A website is not accessible for users and search engine bots when OWASP ModSecurity rule-set is enabled in Plesk

Comments

3 comments

  • Carlos Ivan Castillo Moya

    Hello!

    I have run into precisely this same error, and when I apply the solution explained here it does not work for me.

    Apart from this tag, "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT", there are also some others...

    WASCTC/WASC-21
    OWASP_TOP_10/A7
    ICP/6.5.10

    Do we have to deactivate them or can we look at something else?

  • Francisco Garcia

    Hi Carlos Ivan Castillo Moya,

    Yes, you need to deactivate all those rules blocking the application; otherwise, your app won't work.

  • Nerque

    The best thing you can do to customize the active OWASP rules is:

    1. configure them as passive, only to monitor, for a few days or weeks during the customization phase
    2. check all records in /var/log/modsec_audit.log* to make sure that
    • your personal IPs are not on the list. If they are, then you must disable the related rules (this includes your own IP, the IP of another of your servers, your remote IPs, the IPs of known customers... maybe the IPs of the Docker containers?)
    • the "good" bots aren't on the list. If they are, like googlebot.com, then you must disable the related rules. But pay attention, and don't trust all agents, because potential attackers can put any text in the User-Agent field, and if you trust them, you will have a possible security risk. It's better to use reverse DNS to be sure that an IP belongs to some specific bot (dig -x <ip> +short)
    • once you have disabled all the rules that can disrupt your production applications, you must analyze the disabled rules one by one to be sure that it is really necessary to disable them. Sometimes retries may be allowed and the rule may not be applied.

    So, first check that your system accepts normal incoming traffic by disabling rules as little as possible, and then try to enable the rules again to allow timely service, or accept that sometimes something will be blocked (as I said before, it could be that on a given attempt something will be blocked, but then it will be accessible).

    That's all (and you can do it with a script).

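One way to script the audit-log review described in the comment above, as an added example that is not part of this thread: it parses ModSecurity's serial audit log format, groups hits per rule id, flags hits coming from your own IPs, and accepts a bot User-Agent only when reverse DNS confirms it. The log content, the IPs and the FAKE_PTR table are constructed; against a real log you would pass socket.gethostbyaddr (the default) as the lookup.

```python
import re
import socket
# Constructed ModSecurity serial audit log (not from a real server): two requests, both claiming
# Googlebot; only the first has a googlebot.com PTR in FAKE_PTR. Z terminators omitted for brevity.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[12/Jan/2024:10:00:00 +0000] Zaaaaaaa 203.0.113.5 54321 198.51.100.7 443
--1a2b3c4d-B--
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
--1a2b3c4d-H--
Message: Warning. [id "920300"] [msg "Request Missing an Accept Header"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"]
--5e6f7a8b-A--
[12/Jan/2024:10:00:05 +0000] Zbbbbbbb 192.0.2.10 40000 198.51.100.7 443
--5e6f7a8b-B--
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
--5e6f7a8b-H--
Message: Warning. [id "920300"] [msg "Request Missing an Accept Header"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"]
"""
MARKER_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
# Constructed PTR table standing in for socket.gethostbyaddr (which raises OSError when absent).
FAKE_PTR = {"203.0.113.5": ("crawl-203-0-113-5.googlebot.com", [], ["203.0.113.5"])}

def parse_entries(text):
    """Group sections by entry id; return client IP (A), User-Agent (B) and rule ids (H)."""
    parts = MARKER_RE.split(text)  # ['', id, letter, body, id, letter, body, ...]
    sections = {}
    for i in range(1, len(parts), 3):
        sections.setdefault(parts[i], {})[parts[i + 1]] = parts[i + 2].strip()
    return [{"ip": s["A"].split()[3],
             "ua": (re.search(r"^User-Agent: (.*)$", s.get("B", ""), re.M) or [None, ""])[1],
             "rules": re.findall(r'\[id "(\d+)"\]', s.get("H", ""))} for s in sections.values()]

def bot_verified(ip, suffixes, lookup=socket.gethostbyaddr):
    """Trust a bot User-Agent only if reverse DNS (dig -x <ip>) ends in an expected domain."""
    try:
        host = lookup(ip)[0].rstrip(".").lower()
    except (OSError, KeyError):
        return False
    return host.endswith(tuple("." + s.lower() for s in suffixes))

def rules_to_review(text, trusted_ips, bot_suffixes, lookup=socket.gethostbyaddr):
    """Map rule id -> reasons it hit wanted traffic (own IPs, verified bots); spoofed bots stay blocked."""
    hits = {}
    for e in parse_entries(text):
        trusted = e["ip"] in trusted_ips
        if trusted or ("bot" in e["ua"].lower() and bot_verified(e["ip"], bot_suffixes, lookup)):
            reason = ("trusted ip " if trusted else "verified bot ") + e["ip"]
            for rid in e["rules"]:
                hits.setdefault(rid, set()).add(reason)
    return hits
```

Rule ids that come back with only "verified bot" or "trusted ip" reasons are the candidates to exclude for your site; the second request above, which claims to be Googlebot but has no matching PTR, is deliberately left out of the result.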
