cPanel & WHM Version 80 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!
 

Modsecurity tools: Ability to ignore specific rule ID's per user account

John Hawkins shared this idea 2 years ago
Open Discussion

Currently cPanel's Modsecurity tools only allow for disabling:

  1. Rule ID's server-wide
  2. Modsecurity entirely for a given user account's domain(s)


It would be helpful to be able to ignore specific rule ID's on a per-account basis, so that if a particular rule is causing issues with a single account's CMS, for example, you don't have to chose between:


  1. Removing the security of a particular rule for all server users because it causes issues for a single account
  2. Removing the protections of Modsecurity entirely for a given account just because a single rule has proved problematic


Any exposed UI for ignoring Modsecurity rule ID's per-account/domain would ideally be accessible both within WHM and cPanel.


Thanks for making a great product and for your consideration of this feature!

Comments (6)

photo
2

Thanks so much for this submission! Adding the UI is definitely something we can consider, but I wanted to mention that this can be done on the command line by root on a per-domain basis right now with the use of VirtualHost include files.

photo
1

Great share re: include files - in the meantime, thanks for considering the UI!

photo
photo
2

Until such time as this might be included, you can use CMC to do exactly this:


http://configserver.com/cp/cmc.html


Its a WHM-only UI without a cPanel component, but allows you to ignore modsec rules on a per account or per domain basis.

Personally i'd prefer to see cPanel's time spent on other things given that CMC exists and is part of the standard toolset for many hosts.

photo
2

Thanks for this! Actually we have used CMC for years - and it is fantastic. The problem for us is having multiple automated tools which tinker with the Modsecurity config... and since cPanel has decided to wade into the waters with their own system, we would really prefer to stick with the core solution if possible.

That said, regarding your last statement - we totally agree with your sentiment. We really do wish that when cPanel decides to implement functionality already provided by a prominent third party solution, the feature set would be a little more complete so there is some meaningful migration path. Otherwise it just creates configuration headaches because you have to either balance multiple tools which run the risk of conflicting with one another - or lose significant functionality when using the core-supported cPanel tool.

photo
photo
1

Hi there,


this feature will be certainly helpful for the host provider.


Otherwise I have to disable Mod_Sec in toto for cPanel account

or make an exception for each virtual host :-(


Think a cPanel account who manages over 50 domain and its subdomains: nightmare!


Kind Regards,


V Ricci

photo
2

Indeed great. Today, when customers have a problem with mod security, the only option for them is turning it globally off for that domain.

Turning only that specific rule off is a better security approach. But in order for this to work, cPanel has to add first the option for customers to see the logs or rules they are hitting.