Web Hosting - Web Application Firewall (ModSecurity Protections)

DoIT's Web Hosting service platforms employ web application firewalls (ModSecurity) to keep pace with the ever-increasing variety of attacks against open source and custom web applications.

Purpose of ModSecurity

ModSecurity is used to apply a dynamic rule set that protects websites and denies access to functions commonly used for malicious purposes such as SQL injection and brute force attacks.

About the Rules

ModSecurity's restrictions on our platforms make use of various rule sets, which attempt to eliminate common false positives, especially for WordPress, Drupal and other applications.

However, if Mod Security detects what it believes to be attack it will block it.

How to Exempt Rules

When ModSecurity performs a block it will be shown in the form of a 403 forbidden error in the browser and you can also check your web logs for more details.

Linux/Apache Servers

There maybe situations where you will need to exempt rules that are interfering with legitimate interactions. 

*** You will need to contact Shared Hosting directly for help as the exceptions cannot reside in a .htaccess file within the site ***

To find what exemptions that maybe required you are able to check the logs.

-- Firstly, you will need to access the log files file for your site.  Please refer to Web Hosting - Log File Access for help with this.

-- Once you access your logs you will need to find the ModSecurity event(s), keeping in mind the time that your error occurred.  It will look similar to this:

[Wed Dec 17 10:37:44 2014] [error] [client 67.159.5.242] ModSecurity: Access denied with code 403 (phase 2). String match "wp-admin" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "18"] [id "200"] [hostname "trial.linux.dwht.doit.wisc.edu"] [uri "/wp-admin"] [unique_id "GE@5aYBoUVAAABRt0owAAAAc"]

Note the "id" field highlighted, this will be used to exempt the rule for particular locations and can be provided to the service admins in order to craft an exemption.

NOTE:  If a rule is  exempted it will not block but still log a 403.

For Windows/IIS Servers:

To disable ModSecurity, you can contact the Web Hosting Service and we can disable it. 

Conversely, you can configure the following in your web.config file within your site.  The <location> directives are optional:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>

<location path="..."/>

     <system.webServer>
            <ModSecurity enabled="false">
     </system.webServer>

</location>

</configuration>

This will remove ModSecurity from that directory and its sub-directory.  You can also use the <location> directive to protect only specific files/folders.

Email webhosting@doit.wisc.edu if you have additional questions or require exceptions to a particular rule set.




Keywords:security, blocking, firewall, attacks, IP, filtering, exploits, protection, code, injection, linux, apache, lamp, wordpress, drupal, phpmyadmin, mod_security, linux, apache, linux/apache, mod_sec, modsecurity, windows, iis   Doc ID:42962
Owner:Jake S.Group:DoIT Web Hosting
Created:2014-08-18 11:18 CSTUpdated:2021-08-19 06:23 CST
Sites:DoIT Web Hosting
Feedback:  0   0