Web Hosting - Web Application Firewall (ModSecurity Protections)

Web Hosting platforms employ the ModSecurity web application firewall (the mod_security web server module) to keep pace with the ever-increasing variety of attacks against open source and custom web applications.

Purpose of ModSecurity

ModSecurity applies a regularly updated rule set that protects sensitive website locations and blocks request patterns commonly used for malicious purposes, such as SQL injection and brute-force login attempts.

About the Rules

RHEL 7 LAMP Platform:

On the newer Red Hat Enterprise Linux 7 LAMP platform, ModSecurity uses the OWASP ModSecurity Core Rule Set (CRS) 3.0, which is much better at avoiding common false positives, especially for WordPress, Drupal and other popular applications.

With this change, we no longer maintain a blanket whitelist for all UW-Madison IP addresses (see Well-known UW-Madison Campus IP address ranges and hosts), including addresses assigned by WiscVPN.

In other words, if ModSecurity detects what it believes to be an attack, it blocks the request whether or not you are on a campus IP address.

RHEL 6 LAMP and Windows/IIS Platforms:

ModSecurity will not block requests that come from a campus IP address or from WiscVPN.

Special Protections:

Sensitive administrative locations have additional protections: requests to them from off campus are blocked, while requests from UW-Madison IP addresses (see Well-known UW-Madison Campus IP address ranges and hosts), including addresses assigned by WiscVPN, are allowed.

These rules block access to the most commonly abused entry points for compromising a customer web site, such as the WordPress xmlrpc.php file and the WordPress administrative login areas.

As a result, customers who need to perform administrative tasks through a web interface from an off-campus location can do so by first logging in to WiscVPN, which is the recommended security practice for all administrative access.

How to Exempt Rules

When ModSecurity blocks a request, the browser receives a 403 Forbidden error.

Note: ModSecurity limits access from off campus for a reason.  If you exempt rules to allow greater access, you accept responsibility for the greater risk to which you expose your web application.

LAMP Servers

There may be situations where you need to exempt rules that are interfering with legitimate interactions.

*** On RHEL 7 platforms you will need to contact Shared Hosting directly for help with this, because exceptions can no longer reside in a .htaccess file within the site ***

To find out which exemptions may be required, check the logs.

-- First, you will need to access the error_log file for your site.  Please refer to Web Hosting - Log File Access for help with this.

-- Once you have your error_log, find the ModSecurity event, keeping in mind the time at which your error occurred.  It will look similar to this:

[Wed Dec 17 10:37:44 2014] [error] [client] ModSecurity: Access denied with code 403 (phase 2). String match "wp-admin" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "18"] [id "200"] [hostname "trial.linux.dwht.doit.wisc.edu"] [uri "/wp-admin"] [unique_id "GE@5aYBoUVAAABRt0owAAAAc"]

Note the "id" field highlighted, this will be used to exempt the rule.

For RHEL 6 Platforms only:

Exempt a single file:

  1. Create or edit the .htaccess file inside the directory that contains the file to be exempted.
  2. Using the "id" found in the error_log, add these lines to the .htaccess file (the <Files> block must be closed) and save your changes:

<Files filename.html>
SecRuleRemoveById 200
</Files>

To exempt an entire directory:

  1. Create or edit the .htaccess file inside the directory to exempt.
  2. Using the "id" found in the error_log, add this line to the .htaccess file and save your changes:

SecRuleRemoveById 200
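The two steps above (find the blocking event in error_log, then write the exemption) are easy to get wrong when a site has many 403s from several rules. The following script is an added example and is not part of the DoIT Web Hosting page or the hosting platform's tooling. It parses the bracketed [key "value"] fields of ModSecurity error_log lines, counts which rule id blocked which URI, and drafts the RHEL 6-style .htaccess exemption for one rule. The log lines embedded in it are constructed samples: the first two follow the RHEL 6 local-rules format shown above (rule id 200), the others follow the OWASP CRS 3 format, where the line that says "Access denied" comes from the anomaly-score evaluation rule (949110) and the rule that actually matched is the earlier "Warning" line with the same unique_id. The hostname, client addresses and unique_id values are made up; the CRS rule ids 942100 and 949110 are real CRS rule numbers.

```python
"""Triage ModSecurity 'Access denied' events in an Apache error_log and draft
the matching .htaccess exemption (added example, not DoIT Web Hosting code)."""
import re
from collections import Counter, defaultdict

# Constructed sample error_log lines (not real traffic; addresses are RFC 5737
# documentation ranges, hostname and unique_id values are made up).
SAMPLE_LOG = """\
[Wed Dec 17 10:37:44 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). String match "wp-admin" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "18"] [id "200"] [hostname "trial.example.edu"] [uri "/wp-admin"] [unique_id "AAAA1"]
[Wed Dec 17 10:38:01 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). String match "wp-admin" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "18"] [id "200"] [hostname "trial.example.edu"] [uri "/wp-admin/admin-ajax.php"] [unique_id "AAAA2"]
[Wed Dec 17 10:40:12 2014] [error] [client 198.51.100.9] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/httpd/modsecurity.d/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "trial.example.edu"] [uri "/search.php"] [unique_id "AAAA3"]
[Wed Dec 17 10:40:12 2014] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "trial.example.edu"] [uri "/search.php"] [unique_id "AAAA3"]
[Wed Dec 17 10:41:00 2014] [notice] something unrelated
"""

# ModSecurity writes its details as [key "value"] pairs; values may contain
# escaped quotes, so allow backslash escapes inside the quoted string.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)')
DENIED = "Access denied with code"


def parse_events(text):
    """Return one dict per ModSecurity line: the [key "value"] fields plus the
    client address and a 'denied' flag (True only for actual blocks)."""
    events = []
    for line in text.splitlines():
        if "ModSecurity:" not in line:
            continue
        ev = dict(FIELD_RE.findall(line))
        m = CLIENT_RE.search(line)
        ev["client"] = m.group(1) if m else ""
        ev["denied"] = DENIED in line
        events.append(ev)
    return events


def blocking_rules(events):
    """Count blocks per (rule id, uri). Local rules (like id 200) deny
    directly. Under CRS 3 anomaly scoring the denying line is the evaluator
    rule, so attribute that block to the Warning line(s) sharing its
    unique_id: those are the rules to consider exempting, never 949110."""
    warnings = defaultdict(list)
    for ev in events:
        if not ev["denied"]:
            warnings[ev.get("unique_id")].append(ev.get("id", "?"))
    counts = Counter()
    for ev in events:
        if ev["denied"]:
            ids = warnings.get(ev.get("unique_id")) or [ev.get("id", "?")]
            for rid in ids:
                counts[(rid, ev.get("uri", ""))] += 1
    return counts


def htaccess_exemption(rule_id, filename=None):
    """Draft the .htaccess text for one rule id, scoped to a single file when
    a filename is given, otherwise to the whole directory. Review it before
    use: every exemption widens the site's exposure."""
    if filename:
        return f"<Files {filename}>\nSecRuleRemoveById {rule_id}\n</Files>\n"
    return f"SecRuleRemoveById {rule_id}\n"


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for (rid, uri), n in sorted(blocking_rules(events).items()):
        print(f"rule {rid:>7}  blocks={n}  uri={uri}")
    # Exempt rule 200 only for the one file that needs it.
    print(htaccess_exemption("200", "admin-ajax.php"))
```

Run it against a real error_log by replacing SAMPLE_LOG with the file contents. Prefer the per-file <Files> form: a bare SecRuleRemoveById in a directory's .htaccess also removes the rule for every script beneath it.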

For Windows/IIS Servers only:

To turn off ModSecurity entirely, you can contact the Web Hosting Service and we can disable it for your site.

Alternatively, you can add the following to an existing web.config file, or create a web.config file in the directory within your site where ModSecurity should be disabled.  The <location> element is optional:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="...">
    <system.webServer>
      <ModSecurity enabled="false" />
    </system.webServer>
  </location>
</configuration>

This disables ModSecurity for that directory and its sub-directories.  Use the <location> element's path to limit the change to specific files or folders so that the rest of the site stays protected.

Note: If you're working with non-UW collaborators who require access to restricted areas of your site, please see Web Hosting - External Developer Access.

Email webhosting@doit.wisc.edu if you have additional questions or require exceptions to a particular rule set.

Keywords: security, blocking, firewall, attacks, IP, filtering, exploits, protection, code, injection, linux, apache, lamp, wordpress, drupal, phpmyadmin, mod_security, linux/apache, mod_sec, modsecurity, windows, iis
Doc ID: 42962
Owner: Jake S.
Group: DoIT Web Hosting
Created: 2014-08-18 12:18 CDT
Updated: 2018-08-20 08:08 CDT
Sites: DoIT Web Hosting