Web Hosting - Web Application Firewall (ModSecurity Protections)
DoIT's Web Hosting service platforms employ web application firewalls (ModSecurity) to keep pace with the ever-increasing variety of attacks against open source and custom web applications.
Purpose of ModSecurity
ModSecurity is used to apply a dynamic rule set that protects websites and denies access to functions commonly used for malicious purposes such as SQL injection and brute force attacks.
About the Rules
ModSecurity's restrictions on our platforms make use of various rule sets, which attempt to eliminate common false positives, especially for WordPress, Drupal, and other applications.
However, if Mod Security detects what it believes to be an attack it will block it.
How to Exempt Rules
When ModSecurity performs a block it will be shown in the form of a 403 forbidden error in the browser and you can also check your web logs for more details.
Linux/Apache Servers
There may be situations where you will need to exempt rules that are interfering with legitimate interactions.
*** You will need to contact Shared Hosting directly for help as the exceptions cannot reside in a .htaccess file within the site ***
To find what exemptions that maybe required you are able to check the logs.
-- Firstly, you will need to access the log files file for your site. Please refer to Web Hosting - Log File Access for help with this.
-- Once you access your logs you will need to find the ModSecurity event(s), keeping in mind the time that your error occurred. It will look similar to this:
[Wed Dec 17 10:37:44 2014] [error] [client 67.159.5.242] ModSecurity: Access denied with code 403 (phase 2). String match "wp-admin" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "18"] [id "200"] [hostname "trial.linux.dwht.doit.wisc.edu"] [uri "/wp-admin"] [unique_id "GE@5aYBoUVAAABRt0owAAAAc"]
Note the "id" field highlighted, this will be used to exempt the rule for particular locations and can be provided to the service admins in order to craft an exemption.
NOTE: If a rule is exempted it will not block but still log a 403.
For Windows/IIS Servers:
Conversely, you can configure the following in your web.config file within your site. The <location> directives are optional:
<?xml version="1.0" encoding="UTF-8"?>
<configuration><location path="..."/>
<system.webServer>
<ModSecurity enabled="false">
</system.webServer></location>
</configuration>
This will remove ModSecurity from that directory and its sub-directory. You can also use the <location> directive to protect only specific files/folders.
Email webhosting@doit.wisc.edu if you have additional questions or require exceptions to a particular ruleset.