Mod Security – Common known problems

    #33624
    AITpro Admin
    Keymaster

    Edit|Update: We have ModSecurity Proofed most of the critical Forms in BPS Pro 14.1 and BPS free 3.6. BPS forms now use encryption and decryption to evade/bypass ModSecurity CRS rules. Expected new BPS Pro and BPS free version release date: 8-25-2019 – 8-27-2019. We will continue to ModSecurity Proof the rest of the non-critical Forms in BPS and other things that the ModSecurity OWASP CRS ruleset breaks in BPS and release a new version.

    Mod Security is something that is installed on your web host server and can be accessed in your web host control panel if your web host offers that capability.  Mod Security uses SecRules and SecFilters, which are very similar to BPS htaccess security rules.  On some web hosts you can disable and enable individual Mod Security SecRules and SecFilters.  On some web hosts you do not have access to Mod Security at all and will need to contact your web host support folks to fix Mod Security problems. On some web hosts you only have the option to enable or disable Mod Security entirely.  To prevent Mod Security from causing any one of the common known problems below you would either remove/disable the individual Mod Security SecRule or SecFilter in your web host control panel that is causing the problem or if your web host does not offer that capability then you would need to Disable Mod Security in your web host control panel. Or if your web host does not offer Mod Security tools in your web host control panel then you will need to contact your web host support folks and have them fix the problems caused by Mod Security.

    If you are not sure how to disable individual Mod Security SecRules and SecFilters or disable Mod Security entirely in your web host control panel then contact your web host support and ask them to look at your server logs for Mod Security errors.  The Mod Security errors will tell you which Mod Security SecRules and SecFilters are causing problems for WordPress, Plugins, Themes and the BPS and BPS Pro plugins and need to be disabled.

    Explanation for the recent Mod Security issues/problems starting around January 2017:
    cPanel added Mod Security as a new feature back around January 2017. So what we suspect is happening is that as web hosts worldwide upgrade cPanel to the new cPanel version that includes the Mod Security feature then the Mod Security SecRules and/or SecFilters that have been created by default by cPanel for Mod Security are causing various problems for BPS, WordPress, other plugins, themes, etc. What is important to note is that the default SecRules and SecFilters that come with Mod Security do not cause the wide variety of problems for WordPress, Plugins, Themes and the BPS and BPS Pro plugins that we have been seeing for 1+ years now.

    List of common known Mod Security problems:
    Notes:  This is not a complete list of common known Mod Security problems.  We estimate that there are 100’s if not 1,000’s of problems for WordPress, Plugins and Themes caused by the new cPanel Mod Security SecRules and SecFilters that ship with newer versions of cPanel.

    Important Reminder: If you see the BPS Mod Security Module is Loaded|Enabled Dismiss Notice it does not necessarily mean these problems will occur on your website/server.  The Mod Security problems are caused by certain Mod Security SecRules and/or SecFilters and not Mod Security itself.

    Unable to install plugins or themes using the WordPress Upload Zip installer – 403, 404, 406, 500, ERR_EMPTY_RESPONSE error messages, blank/white page, redirected to your home page (error or no error message) or no errors and nothing works/happens.
    Setup Wizard and/or Pre-Installation Wizard fails/does not complete successfully – 403, 404, 406, 500, ERR_EMPTY_RESPONSE error messages, blank/white page, redirected to your home page (error or no error message) or no errors and nothing works/happens.
    Unable to login or logout of your website – 403, 404, 406, 500, ERR_EMPTY_RESPONSE error messages, blank/white page, redirected to your home page (error or no error message) or no errors and nothing works/happens.
    Unable to access the MScan page or run a scan – 403, 404, 406, 500, ERR_EMPTY_RESPONSE error messages, blank/white page, redirected to your home page (error or no error message) or no errors and nothing works/happens.
    Unable to save Root or wp-admin htaccess custom code using the BPS Custom Code forms – 403, 404, 406, 500, ERR_EMPTY_RESPONSE error messages, blank/white page, redirected to your home page (error or no error message) or no errors and nothing works/happens.
    Unable to save htaccess code using the BPS htaccess File Editor – 403, 404, 406, 500, ERR_EMPTY_RESPONSE error messages, blank/white page, redirected to your home page (error or no error message) or no errors and nothing works/happens.
    Unable to save htaccess code using the My Notes Editor – 403, 404, 406, 500, ERR_EMPTY_RESPONSE error messages, blank/white page, redirected to your home page (error or no error message), unable to view the My Notes page or no errors and nothing works/happens.
    Unable to View, Restore or Delete files in BPS Pro Quarantine – 403, 404, 406, 500, ERR_EMPTY_RESPONSE error messages, blank/white page, redirected to your home page (error or no error message) or no errors and nothing works/happens.
    Various problems with Security Logging – 403, 404, 406, 500, ERR_EMPTY_RESPONSE error messages, blank/white page, redirected to your home page (error or no error message), unable to view the Security Log page or no errors and nothing works/happens.
    Various problems with PHP Error Logging – 403, 404, 406, 500, ERR_EMPTY_RESPONSE error messages, blank/white page, redirected to your home page (error or no error message), unable to view the PHP Error Log page or no errors and nothing works/happens.

    Do not bother with trying to disable Mod Security using this htaccess code below. It will not work.

    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

    or
    Note: In Mod Security 2 you cannot use SecFilterEngine Off. You have to use SecRuleEngine Off and it cannot be added in an htaccess file and MUST be added in the Mod Security .conf file on the server.

    <IfModule mod_security2.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

    Related Forum Topics:
    https://forum.ait-pro.com/forums/topic/error-404-page-not-found-on-activation/
    https://forum.ait-pro.com/forums/topic/wp-login-page-redirects-to-403-bps-error-page/
    https://forum.ait-pro.com/forums/topic/403-error-after-upgrading-to-version-49-3/
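
The post above says the server's Mod Security errors show which SecRules are blocking requests. The following is an added example, not part of the original post or of BPS: a small parser for ModSecurity 2 entries in an Apache error log that lists, per blocked URI, the rule ids logged for that request. The sample log lines, rule hits, hostnames and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the [name "value"] fields ModSecurity 2 appends to each error-log entry.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample lines (paths, unique_ids and rule hits are illustrative).
SAMPLE_LOG = """\
[Wed Aug 21 10:12:01 2019] [:error] [pid 101] [client 203.0.113.5:51234] ModSecurity: Warning. detected XSS using libinjection. [file "/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "example.com"] [uri "/wp-admin/admin.php"] [unique_id "REQ-A"]
[Wed Aug 21 10:12:01 2019] [:error] [pid 101] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.com"] [uri "/wp-admin/admin.php"] [unique_id "REQ-A"]
[Wed Aug 21 10:12:05 2019] [:error] [pid 101] [client 203.0.113.5:51236] ModSecurity: Warning. Match of "within" against "TX:content_type" required. [file "/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920420"] [msg "Request content type is not allowed by policy"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "REQ-B"]
[Wed Aug 21 10:12:09 2019] [core:error] [pid 101] [client 203.0.113.5:51240] AH00124: Request exceeded the limit of 10 internal redirects
[Wed Aug 21 10:12:12 2019] [:error] [pid 102] [client 203.0.113.5:51242] ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".htaccess" at ARGS:content. [file "/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [id "930130"] [msg "Restricted File Access Attempt"] [hostname "example.com"] [uri "/wp-admin/update.php"] [unique_id "REQ-C"]
"""

def parse_line(line):
    """Return a dict of ModSecurity fields, or None for other log lines."""
    marker = "ModSecurity: "
    pos = line.find(marker)
    if pos == -1:
        return None
    rest = line[pos + len(marker):]
    rec = dict(FIELD.findall(rest))
    # "Access denied" entries are the ones that stopped the request;
    # "Warning." entries only record a rule match (anomaly-scoring rulesets).
    rec["blocked"] = rest.startswith("Access denied")
    return rec

def rules_behind_blocks(log_text):
    """Map each blocked URI to the sorted rule ids logged for those requests."""
    by_request = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "id" in rec and "unique_id" in rec:
            by_request[rec["unique_id"]].append(rec)  # group entries per request
    result = defaultdict(set)
    for recs in by_request.values():
        if any(r["blocked"] for r in recs):  # skip requests that were only warned
            for r in recs:
                result[r.get("uri", "?")].add(r["id"])
    return {uri: sorted(ids) for uri, ids in result.items()}

if __name__ == "__main__":
    for uri, ids in rules_behind_blocks(SAMPLE_LOG).items():
        print(uri, ids)
```

Grouping by unique_id matters because with an anomaly-scoring ruleset the entry that denies the request carries only the blocking rule's id, while the rules that actually matched are in the earlier Warning entries for the same request.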

    #35324
    mike
    Participant

    I have been having this problem on all my sites! How do I fix it?

    #35325
    AITpro Admin
    Keymaster

    Please read the help info in the beginning of this forum topic for how to fix the Mod Security problems.  Also we have added a new check for Mod Security on the BPS System Info page if you would like to verify/confirm that Mod Security is Loaded|Enabled.

    Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
    403: mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: Yes
    403: mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
    403: mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
    200: mod_rewrite Module is Loaded
    403: mod_security2 Module is Loaded|Enabled

    #41824
    keewee
    Participant

    Is it safe to completely disable modsecurity?

    #41825
    AITpro Admin
    Keymaster

    @ keewee – Well yeah it is not ModSecurity itself that is a problem. The ModSecurity default security settings do not cause these types of major problems that are listed above. What causes the major problems are the CRS rulesets created by volunteers that web host techs then use.

    You can try and have the CRS rulesets changed by your web host techs, but to be honest that will most likely not be successful.  😉  So your best option is probably just to disable ModSecurity entirely.  And yes it is fine to disable ModSecurity since BPS Pro provides the equivalent of ModSecurity security plus many additional security features that ModSecurity does not provide.
