Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to whitelist a single/multiple IP addresses for ModSecurity in Plesk?
Answer
Apply one of the solutions below:
1. Connect to the server via SSH.
2. Create or open for editing the ModSecurity file that is used for IP whitelisting:
   For Debian-based systems (Ubuntu/Debian):
   # vi /etc/apache2/modsecurity.d/000ipwhitelist.conf
   For RHEL-based systems (CentOS/CloudLinux):
   # vi /etc/httpd/conf/modsecurity.d/rules/000ipwhitelist.conf
3. Add the following rule there on one line:
   SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24,192.0.2.2" "id:3,phase:1,t:none,log,pass,ctl:ruleRemoveById=55666"
   Where:
   55666 - the ID of the existing ModSecurity rule; replace it with the required rule ID.
   203.0.113.0/24 - the IP addresses to whitelist. Multiple comma-separated addresses can also be specified.
4. Check the Apache syntax:
   For Debian-based systems (Ubuntu/Debian):
   # apache2ctl -t
   For RHEL-based systems (CentOS/CloudLinux):
   # httpd -t
5. If the syntax check in step 4 is not OK, fix the error. If it is OK, apply the new configuration:
   For Debian-based systems (Ubuntu/Debian):
   # service apache2 reload
   For RHEL-based systems (CentOS/CloudLinux):
   # service httpd reload
Note: Whitelist rules should be placed before other rules.
For details see: ModSecurity Core Ruleset documentation - Writing Whitelist Modifications
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#ipMatch
- Via Plesk GUI
  1. Log in to Plesk.
  2. Go to Tools & Settings > Settings.
  3. Add the rule below into the Custom directives field:
     SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24,192.0.2.2" "id:3,phase:1,t:none,log,pass,ctl:ruleRemoveById=55666"
     Where:
     55666 - the ID of the existing ModSecurity rule; replace it with the required rule ID.
     203.0.113.0/24 - the IP addresses to whitelist. Multiple comma-separated addresses can also be specified.
  4. Press the OK button to apply the changes.
- Using command-line method
  1. Connect to the server via SSH.
  2. Create or open for editing the ModSecurity file that is used for IP whitelisting:
     For Debian-based systems (Ubuntu/Debian):
     # vi /etc/apache2/plesk.conf.d/modsecurity.conf
     For RHEL-based systems (CentOS/CloudLinux):
     # vi /etc/httpd/conf/plesk.conf.d/modsecurity.conf
  3. Add the following rule there on one line:
     SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24,192.0.2.2" "id:3,phase:1,t:none,log,pass,ctl:ruleRemoveById=55666"
     Where:
     55666 - the ID of the existing ModSecurity rule; replace it with the required rule ID.
     203.0.113.0/24 - the IP addresses to whitelist. Multiple comma-separated addresses can also be specified.
  4. Check the Apache syntax:
     For Debian-based systems (Ubuntu/Debian):
     # apache2ctl -t
     For RHEL-based systems (CentOS/CloudLinux):
     # httpd -t
  5. If the syntax check in step 4 is not OK, fix the error. If it is OK, apply the new configuration:
     For Debian-based systems (Ubuntu/Debian):
     # service apache2 reload
     For RHEL-based systems (CentOS/CloudLinux):
     # service httpd reload
Note: Whitelist rules should be placed before other rules.
For details see: ModSecurity Core Ruleset documentation - Writing Whitelist Modifications
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#ipMatch
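An added example, not part of the Plesk article: a POSIX shell helper that builds the one-line rule above from checked input, so a mistyped address or ID is caught before the Apache syntax check, and that tests whether the rule's own id is already taken in a configuration file. It handles IPv4 only (@ipMatch also accepts IPv6); the function names are illustrative, and refusing a /0 prefix is a choice made in this example.

```shell
#!/bin/sh
# Added example (not Plesk's code): build the whitelist SecRule from checked input.

# Succeeds only for a dotted-quad IPv4 address with an optional /1../32 prefix.
# /0 is refused because it would remove the rule for every client.
valid_ipv4_or_cidr() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ "${#prefix}" -le 2 ] && [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# make_whitelist_rule OWN_ID REMOVED_ID ADDR...  -> prints the one-line rule.
# OWN_ID is the id of the new rule itself; REMOVED_ID is the rule to switch off.
make_whitelist_rule() {
    [ $# -ge 3 ] || { echo "usage: make_whitelist_rule OWN_ID REMOVED_ID ADDR..." >&2; return 1; }
    own_id=$1; removed_id=$2; shift 2
    case "$own_id,$removed_id" in
        ,*|*,|*[!0-9,]*) echo "rule IDs must be numeric" >&2; return 1 ;;
    esac
    list=
    for a in "$@"; do
        valid_ipv4_or_cidr "$a" || { echo "rejected address: $a" >&2; return 1; }
        list=${list:+$list,}$a
    done
    printf 'SecRule REMOTE_ADDR "@ipMatch %s" "id:%s,phase:1,t:none,log,pass,ctl:ruleRemoveById=%s"\n' \
        "$list" "$own_id" "$removed_id"
}

# id_in_use ID FILE... -> succeeds if an unquoted "id:ID" action already appears in FILE.
# ModSecurity refuses to load two rules with the same id, so check before adding one.
id_in_use() {
    case $1 in ''|*[!0-9]*) return 2 ;; esac
    wanted=$1; shift
    grep -Eq "(^|[^[:alnum:]_])id:$wanted([^0-9]|\$)" "$@"
}
```

Running `make_whitelist_rule 3 55666 203.0.113.0/24 192.0.2.2` prints the rule exactly as shown in the article; pass the configuration file you edited to `id_in_use` before choosing the new rule's id.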
Comments
Would the below rule to whitelist IP and turn off all rules (meaning modsec is turned off for that particular IP) work as well?
@Alban Staehli
Starting from ModSecurity 2.7, IDs became mandatory.
Apart from it, that is also a valid method:
Hi,
Just to expand the query a bit more. Two questions are:
1. a portion of the site is not working correctly, modsecurity (tradeoff setting) logs are empty, site access logs show only a generic 404 status code on the query: Where do I find which modsecurity ruleID is blocking the traffic?
2. Can I whitelist an IP for all modsec ruleIDs explicitly?
Thank you in advance for your help on this
@Marius Melinskas
1) Check the error log of the domain (/var/www/vhosts/system/example.com/logs/error_log), it should give you some additional information about 404.
2) Please check https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-Frequently-Asked-Questions-%28FAQ%29#ModSecurity_Rules_Language , it describes the method to whitelist IP address.
Modify log to nolog if you don't want to fill the log with "Access allowed (phase 1)." entries.
Before:
After:
Hello @Emil,
Thank you for the notice, it may be useful for other Pleskians.
hi
is there another way to do this other than SSH?
thanks
The below link in the above article, no longer exists:
ModSecurity Core Ruleset documentation - Writing Whitelist Modifications
Hello @Ehud Ziegelman,
Your link has the following address: https://coreruleset.org/docs/exceptions.html#writing-whitelist-modifications, however, in the article it is used https://github.com/SpiderLabs/OWASP-CRS-Documentation/blob/master/exceptions.rst#writing-whitelist-modifications
Hello @Hussein AbuTaleb,
At the moment, a solution is only possible via SSH.
Does this work for the nginx ruleset too?
Hi Kolja Spyra,
I think, the best way would be just to check it out, adjusting the directory to that one in use on your server.
Note: I'm a Plesk user, and not a part of Plesk support.
Hello @Kolja Spyra,
Yes, the solution is applicable for Apache and Nginx ModSecurity rulesets