How to whitelist IP addresses for ModSecurity in Plesk?

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Question

How to whitelist one or more IP addresses for ModSecurity in Plesk?

Answer

Apply one of the solutions below:

For OWASP ruleset on Linux
  1. Connect to the server via SSH.

  2. Create the ModSecurity file used for IP whitelisting, or open it for editing:

    For Debian-based systems (Ubuntu/Debian):

    # vi /etc/apache2/modsecurity.d/000ipwhitelist.conf

    For RHEL-based systems (CentOS/CloudLinux):

    # vi /etc/httpd/conf/modsecurity.d/rules/000ipwhitelist.conf

  3. Add the following rule to the file as a single line:

    SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24,192.0.2.2" "id:3,phase:1,t:none,log,pass,ctl:ruleRemoveById=55666"

    Where:
    55666 - the ID of an existing ModSecurity rule; replace it with the required rule ID.
    203.0.113.0/24 - the IP addresses to whitelist. Multiple comma-separated addresses can also be specified.

  4. Check the Apache syntax:

    For Debian-based systems (Ubuntu/Debian):

    # apache2ctl -t

    For RHEL-based systems (CentOS/CloudLinux):

    # httpd -t

  5. If the syntax check in step 4 fails, fix the configuration. If it passes, apply the new configuration:

    For Debian-based systems (Ubuntu/Debian):

    # service apache2 reload

    For RHEL-based systems (CentOS/CloudLinux):

    # service httpd reload

Note: Whitelist rules should be placed before other rules.
For details see:
ModSecurity Core Ruleset documentation - Writing Whitelist Modifications 
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#ipMatch
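
Steps 2 to 5 above as one script, given here as an added example rather than Plesk's own tooling: it builds the rule from validated input, writes it to the whitelist file, and restores the previous file if the syntax check fails. The function names and the /8 minimum prefix are assumptions, and it goes beyond the article by accepting several rule IDs to remove.

```shell
# Added example, not Plesk tooling; the function names are hypothetical.
# Accept a dotted-quad IPv4 address with an optional /8../32 prefix.
# The /8 lower bound is an assumed local policy, not a ModSecurity limit.
valid_ipv4_cidr() (
  ip=${1%%/*} prefix=32
  case $1 in */*) prefix=${1#*/} ;; esac
  case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1
  case $ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  IFS=.; set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ????*|0?*) return 1 ;; esac   # too long or leading zero
    [ "$octet" -le 255 ] || return 1
  done
)

# Usage: build_rule NEW_RULE_ID "ip1,ip2,..." RULE_ID_TO_REMOVE...
build_rule() (
  set -f; new_id=$1 ips=$2 list= ctl=
  shift 2 || return 1
  case $new_id in ''|*[!0-9]*) return 1 ;; esac
  [ $# -gt 0 ] || return 1
  for ip in $(printf '%s' "$ips" | tr ',' ' '); do
    valid_ipv4_cidr "$ip" || return 1
    list="${list:+$list,}$ip"
  done
  [ -n "$list" ] || return 1
  for id in "$@"; do
    case $id in ''|*[!0-9]*) return 1 ;; esac
    ctl="$ctl,ctl:ruleRemoveById=$id"
  done
  printf 'SecRule REMOTE_ADDR "@ipMatch %s" "id:%s,phase:1,t:none,log,pass%s"\n' \
    "$list" "$new_id" "$ctl"
)

# Usage: install_rule FILE RULE [SYNTAX_CHECK...]; the check defaults to
# "apache2ctl -t" (pass "httpd -t" on RHEL). FILE is assumed to hold only this rule.
install_rule() (
  file=$1 rule=$2 backup=
  shift 2 || return 1
  [ $# -gt 0 ] || set -- apache2ctl -t
  if [ -e "$file" ]; then backup=$(mktemp) && cp -p "$file" "$backup" || return 1; fi
  printf '%s\n' "$rule" > "$file" || return 1
  if "$@" >/dev/null 2>&1; then [ -z "$backup" ] || rm -f "$backup"; return 0; fi
  # Check failed: restore the previous state so a later reload stays safe.
  if [ -n "$backup" ]; then mv "$backup" "$file"; else rm -f "$file"; fi
  return 1
)
```

Run as root, for example `install_rule /etc/apache2/modsecurity.d/000ipwhitelist.conf "$(build_rule 3 203.0.113.0/24,192.0.2.2 55666)"`, and reload Apache as in step 5 only when it returns success.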

For OWASP ruleset on Windows
    1. Log in to Plesk.
    2. Go to Tools & Settings > Web Application Firewall (ModSecurity) > Settings.
    3. Add the rule below to the Custom directives field:

      SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24,192.0.2.2" "id:3,phase:1,t:none,log,pass,ctl:ruleRemoveById=55666"

      Where:
      55666 - the ID of an existing ModSecurity rule; replace it with the required rule ID.
      203.0.113.0/24 - the IP addresses to whitelist. Multiple comma-separated addresses can also be specified.

    4. Press the OK button to apply the changes.
For Comodo ruleset
  • Via Plesk GUI
  1. Log in to Plesk.
  2. Go to Tools & Settings > Web Application Firewall (ModSecurity) > Settings.
  3. Add the rule below to the Custom directives field:

    SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24,192.0.2.2" "id:3,phase:1,t:none,log,pass,ctl:ruleRemoveById=55666"

    Where:
    55666 - the ID of an existing ModSecurity rule; replace it with the required rule ID.
    203.0.113.0/24 - the IP addresses to whitelist. Multiple comma-separated addresses can also be specified.

  4. Press the OK button to apply the changes.

 

  • Using command-line method
  1. Connect to the server via SSH.

  2. Create the ModSecurity file used for IP whitelisting, or open it for editing:

    For Debian-based systems (Ubuntu/Debian):

    # vi /etc/apache2/plesk.conf.d/modsecurity.conf

    For RHEL-based systems (CentOS/CloudLinux):

    # vi /etc/httpd/conf/plesk.conf.d/modsecurity.conf

  3. Add the following rule to the file as a single line:

    SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24,192.0.2.2" "id:3,phase:1,t:none,log,pass,ctl:ruleRemoveById=55666"

    Where:
    55666 - the ID of an existing ModSecurity rule; replace it with the required rule ID.
    203.0.113.0/24 - the IP addresses to whitelist. Multiple comma-separated addresses can also be specified.

  4. Check the Apache syntax:

    For Debian-based systems (Ubuntu/Debian):

    # apache2ctl -t

    For RHEL-based systems (CentOS/CloudLinux):

    # httpd -t

  5. If the syntax check in step 4 fails, fix the configuration. If it passes, apply the new configuration:

    For Debian-based systems (Ubuntu/Debian):

    # service apache2 reload

    For RHEL-based systems (CentOS/CloudLinux):

    # service httpd reload

    Note: Whitelist rules should be placed before other rules.
    For details see:
    ModSecurity Core Ruleset documentation - Writing Whitelist Modifications 
    https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#ipMatch

Comments

  • You missed NGINX here. We use NGINX Hosting.

  • If you want to whitelist IP addresses and totally disable ModSecurity, the approach above doesn't work!

    Entering the exception under WAF --> Settings --> Custom directives does not work, as the settings are written to /etc/apache2/plesk.conf.d/modsecurity.conf. However, this file is only loaded by Apache after the files from /etc/apache2/modsecurity.d are processed. As a result, the rule never takes effect!
    Instead, we can create a file /etc/apache2/modsecurity.d/custom_rules.conf.

    #Do not filter
    #With log for debugging
    SecRule REMOTE_ADDR "@IPMatch 1.2.3.4" "id:1,phase:1,t:none,pass,log,ctl:ruleEngine=Off"
    #Without log for production
    SecRule REMOTE_ADDR "@IPMatch 1.2.3.4" "id:1,phase:1,t:none,pass,nolog,ctl:ruleEngine=Off"

    A reload must then be performed for Apache:

    systemctl reload apache2.service

