So I just updated my rules with last month's free/delayed rule set.
My whitelist.txt file used to be empty and now suddenly has the following:
.google.com
127.0.0.1
owned-nets.blogspot.com
.progllc.com
.atomicorp.com
.gotroot.com
pastebin.com
pastie.org
goo.gl
bit.ly
doiop.com
tinyurl.com
readthisurl.com
memurl.com
dwarfurl.com
yandex.ru
test.com
h1.ripway.com
badguy.com
attacker.com
example.com
The 00_asl_whitelist.conf file clearly says:
# Disable rules for hosts on the whitelist
# Be *VERY* careful about whom is whitelisted.
So, why would the latest rules already contain these (and some very well known hacker sites) already in the whitelist.txt file??
Delayed Rules whitelist.txt file has odd domains in it...
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Delayed Rules whitelist.txt file has odd domains in it.
whitelist.txt is not used by the rules. It's used by some special functions in ASL.
Michael Shinn
Atomicorp - Security For Everyone
Re: Delayed Rules whitelist.txt file has odd domains in it.
mikeshinn wrote:
> whitelist.txt is not used by the rules. It's used by some special functions in ASL.
Thanks Mike,
Isn't it also used within cPanel? That's where I'm using it, and I seem to remember somewhere in the documentation (and this may have changed since then) something like this:
gotroot.com rule 00_asl_whitelist.conf file defaults to: /etc/asl/whitelist
and needs to be changed to whitelist.txt for cPanel.
I changed in the 00_asl_whitelist.conf file
/etc/asl/whitelist to whitelist.txt
- mikeshinn
Re: Delayed Rules whitelist.txt file has odd domains in it.
> Isn't it also used within cPanel?
If you mean cpanel with ASL, yes, it's used by ASL for something else, but it's not used by modsecurity. If you mean cpanel without ASL and just modsecurity, no, it's not used. whitelist.txt is not used by modsecurity. It's only used by ASL.
> That's where I'm using it, and I seem to remember somewhere in the documentation (and this may have changed since then) something like this:
> gotroot.com rule 00_asl_whitelist.conf file defaults to: /etc/asl/whitelist
> and needs to be changed to whitelist.txt for cPanel.
> I changed in the 00_asl_whitelist.conf file
> /etc/asl/whitelist to whitelist.txt
That may be someone else's incorrect documentation you are referring to; we don't recommend you do that (nor do you need to, so not sure why anyone would recommend it, that's a pretty unnecessary thing to do).
/etc/asl/whitelist only contains IP addresses and CIDRs that you configure for your system. It does not contain domains, nor will domains work in that file. It's also blank, because that file is yours for you to put whatever IPs/ranges you want in it.
whitelist.txt is used by a completely different element in ASL; it has nothing to do with modsecurity. So maybe that's why you are thinking the two are related. They are not; /etc/asl/whitelist and the whitelist.txt file have nothing to do with each other, so you can ignore the whitelist.txt file that comes with the rules. modsecurity does not use it.
Also, I'd recommend you change the rule back. Never change the rule files; there is no need to do so, and any update is going to really break your configuration if you change the rule files. If you have an issue with the rules you can report it as a false positive and we would be happy to fix it for free the same day it's reported. You will find the process for doing that at the URL below, and we really do appreciate any reports of False Positives - everyone benefits from better rules:
https://www.atomicorp.com/wiki/index.ph ... _Positives
And finally, a lot of incorrect information is out there on the net about how to configure modsecurity, so if you do have the rules set up as you described, that's not from our documentation, so you may have followed someone else's documentation and therefore may have other issues with your configuration. So please take a look at the URL below for our official documentation about how to configure our rules so that you have both an optimal and secure configuration.
https://www.atomicorp.com/wiki/index.ph ... rity_Rules
Michael Shinn
Atomicorp - Security For Everyone
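Added example, not part of the original thread and not Atomicorp's code: a small lint for a file like /etc/asl/whitelist that accepts only IP addresses and CIDRs, flags domain entries of the kind listed in the first post, and points out very broad ranges. The one-entry-per-line layout, the `#` comment handling, the prefix thresholds and the sample content are assumptions made for illustration.

```python
import ipaddress

# Hypothetical thresholds: prefixes shorter than these are reported as broad.
BROAD_V4 = 16
BROAD_V6 = 32

# Constructed sample content (not taken from a real system).
SAMPLE = """\
# constructed sample whitelist
192.0.2.10
198.51.100.0/24
.google.com
pastebin.com
203.0.113.5/24
10.0.0.0/8
"""

def lint_whitelist(text):
    """Return (valid_networks, findings) for whitelist file content.

    Assumes one entry per line; blank lines and '#' comments are skipped.
    findings is a list of (line_number, entry, reason) tuples.
    """
    valid, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # Parses only if the problem was host bits, e.g. 203.0.113.5/24
                fixed = ipaddress.ip_network(entry, strict=False)
                findings.append((lineno, entry, f"host bits set, did you mean {fixed}?"))
            except ValueError:
                # Domains and anything else that is not an address land here.
                findings.append((lineno, entry, "not an IP address or CIDR"))
            continue
        limit = BROAD_V4 if net.version == 4 else BROAD_V6
        if net.prefixlen < limit:
            findings.append((lineno, entry, f"very broad range ({net.num_addresses} addresses)"))
        valid.append(net)
    return valid, findings

if __name__ == "__main__":
    networks, problems = lint_whitelist(SAMPLE)
    for lineno, entry, reason in problems:
        print(f"line {lineno}: {entry!r}: {reason}")
```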
Re: Delayed Rules whitelist.txt file has odd domains in it.
Thanks Michael,
That cleared up a lot
Regards,
Peter
- mikeshinn
Re: Delayed Rules whitelist.txt file has odd domains in it.
My pleasure. Please don't hesitate to ask for help in the future.
Michael Shinn
Atomicorp - Security For Everyone