How to whitelist an IP address for ModSecurity?

Follow

Comments

6 comments

  • Avatar
    Alban Staehli

    Would the below rule to whitelist IP and turn off all rules (meaning modsec is turned off for that particular IP) work as well?

    SecRule REMOTE_ADDR "^203\.0\.113\2$"
    phase:1,nolog,allow,ctl:ruleEngine=Off
    0
    Comment actions Permalink
  • Avatar
    Denis Bykov

    @Alban Staehli
    Starting from ModSecurity 2.7, IDs became mandatory.
    Apart from it, that is also a valid method:

    SecRule REMOTE_ADDR "^203\.0\.113\2$"
    id:88888,phase:1,nolog,allow,ctl:ruleEngine=Off
    0
    Comment actions Permalink
  • Avatar
    Marius Melinskas

    Hi,

    Just to expand the query a bit more. two questions are:

    1. a portion of the site is not working correctly, modsecurity (tradeoff setting) logs are empty, site access logs show only a generic 404 status code on the query: Where do I find which modsecurity ruleID is blocking the traffic?

    2. Can I whitelist an IP for all modsec ruleIDs explicitly?

    Thank you in advance for your help on this

    0
    Comment actions Permalink
  • Avatar
    Alisa Kasyanova

    @Marius Melinskas

    1) Check the error log of the domain (/var/www/vhosts/system/example.com/logs/error_log), it should give you some additional information about 404.
    2) Please check https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-Frequently-Asked-Questions-%28FAQ%29#ModSecurity_Rules_Language , it describes the method to whitelist IP address.

    0
    Comment actions Permalink
  • Avatar
    Emil Stahl Pedersen

    Modify log to nolog if you don't want to fill the log with "Access allowed (phase 1)." entries.

    Before:

    phase:1,log,allow,ctl:ruleEngine=Off,id:55666

    After:

    phase:1,nolog,allow,ctl:ruleEngine=Off,id:55666
    1
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello @Emil,

    Thank you for the notice, it may be useful for other Pleskians.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request