0

After Apache upgrade on my shared server, I have been having nightmare issues with the form input on all of my reseller hosting accounts. The clients get 403 (or in case of Wordpress install, 404, which has really confused me) after the simplest, most innocent looking form input. For example "he is having a lot of trouble" in a text field results in 403!

It took almost two weeks to figure out what's going on, as the error seemed random and hard to replicate, but after I asked for exact text from the clients that they were not able to enter, we got to the modsec issue. The answer from tech help was "While checking the issue in detail, we found that a mod_security rule was getting triggered on the server while trying to submit the content as "he is having a lot of trouble". We have whitelisted the rule for the website which resolved the issues.".

My question is - how can I deal with this proactively? Is there a list of rules for mod_security that I can check, test some input, ask for additional whitelisting etc? With about a 100 accounts all having problems, it's enough to want to get out of the hosting business all together.

Natalia
  • 417
  • 3
  • 7
  • 18

1 Answers1

1

I don't understand your scenario or your question. Are you managing the host or not?

It sounds like you are hosting sites on a shared server so do not have access to the full server but are setting hosts up for clients - is that right?

Running a WAF like ModSecurity requires monitoring log files to identify false positives like this. If you do not have access to the log files then you need to ask your hosting provider what there options are for managing this sort of thing? Or will they do nothing until you raise it?

You can also ask to turn off ModSecurity completely. Most sites get on fine without a WAF - though personally I think they do add value and security.

Finally as to what rules are running on your instance only your tech help can answer that. ModSecurity itself is only an engine and comes with no rules. People can write their own, but some, or use free sets of rules like the OWASP Core Rule Set. So depending what you have would depend how you can test this. Most rules are fairly generic in nature so do result in false positives unless tweaked.

Barry Pollard
  • 40,655
  • 7
  • 76
  • 92
  • It looks like the best solution is to turn mod_security off. The client site is extranet and the text fields are only accessed with a user name and password access. So far they continue to have all kinds of issues, for example not being able to enter two phone numbers in the text field in a row! – Natalia Mar 14 '16 at 14:13