Web Hosting - Web Application Firewall (ModSecurity Protections)

Web Hosting platforms employ the web application firewall ModSecurity (the mod_sec web server module) to keep pace with the ever-increasing variety of attacks against open source and custom web applications.

Purpose of ModSecurity

ModSecurity is used to apply a dynamic rule set that protects sensitive website locations and denies access to functions commonly used for malicious purposes such as SQL injection and brute force attacks.

About the Rules

To ensure ease of access for our customers, ModSecurity's restrictions on sensitive administrative locations do not apply to access attempts from UW-Madison IP addresses (see Well-known UW-Madison Campus IP address ranges and hosts), including IPs provided by WiscVPN. As a result, customers who need to perform administrative tasks via a web interface from an off-campus location can do so by first logging in to WiscVPN, which is a recommended security practice for all administrative purposes.

In addition, there are rules in place to block access to the most egregious and obvious targets of attempts to compromise a customer web site, such as the xmlrpc.php file for WordPress.

How to Exempt Rules

Note: Access from off-campus is limited by ModSecurity for a reason.  If you exempt rules to allow greater access, you are responsible for exposing your web application to greater risk.

LAMP Servers

There may be situations where you need to exempt rules that are interfering with legitimate interactions from off campus or elsewhere.  You can contact Shared Hosting directly for help with this, or read on for instructions on how to perform the exemption yourself.

-- Firstly, you will need to access the error_log file for your site.  Please refer to Web Hosting - Log File Access for help with this.

-- Once you have your error_log, you will need to find the ModSecurity event, keeping in mind the time that your error occurred.  It will look similar to this:

[Wed Dec 17 10:37:44 2014] [error] [client] ModSecurity: Access denied with code 403 (phase 2). String match "wp-admin" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "18"] [id "200"] [hostname "trial.linux.dwht.doit.wisc.edu"] [uri "/wp-admin"] [unique_id "GE@5aYBoUVAAABRt0owAAAAc"]

Note the "id" field (200 in this example); it will be used to exempt the rule.

To exempt a single file:

  1. Create or edit the .htaccess file inside the directory that contains the file to be exempted.
  2. Using the "id" found in the error_log, add these lines to the .htaccess file and save your changes:

<Files filename.html>
SecRuleRemoveById 200
</Files>

To exempt an entire directory:

  1. Create or edit the .htaccess file inside the directory to exempt.
  2. Using the "id" found in the error_log, add this line to the .htaccess file and save your changes:

SecRuleRemoveById 200
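
The error_log lookup described above can be scripted. This is an added example, not part of the original document or the Web Hosting service's own tooling: it extracts ModSecurity denials from error_log lines, counts them per rule id and URI so you can see what an exemption would open up, and renders the single-file stanza. The function names, rule id 201, and every log line after the first are constructed for illustration.

```python
import re
from collections import Counter

# First line is the event shown on this page; the others are constructed
# (documentation-range client IPs, made-up rule id 201 and unique_ids).
SAMPLE_LOG = r'''
[Wed Dec 17 10:37:44 2014] [error] [client] ModSecurity: Access denied with code 403 (phase 2). String match "wp-admin" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "18"] [id "200"] [hostname "trial.linux.dwht.doit.wisc.edu"] [uri "/wp-admin"] [unique_id "GE@5aYBoUVAAABRt0owAAAAc"]
[Wed Dec 17 10:38:02 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). String match "wp-admin" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "18"] [id "200"] [hostname "example.org"] [uri "/wp-admin"] [unique_id "CONSTRUCTED0001"]
[Wed Dec 17 10:39:15 2014] [error] [client 198.51.100.23] ModSecurity: Access denied with code 403 (phase 2). String match "xmlrpc.php" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "25"] [id "201"] [hostname "example.org"] [uri "/xmlrpc.php"] [unique_id "CONSTRUCTED0002"]
[Wed Dec 17 10:40:01 2014] [error] [client 198.51.100.23] File does not exist: /var/www/html/favicon.ico
'''.strip().splitlines()

EVENT = re.compile(r'^\[(?P<time>[^\]]+)\] \[error\] \[client ?(?P<client>[^\]]*)\] ModSecurity: (?P<msg>.*)$')
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')  # e.g. [id "200"], [uri "/wp-admin"]


def parse_denials(lines):
    """Return one dict per ModSecurity 'Access denied' event in an error_log."""
    events = []
    for line in lines:
        m = EVENT.match(line.strip())
        if not m or "Access denied" not in m["msg"]:
            continue  # not a ModSecurity block (e.g. a plain 404)
        fields = dict(FIELD.findall(m["msg"]))
        if "id" in fields:
            events.append({"time": m["time"], "client": m["client"] or None,
                           "rule_id": fields["id"], "uri": fields.get("uri")})
    return events


def summarize(events):
    """Count denials per (rule id, URI) to show what an exemption would open up."""
    return Counter((e["rule_id"], e["uri"]) for e in events)


def files_exemption(filename, rule_id):
    """Render the single-file .htaccess stanza; reject values that could break out of it."""
    if not re.fullmatch(r"[0-9]+", rule_id) or not re.fullmatch(r"[\w.-]+", filename):
        raise ValueError("unexpected rule id or filename")
    return f"<Files {filename}>\nSecRuleRemoveById {rule_id}\n</Files>\n"


if __name__ == "__main__":
    for (rule_id, uri), n in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(f"rule {rule_id} denied {uri} {n} time(s)")
    print(files_exemption("filename.html", "200"))
```

To run it on a real log, pass an open file handle for your error_log to parse_denials in place of SAMPLE_LOG. Review the per-URI counts and client addresses before exempting anything, and prefer the single-file form over the directory form when only one file is affected.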

Windows Servers

To turn off ModSecurity, you can contact Web Hosting Service and we can disable it. 

Alternatively, you can add the following to a web.config file, or create a web.config file within your site.  The <location> directives are optional:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <location path="...">
        <system.webServer>
            <ModSecurity enabled="false" />
        </system.webServer>
    </location>
</configuration>

This will remove ModSecurity from that directory and its subdirectories.  You can also use the <location> directive to protect only specific files/folders.

Note: If you're working with non-UW collaborators who require access to restricted areas of your site, please see Web Hosting - External Developer Access.

Email webhosting@doit.wisc.edu if you have additional questions or require exceptions to a particular rule set.

Keywords: security, blocking, firewall, attacks, IP, filtering, exploits, protection, code, injection, linux, apache, lamp, wordpress, drupal, phpmyadmin, mod_security, linux, apache, linux/apache, mod_sec, modsecurity, windows, iis
Doc ID: 42962
Owner: Jake S.
Group: DoIT Web Hosting
Created: 2014-08-18 11:18 CST
Updated: 2016-05-16 09:15 CST
Sites:DoIT Web Hosting