White file location missing?

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
cerriex
New Forum User
Posts: 1
Joined: Tue Jul 23, 2013 3:03 pm
Location: United Kingdom

Post by cerriex

Hi All,

I need to add an exception associated with a rule id but cannot find the whitelist file people describe on other posts.

I have tried all the usual search methods.

Can anyone assist?

--

My Issue: WHMCS Submit Support Ticket produces 500 error.

$ tail -f /var/log/httpd/ssl_error_log
[Tue Jul 23 18:20:20 2013] [error] [client x.x.x.x] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "39"] [id "200003"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "www.domain.com"] [uri "/supporttickets.php"] [unique_id "Ue7JZE1KwwUAABVnInUAAAAF"]

Solution???:

Add an exception associated with this id.

Edit "/etc/apache2/modsecurity/conf/whitelist.conf" and add:

<LocationMatch "/supporttickets.php">
SecRuleRemoveById 200003
</LocationMatch>

Problem: I cannot locate whitelist.conf or anything like it.

My OS - CentOS 6.4

Thanks!
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: White file location missing?

Post by prupert

On CentOS 6 the Apache configuration files can be found at:
- /etc/httpd/conf/httpd.conf - main configuration file
- /etc/httpd/conf.d/ - folder with separate configuration files for extra installed software
- perhaps other locations that are included specifically for your setup (depending on the use of a control panel or other management software)

The preferred way to disable this rule is to place it inside the VirtualHost-container for the specific domain you are having trouble with. Where this configuration is located depends on your setup. If you are not using a control panel and you are not using Virtual Hosts at all, you could create your own /etc/httpd/conf.d/my_disabled_secrules file (the name is just an example) and place the SecRuleRemoveById lines there.

I doubt however that this event is actually a false positive. An explanation can be found at https://www.atomicorp.com/wiki/index.php/WAF_330792 which concerns a similar rule that is part of the Atomic Secured Linux mod_security configuration.
Lemonbit Internet Dedicated Server Management
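
The following is an added example, not part of either post: a shell sketch for finding which file defines a rule id and for checking that a new exception file would actually be loaded. It assumes the main config pulls in conf.d/*.conf, as the stock CentOS 6 httpd.conf does; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Config root; defaults to the CentOS 6 layout described in the reply above.
HTTPD_ROOT="${HTTPD_ROOT:-/etc/httpd}"

# Print every file under the config root that defines the given rule id.
rule_files() {
    grep -rlE "id:['\"]?$1([^0-9]|\$)" "$HTTPD_ROOT" 2>/dev/null
}

# Print the Include patterns from the main config file, quotes stripped.
include_patterns() {
    grep -iE '^[[:space:]]*Include(Optional)?[[:space:]]' \
        "$HTTPD_ROOT/conf/httpd.conf" | awk '{print $2}' | tr -d '"'
}

# Succeed only if the given file path matches one of the Include patterns,
# i.e. Apache would read it. A file that matches none is silently ignored.
is_loaded() {
    rel=${1#"$HTTPD_ROOT"/}
    include_patterns | (
        while read -r pat; do
            pat=${pat#"$HTTPD_ROOT"/}
            case "$rel" in $pat) exit 0 ;; esac
        done
        exit 1
    )
}

# Constructed sample tree (modelled on the log line in the question) so the
# functions can be tried without touching a real server.
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/conf" "$d/conf.d" || return 1
    echo 'Include conf.d/*.conf' > "$d/conf/httpd.conf"
    cat > "$d/conf.d/mod_security.conf" <<'EOF'
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
EOF
    echo "$d"
}

# Usage on a real host:
#   rule_files 200003
#   is_loaded /etc/httpd/conf.d/my_disabled_secrules.conf && echo "will be loaded"
```

With an Include pattern of conf.d/*.conf, a file named without the .conf suffix is not read, so the exception would have no effect. Run `apachectl configtest` before reloading Apache.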