Are you thinking about the ModSecurity whitelist IP option?
ModSecurity inspects HTTP traffic and blocks requests that match its rules. However, these rules sometimes trigger on legitimate requests as well.
This breaks the normal working of the website.
At Bobcares, we often receive requests to whitelist an IP in ModSecurity as part of our Server Management Services.
Today, let's discuss how our Support Engineers whitelist an IP in ModSecurity.
Need for ModSecurity whitelisting
ModSecurity protects against a range of attacks and provides HTTP traffic monitoring.
As a result, it can block common code injection attacks and thereby strengthen the security of the server.
Almost 75% of server attacks are now carried out at the web application level.
ModSecurity filters every request to the website before it reaches the application, which makes it harder for attackers to exploit the server.
Unfortunately, ModSecurity rules sometimes block valid transactions as well. That's where whitelisting the affected IP (or the affected URL) in ModSecurity comes in.
Steps to add IP to whitelist
Now it's time to see the actual steps involved in whitelisting an IP address in ModSecurity. This involves finding the real user's IP address and the rule that blocked it, and then adding an exception to the ModSec configuration.
Let's take a detailed look at it.
How we find the IP and the ModSecurity rule
To whitelist the IP in ModSecurity, we first find out our IP or our developer's IP. There are many online tools that show the public IP address from which a user connects.
Then our Dedicated Engineers find the relevant entries for that IP in the Apache error log with the following command (adjust the log path if your server keeps it elsewhere):
grep ModSec /usr/local/apache/logs/error_log | grep "IP here"
(We replace "IP here" with the actual IP.)
We get output like this (one log line, wrapped here for readability):
[Sat Jun 25 23:07:04.177701 2019] [:error] [pid 78007:tid 139708457686784] [client xx.xx.xxx.x:30095] [client xx.xx.xxx.x] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.xxx.conf"] [line "109"] [id "20000221"] [hostname "yy.yyy.yyy.yyy"] [uri "/db/index.php"] [unique_id "WwjPWChxvG1CO4kz-D55eQAAACU"]
This tells us the client IP that tripped the rule, the ID of the rule within ModSec (together with the file and line where that rule is defined), and the URI that was being requested when the block happened. All three are needed: the IP and URI decide what to exempt, and the ID decides which rule to exempt it from.
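Grepping one IP at a time works, but before whitelisting anything it helps to see which client is hitting which rule on which URI, and how often. The following is an added example (not code from the original article) that extracts those three fields from every "Access denied" line in an Apache error log and counts them. The log lines embedded in it are constructed test data using RFC 5737 addresses, shaped like the entry quoted above; the rule IDs and messages in them are sample values only.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the ModSecurity
# "Access denied" entries in an Apache error_log so that the client IP, the
# rule ID and the requested URI can be read off before anything is whitelisted.
# Usage on a real server:  modsec_summary < /usr/local/apache/logs/error_log
# SAMPLE_LOG below is constructed test data (RFC 5737 addresses, sample IDs).

SAMPLE_LOG='[Tue Jun 25 23:07:04.177701 2019] [:error] [pid 78007:tid 139708457686784] [client 203.0.113.10:30095] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.xxx.conf"] [line "109"] [id "20000221"] [hostname "203.0.113.50"] [uri "/db/index.php"] [unique_id "constructed-1"]
[Tue Jun 25 23:07:09.201113 2019] [:error] [pid 78007:tid 139708457686784] [client 203.0.113.10:30101] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.xxx.conf"] [line "109"] [id "20000221"] [hostname "203.0.113.50"] [uri "/db/index.php"] [unique_id "constructed-2"]
[Tue Jun 25 23:08:00.000421 2019] [:error] [pid 78010:tid 139708457686784] [client 198.51.100.7:44010] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec2.xxx.conf"] [line "40"] [id "981176"] [hostname "203.0.113.50"] [uri "/wp-login.php"] [unique_id "constructed-3"]
[Tue Jun 25 23:08:30.777001 2019] [:error] [pid 78010:tid 139708457686784] [client 198.51.100.7:44011] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i)union" at ARGS:q. [file "/etc/apache2/conf.d/modsec2.xxx.conf"] [line "77"] [id "950901"] [hostname "203.0.113.50"] [uri "/index.php"] [unique_id "constructed-4"]'

# Print one "client_ip rule_id uri" line per blocked request, reading the log
# on stdin. Lines that are only warnings (rule matched, nothing denied) are
# skipped, because they never caused a false positive the user could notice.
modsec_triage() {
  grep 'ModSecurity: Access denied' |
  sed -n 's/.*\[client \([^]:]*\)[^]]*\].*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2 \3/p'
}

# Count the denials per (client_ip, rule_id) pair, most frequent first, keeping
# the last URI seen for that pair as a hint of where the block happens.
modsec_summary() {
  modsec_triage |
  awk '{ k = $1 " " $2; n[k]++; uri[k] = $3 } END { for (k in n) print n[k], k, uri[k] }' |
  sort -rn
}
```

Run `printf '%s\n' "$SAMPLE_LOG" | modsec_summary` to see the counts for the sample: two denials for 203.0.113.10 by rule 20000221 on /db/index.php, one for 198.51.100.7 by rule 981176 on /wp-login.php, and the warning line ignored. A pair that recurs from one address on one URI is a whitelisting candidate; the same rule firing from many addresses usually means the rule is doing its job.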
How do we add the IP to ModSecurity?
So far we have seen why the ModSecurity whitelist option is needed. Let's now look at the various ways in which our Support Engineers whitelist an IP in ModSecurity.
1. IP whitelisting
Once we have the correct ModSec error, we edit the ModSec configuration.
1. If the customer is using EasyApache 4, we keep the exceptions in /etc/apache2/conf.d/modsec2/whitelist.conf. Make sure this file is actually included by the ModSecurity configuration: a file Apache never loads has no effect, and apachectl -t will not warn about it.
2. Then we open the file with a text editor.
vi /etc/apache2/conf.d/modsec2/whitelist.conf
3. After this, we add the following rule, with the IP edited to match the intended address:
SecRule REMOTE_ADDR "^xx\.xx\.xxx\.x$" "phase:1,nolog,allow,ctl:ruleEngine=Off,id:9000001"
[ Note: each dot in the IP is escaped with a backslash (\) and the pattern is anchored with a caret (^) at the start and a dollar sign ($) at the end; without the $, 10.1.1.1 would also match 10.1.1.10 and 10.1.1.100. The id must be unique to this new rule: do not reuse the ID of the rule that fired (20000221 above), because ModSecurity refuses to load two rules with the same id. 9000001 is only an example value; pick any number not used by another rule on the server. Note also that ctl:ruleEngine=Off switches ModSecurity off completely for requests from that address; to skip only the rule that misfired, put ctl:ruleRemoveById=20000221 in its place. ]
2. Allow the URL
In some cases, when the IP is dynamic (it keeps changing), it is better to make the exception per URI instead. To do this, our Dedicated Engineers:
1. First, open the configuration file with the command below.
vi /etc/apache2/conf.d/whitelist.conf
2. Then we add the following text to the configuration file.
<LocationMatch "/db/index.php">
SecRuleRemoveById 20000221
</LocationMatch>
/db/index.php = replace this with the URL path to exempt. LocationMatch takes a regular expression, so an unescaped dot matches any character; escape it as \. and anchor the pattern if you want the exception limited to exactly that path.
20000221 = replace this with the ID of the rule that fired. This removes that one rule for every client requesting the path, which is narrower than switching ModSecurity off for an address, but wider if the path is the one being attacked.
3. Finally, we check that the configuration parses. On EasyApache 4 we run the command below.
apachectl -t
4. The command returns "Syntax OK", after which we restart Apache.
/scripts/restartsrv_httpd
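The two exceptions above (per-IP and per-URI) are short, but each has a way to go wrong: a reused rule id stops Apache from starting, an unanchored or unescaped pattern matches more than intended, and switching the engine off for an address turns every rule off for it. The following is an added example, not code from the original article, that generates both exceptions as a config fragment with those checks applied. It uses the @ipMatch operator instead of a regex, which accepts a comma-separated list of addresses (this is also the answer to the multiple-IP question in the comments at the end of the page). All IDs, addresses and paths are example values: 20000221 is the rule from the log above, 9000001 is assumed to be a free ID for our own rule, and the file names passed for the duplicate-ID scan are whatever rule files your server already loads.

```shell
#!/bin/sh
# Added example, not from the original article: generate the per-IP and
# per-URI ModSecurity exceptions described above, with the checks that keep a
# whitelist from breaking Apache or over-reaching. Example values only:
# 20000221 is the rule that fired in the article's log, 9000001 is assumed
# to be a free ID for our own rule (pick any number no other rule uses).

# Accept only a well-formed dotted-quad IPv4 address, so a typo never becomes
# a rule that matches nothing or, worse, more than intended.
is_ipv4() {
  ip=$1
  printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Succeed only if none of the given rule files already defines an "id:" equal
# to $1. ModSecurity refuses to start when two rules share an ID, which is why
# the new rule must not reuse the ID of the rule that fired.
id_is_free() {
  id=$1; shift
  for f in "$@"; do
    [ -r "$f" ] || continue
    grep -Eq "(^|[,\"[:space:]])id:'?${id}'?([,\"[:space:]]|$)" "$f" && return 1
  done
  return 0
}

# Per-IP exception: for the comma-separated source addresses, drop only the
# rule that misfired (ctl:ruleRemoveById) rather than switching the whole
# engine off for them (ctl:ruleEngine=Off). @ipMatch takes a list of
# addresses or CIDR ranges, so one rule covers several developer IPs.
ip_exception_rule() {
  new_id=$1; rule_id=$2; ips=$3
  oldifs=$IFS; IFS=,
  for ip in $ips; do
    if ! is_ipv4 "$ip"; then
      IFS=$oldifs
      echo "invalid IPv4 address: $ip" >&2
      return 1
    fi
  done
  IFS=$oldifs
  printf 'SecRule REMOTE_ADDR "@ipMatch %s" "id:%s,phase:1,pass,nolog,ctl:ruleRemoveById=%s"\n' \
    "$ips" "$new_id" "$rule_id"
}

# Per-URI exception: disable the rule for one path only. LocationMatch takes
# a regular expression, so the dots are escaped and the path is anchored.
uri_exception_rule() {
  rule_id=$1; path=$2
  escaped=$(printf '%s' "$path" | sed 's/\./\\./g')
  printf '<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>\n' "$escaped" "$rule_id"
}

# Compose the fragment. Any existing rule files passed after the four
# arguments are scanned so that NEW_ID is rejected if it is already taken.
build_whitelist() {
  new_id=$1; rule_id=$2; ips=$3; path=$4; shift 4
  if ! id_is_free "$new_id" "$@"; then
    echo "rule id $new_id is already used in an existing rule file" >&2
    return 1
  fi
  ip_exception_rule "$new_id" "$rule_id" "$ips" || return 1
  uri_exception_rule "$rule_id" "$path"
}

# Typical use on a server (not run here; paths are placeholders):
#   build_whitelist 9000001 20000221 203.0.113.10,198.51.100.7 /db/index.php \
#       existing-rules.conf > /etc/apache2/conf.d/modsec2/whitelist.conf \
#   && apachectl -t && /scripts/restartsrv_httpd
```

Because the generated rule runs in phase 1 and only removes one rule ID for the listed addresses, every other rule still applies to those clients; if a full bypass for an address is really wanted, swap ctl:ruleRemoveById=... for ctl:ruleEngine=Off and keep the rest of the rule the same. The apachectl -t step after writing the file remains essential: it catches a duplicate ID or a typo before the restart takes the site down.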
3. Using the Modsec Manager icon in cPanel
Similarly, we can whitelist the IP from cPanel >> Modsec Manager too.
For this,
1. We log in to cPanel.
2. Then we click on the Modsec Manager icon.
3. On the Modsec Manager page, we enter the IP that we need to whitelist in the field labelled "Your current IP is".
4. After that, we click on the Add button.
5. Modsec Manager shows an alert that the IP has been successfully added to the whitelist.
4. Using WHM
Alternatively, WHM also allows whitelisting in ModSecurity, in this case by rule ID rather than by IP.
1. First, we find out which rule is causing the block. We log in to the server via SSH.
2. Then we run the grep command shown earlier against the Apache error log to find the rule IDs that are triggering.
3. Having identified the rule, we disable it on the server as follows.
4. We log in to WHM and navigate to the "Plugins" section.
5. Then we click on the "ConfigServer ModSec Control" plugin to whitelist the rule.
6. We add the rule ID we wish to whitelist in the "ModSecurity rule ID list:" box and click the "Save global whitelist" button.
7. After saving the changes, it redirects to a page reading "ModSecurity global whitelist saved".
8. Finally, the Apache service restarts automatically to apply the change on the server. Keep in mind that a global whitelist disables that rule for every site and every client on the server, not only for the one that reported the false positive.
5. Using .htaccess
.htaccess files have also been used to whitelist IP addresses in ModSecurity.
1. We open the .htaccess file with a text editor.
2. Add the following line to the .htaccess file.
SetEnvIfNoCase REMOTE_ADDR ^xxx\.xxx\.xxx\.xxx$ MODSEC_ENABLE=Off
(Replace xxx.xxx.xxx.xxx with the IP. The argument is a regular expression, so the dots are escaped and the pattern is anchored.)
This switches ModSecurity off for requests from the customer's IP. Caveat: the MODSEC_ENABLE environment variable is honoured only by the old ModSecurity 1.x; ModSecurity 2.x ignores it, so on a current server this line does nothing. With ModSecurity 2.x, ModSecurity directives are accepted in .htaccess only if the module was built with --enable-htaccess-config, in which case SecRuleRemoveById with the offending rule ID is the supported equivalent; otherwise use the server-level methods above.
[Need more assistance with ModSecurity IP whitelisting? We'll help you.]
Conclusion
In short, ModSecurity protects against a range of attacks and helps with web traffic monitoring. Today's write-up discussed how our Support Engineers use the ModSecurity whitelist IP option to allow legitimate requests.
How can I whitelist more than one IP address using the syntax below?
SecRule REMOTE_ADDR "^xx\.xx\.xxx\.x" "phase:1,nolog,allow,ctl:ruleEngine=off,id:20000221"
Hi Andy,
You can add the multiple IP addresses that need to be whitelisted, comma separated, in the syntax.