Mod Security errors

tstrand

Great that Mod Security has been added to Enhance. But it seem like it's giving some errors in the logfiles.
And I suspect it's also preventing some legitimate users from logging in to wp-admin

[remote xxx.xxx.xxx.xxx:58306] [client xxx.xxx.xxx.xxx] ModSecurity: Rule 7efc4812fc08 [id \"-\"][file \"/etc/modsecurity.d/owasp/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf\"][line \"92\"] - Execution error - PCRE limits exceeded (-8): (null). [hostname \"xxxxxxx.xxx\"] [uri \"/wp-admin/index.php\"] [unique_id \"ZRqIb1K1gfGe93mjJx7LPgAAkQM\"], referer: https://xxxxxxx.xxx/partnerarea/\n","stream":"stderr","time":"2023-10-02T09:07:59.967588549Z"}

[client xxx.xxx.xxx.xxx] ModSecurity: collections_remove_stale: Failed to access DBM file \"/tmp/modsecurity/data/webserver-global\": Permission denied [hostname \"xxxxxxxx.xxx\"] [uri \"/wp-content/themes/xxxxxx/style.css\"] [unique_id \"ZRqJ0CEckpt8LP7J9Vl2agAAygw\"], referer: https://www.xxxxxxxx.xxx/\n","stream":"stderr","time":"2023-10-02T09:13:52.887247306Z"}

Adam

You can customise the owasp rules - have a look in /etc/modsecurity.d/owasp, you can also add excludes to the main mod security file.

You can increase SecPcreMatchLimit and SecPcreMatchLimitRecursion via the mod security config in the UI or by editing /etc/modsecurity.d/modsec.customisations.conf.

Lastly you can completely disable mod_security on a particular domain from the website dashboard whilst still leaving it enabled globally.

We're going to try to reproduce the DBM permissions error. This should definitely not be happening. Feel free to raise a support ticket.

manu

Hi Adam I guess enhance should relook at the ModSecurity Implementation esp for WordPress... Maybe guide us to implement this -> https://github.com/fastly/waf_testbed/blob/master/templates/default/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf.erb

Couple of errors faced are unable to upload to Media Library which was solved and now updating posts results in 403 in Nginx.

tstrand

I noticed that the wordpress exclusion rules was already in the owasp directory /etc/modsecurity.d/owasp/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

But I think it needs to be activated in the file /etc/modsecurity.d/owasp/crs-setup.conf

Under the SecAction example under line: 363 I added

SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1"

Also while I as poking around I made some changes the file /etc/modsecurity.d/modsec.customisations.conf

SecPcreMatchLimit 550000
SecPcreMatchLimitRecursion 550000

Then apache/nginx need to be reloaded/restarted. I just rebooted the server since it was In need of it anyways.
So far the tests I did with WordPress (especially with Elementor installed) now works.

I'm not sure if these changes will be persistent when the next Enhance update comes along.

Adam

tstrand I'm not sure if these changes will be persistent when the next Enhance update comes along.

They will persist. We knew that customers would want to heavily customise mod_security so we built the feature to make this possible.