How to whitelist an IP address for ModSecurity?

  • Alban Staehli

    Would the below rule to whitelist IP and turn off all rules (meaning modsec is turned off for that particular IP) work as well?

    SecRule REMOTE_ADDR "^203\.0\.113\.2$" \
        "phase:1,nolog,allow,ctl:ruleEngine=Off"
  • Denis Bykov

    @Alban Staehli
    Starting from ModSecurity 2.7, IDs became mandatory.
    Apart from that, it is also a valid method:

    SecRule REMOTE_ADDR "^203\.0\.113\.2$" \
        "id:88888,phase:1,nolog,allow,ctl:ruleEngine=Off"
  • Marius Melinskas

    Hi,

    Just to expand the query a bit more. Two questions are:

    1. A portion of the site is not working correctly, ModSecurity (tradeoff setting) logs are empty, site access logs show only a generic 404 status code on the query: Where do I find which ModSecurity ruleID is blocking the traffic?

    2. Can I whitelist an IP for all modsec ruleIDs explicitly?

    Thank you in advance for your help on this

  • Alisa Kasyanova

    @Marius Melinskas

    1) Check the error log of the domain (/var/www/vhosts/system/example.com/logs/error_log), it should give you some additional information about the 404.
    2) Please check https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-Frequently-Asked-Questions-%28FAQ%29#ModSecurity_Rules_Language , it describes the method to whitelist IP address.
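
The whitelist rule from the comments above, written with the @ipMatch operator and shown next to two narrower alternatives. This is an added example, not part of the original thread; the rule ids 88801-88803, the extra address range and the exempted rule id 999999 are constructed placeholders.

```apache
# Added example. Use only ONE variant for a given address.
#
# Rules in the same phase run in configuration order, so load the chosen
# variant before the rule set it is meant to bypass.
#
# REMOTE_ADDR is the address of the connecting peer. Behind a reverse
# proxy or load balancer that is the proxy, not the visitor, unless the
# web server restores the client address (for example with mod_remoteip).

# Variant A: same effect as the rule in the thread (engine off for this
# client). @ipMatch compares addresses rather than a regular expression,
# so there are no dots to escape, and it accepts several entries and
# CIDR ranges.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.2,198.51.100.0/24" \
    "id:88801,phase:1,nolog,allow,ctl:ruleEngine=Off"

# Variant B: never block this client, but keep evaluating the rules so
# that matches still reach the log and show which rule ids would fire.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.2" \
    "id:88802,phase:1,nolog,pass,ctl:ruleEngine=DetectionOnly"

# Variant C: exempt this client from one rule only, once the log has
# shown which rule id is responsible (999999 is a placeholder).
SecRule REMOTE_ADDR "@ipMatch 203.0.113.2" \
    "id:88803,phase:1,nolog,pass,ctl:ruleRemoveById=999999"
```

Variant A removes all inspection for the listed addresses, so keep the list to fixed addresses you control; B and C leave the rest of the rule set in force.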
