SPaReK. I want another thing: I edited the rules in the mod_security config in WHM cPanel in the add-ons section, now how can I add them?... In httpd.config? Between ........ ........ Thanks again.

Posted by SPaReK, 05-05-2007, 03:07 PM
What I would recommend doing is creating a new file and adding your rules there. For example, you might create a file:

/usr/local/apache/conf/custom-modsec.conf

In that file, I would add a set:

. . .

In between these two lines add your custom mod_security rules. You will then need to edit your httpd.conf file (/etc/httpd/conf/httpd.conf) and after the AddModule section add:

Include "/usr/local/apache/conf/custom-modsec.conf"

Which will include the custom written mod_security rules into your Apache configuration. You can add the rules directly into your httpd.conf file, but this way you kind of divide this up, instead of cluttering up your httpd.conf file.
