ModSecurity can help block potential attack attempts from malicious users, but sometimes it can also block legitimate requests.

Note: Do not put SecRuleEngine Off in your ModSecurity configuration file, as that turns off ModSecurity completely. Use the SecRuleRemoveById setting instead to disable only one specific rule.

If you are seeing errors in your Apache log files for a domain such as:


[Sat Jul 25 16:34:57 2015] [error] [client ??.7.??.??] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"][severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "domain.com"] [uri "/skin/frontend/base/default/js/cadence/lib/jquery.cookie.js"] [unique_id "VbQdIdg3u9IAAB9DPQkAAAAH"]

ModSecurity is doing its job. If this is a valid script, you can make a change to allow it.
Run the following from SSH:

# grep ModSecurity /usr/local/apache/logs/error_log | sed -e 's#^.*\[id "\([0-9]*\).*hostname "\([a-z0-9._-]*\)"\].*uri "#\1 \2 #' | cut -d\" -f1 | sort -n | uniq -c | sort -n

The results will look like this:

100 1234123404 www.domain.com /skin/frontend/base/default/js/cadence/lib/jquery.cookie.js

ModSecurity rule ID 1234123404 has been triggered at least 100 times when accessing the /skin/frontend/base/default/js/cadence/lib/jquery.cookie.js file.

To disable only rule 1234123404 for this domain, run the following command:


# echo "SecRuleRemoveById 1234123404" >> /usr/local/apache/conf/userdata/std/2/userna5/domain.com/modsec.conf
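
A narrower alternative to the domain-wide removal above, as an added example that is not part of the original post: it turns the same log lines into exclusions scoped to the exact URI that tripped the rule, so the rule stays active for the rest of the site. The function names, the threshold argument and the sample log lines are constructed for illustration, and it assumes ModSecurity 2.x on Apache, where SecRuleRemoveById is accepted inside a LocationMatch block.

```shell
#!/bin/sh
# Added example, not from the original post. Reads Apache error_log lines on
# stdin and prints a <LocationMatch> exclusion for every (rule id, URI) pair
# denied at least $1 times (hypothetical threshold argument, default 1).
modsec_scoped_exclusions() {
    min_hits="${1:-1}"
    grep 'ModSecurity: Access denied' |
    awk '{
        id = ""; uri = ""
        if (match($0, /\[id "[0-9]+"\]/))
            id = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[uri "[^"]*"\]/))
            uri = substr($0, RSTART + 6, RLENGTH - 8)
        # Only plain paths are turned into config; anything else is
        # skipped and left for manual review.
        if (id != "" && uri ~ "^/[A-Za-z0-9_./~-]*$") print id, uri
    }' |
    sort | uniq -c |
    awk -v min="$min_hits" '$1 >= min {
        re = $3
        gsub(/\./, "[.]", re)   # match dots in the path literally
        printf "# %d hits\n<LocationMatch \"^%s$\">\n", $1, re
        printf "    SecRuleRemoveById %s\n</LocationMatch>\n", $2
    }'
}

# Constructed sample input in the format of the log line shown above.
sample_log() {
    cat <<'EOF'
[Sat Jul 25 16:34:57 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [id "1234123404"] [hostname "domain.com"] [uri "/skin/frontend/base/default/js/cadence/lib/jquery.cookie.js"]
[Sat Jul 25 16:35:02 2015] [error] [client 192.0.2.11] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [id "1234123404"] [hostname "domain.com"] [uri "/skin/frontend/base/default/js/cadence/lib/jquery.cookie.js"]
[Sat Jul 25 16:36:10 2015] [error] [client 192.0.2.12] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS. [id "1234123405"] [hostname "domain.com"] [uri "/index.php"]
[Sat Jul 25 16:37:44 2015] [error] [client 192.0.2.13] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS. [id "1234123405"] [hostname "domain.com"] [uri "/search/a%27b"]
EOF
}

# Print exclusions only for pairs seen at least twice in the sample.
sample_log | modsec_scoped_exclusions 2
```

The generated block can be appended to the same per-domain modsec.conf in place of the bare SecRuleRemoveById line.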

You can also search for the rule in WHM/cPanel at Home » Security Center » ModSecurity™ Tools » Rules List.

Note the error in the log file – the ID:

[id "1234123404"]

This is the rule. Search for this at Home » Security Center » ModSecurity™ Tools » Rules List.


You can click disable to allow the script.


Getting an FTP connection error on a Plesk server:

15:04:41 Status: Resolving address of 66.226.xx.xx
15:04:41 Status: Connecting to 66.226.72.xx.xx
15:04:41 Status: Connection established, waiting for welcome message...
15:04:48 Status: Initializing TLS...
15:04:50 Status: Verifying certificate...
15:04:53 Status: TLS connection established.
15:04:59 Status: Connected
15:04:59 Status: Retrieving directory listing...
15:05:02 Command: PWD
15:05:02 Response: 257 "/" is the current directory
15:05:02 Command: TYPE I
15:05:02 Response: 200 Type set to I
15:05:02 Command: PASV
15:05:02 Response: 227 Entering Passive Mode (66,226,xx,xx1,46,242).
15:05:02 Command: MLSD
15:05:02 Error: The data connection could not be established: ECONNREFUSED - Connection refused by server
15:05:21 Error: Connection timed out after 20 seconds of inactivity
15:05:21 Error: Failed to retrieve directory listing
15:05:21 Status: Disconnected from server 

Edit your configuration file and comment out MasqueradeAddress:

# nano /etc/proftpd.conf
#MasqueradeAddress 66.226.xx.xx

Restart xinetd:

# service xinetd restart

Here is how to install the Mailman mailing list on CentOS 6.6.
Install Mailman via yum:


# yum install mailman

Next, edit its Apache configuration file:

# cd /etc/httpd/conf.d
# vi mailman.conf
RedirectMatch ^/mailman[/]*$ http://domain.com/mailman/listinfo

Uncomment the redirect parameter and enter the correct domain name.
Set the site master password:

# /usr/lib/mailman/bin/mmsitepass password

This password can be used to access any list or any page. Edit the Mailman configuration file:


# vi /usr/lib/mailman/Mailman/mm_cfg.py
DEFAULT_URL_HOST = 'domain.com'
DEFAULT_EMAIL_HOST = 'domain.com'

The URL host parameter usually matches the domain name from the above Apache configuration file. The email host should match the origin of the mail (i.e. the part after the @ of the email address, whether it is host.domain.com or domain.com).
Check for updates:


# cd /usr/lib/mailman
# bin/update
Upgrading from version 0x0 to 0x2010cf0
getting rid of old source files
no lists == nothing to do, exiting


If you get this error:

# bin/update
Traceback (most recent call last):
  File "bin/update", line 48, in <module>
    from Mailman import mm_cfg
  File "/usr/lib/mailman/Mailman/mm_cfg.py", line 86, in <module>
    DEFAULT_URL_HOST   = coldriverdata.com
NameError: name 'coldriverdata' is not defined

Check that the domain values are in the correct format:

# vi /usr/lib/mailman/Mailman/mm_cfg.py
DEFAULT_URL_HOST = 'domain.com'
DEFAULT_EMAIL_HOST = 'domain.com'

* Notice the quotes (') around each domain name.

Create the mailman site list and set up the aliases:


# cd /usr/lib/mailman
# bin/newlist mailman


Enter the email of the person running the list: minh@minhtech.com
Initial mailman password: password
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman: "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/usr/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner…


# vi /etc/aliases
## mailman mailing list
mailman: "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/usr/lib/mailman/mail/mailman unsubscribe mailman"


# newaliases

After creating the list, add the listed aliases to the bottom of the aliases file, and then run newaliases.
Finally, restart Apache and start mailman:


# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

# /etc/init.d/mailman start
Starting mailman: [ OK ]


# chkconfig --level 2345 mailman on

Plesk 9.x

1. Log in to the Plesk control panel.
2. Click on Modules >> Firewall >> Edit Firewall Configuration.
3. Click on ‘Add Custom Rule’.
4. Enter a name for the rule.
5. Select the option ‘Incoming’ for ‘Match direction’.
6. Select ‘Deny’ for Action.
7. If you wish to add a port, enter the port or port range in the text box beside the option ‘Add port or port range’. Click Add. Select the TCP or UDP protocol. If you do not wish to add a port, leave it as it is.
8. Add the IP address to be blocked in the text box beside the option ‘Add IP address or network’. Click Add.
9. Click OK.
10. Click Activate.

Plesk 10.x

1. Log in to the Plesk control panel.
2. Click on Tools & Settings >> Firewall >> Edit Firewall Configuration.
3. Click on ‘Add Custom Rule’.
4. Enter a name for the rule.
5. Select the option ‘Incoming’ for ‘Match direction’.
6. Select ‘Deny’ for Action.
7. If you wish to add a port, enter the port or port range in the text box beside the option ‘Add port or port range’. Click Add. Select the TCP or UDP protocol. If you do not wish to add a port, leave it as it is.
8. Add the IP address to be blocked in the text box beside the option ‘Add IP address or network’. Click Add.
9. Click OK.
10. Click Activate.

Plesk 12.x

1. Log in to the Plesk control panel.
2. Click on Tools & Settings >> Firewall.
3. Click on Modify Plesk Firewall Rules >> Add Custom Rule.
4. Enter a name for the rule.
5. Select the option ‘Incoming’ for ‘Match direction’.
6. Select ‘Deny’ for Action.
7. If you wish to add a port, enter the port or port range in the text box beside the option ‘Add port or port range’. Click Add. Select the TCP or UDP protocol. If you do not wish to add a port, leave it as it is.
8. Add the IP address to be blocked in the text box beside the option ‘Add IP address or network’. Click Add.
9. Click OK.
10. Apply Changes.