Pablumfication

After my initial post about wordpress and mod_security, I decided to have a bit more of a look around to find what rules other people had needed to disable to get it working.

I found a really good post over at Gray.me.uk – Mod security and wordpress the final config which had a few additional rules mentioned, but did not solve the problems I was having initially. So I thought I would draw on what they had posted and what I have learnt to produce a fully working list of rules that need to be disabled in order for WordPress 2.9.1 and mod_security Core Rules 2.0.3 to work together.

Below follows an example vhost file the important elements of it being the LocationMatch tags containing the SecRuleRemovedById.

<VirtualHost *:80>
    ServerName pablumfication.co.uk
    ServerAlias www.pablumfication.co.uk

    DocumentRoot /var/www/pablumfication.co.uk
    <Directory />
        Options +FollowSymLinks
        AllowOverride FileInfo
    </Directory>

    <LocationMatch "/>
        SecRuleRemoveById 910006 # Google robot activity - Useful in someways but noisy for sites where you want them crawled
        SecRuleRemoveById 960015 # Request Missing an Accept Header -  Allow for Google Reader
    </LocationMatch>

    <LocationMatch "/wp-includes/">
        SecRuleRemoveById 960010 # Request content type is not allowed by policy - Allows for amongst other things spell check to work on admin area
        SecRuleRemoveById 960012 # Require Content-Length to be provided with every POST request - Same as above
    </LocationMatch>

    <LocationMatch "(/wp-admin/|/wp-login.php)">    
        SecRuleRemoveById 950005 # Remote File Access Attempt - This rule probably doesn't need to be disabled by everyone but it stops me putting /etc/ in posts and other such linux paths.
        SecRuleRemoveById 950117 # Remote File Inclusion Attack - Disable to allow http:// to be passed in args
    </LocationMatch>

    <LocationMatch "(/wp-admin/post.php|/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-includes/)">
        SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in args.
    </LocationMatch>
</VirtualHost>

Hi all this my first post of for this new blog and I suppose appropriately about the blog its self.

If your concerned about security or paranoid like me your most likely running Apache mod_security on your server. If your not running mod_security it is what is referred to as a web application firewall, it applies filters and rules to data being submitted to and coming from the web server, using pattern matching it can detect attacks such as SQL injection attacks and either blocks or logs them. I plan to cover this in more detail in my next blog post but that is a very brief explanation for a more indepth explanation see the modsecurity website.

When it came to setting up this blog with wordpress I found that I was unable to use the admin area of the site due to wordpress triggering one of the mod_security rules.

After clicking login and the form being submitted I was greated with a page saying

Method Not Implemented
POST to /wp-login.php not supported.

Checking the mod_security logs /var/log/apache2/mod_security/modsec_debug.log I found this entry

[05/Feb/2010:10:57:21 +0000] [www.pablumfication.co.uk/sid#7f1a39164270][rid#7f1a393ed888][/wp-login.php][1] Access denied with code 501 (phase 2). Pattern match “^(?:ht|f)tp:/” at ARGS:redirect_to. [file "/etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_42_tight_security.conf"] [line "32"] [id "950117"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"]

the reason this occures is because of the field redirect_to that wordpress is posting from the login page

<input name="redirect_to"type="hidden" value="http://www.pablumfication.co.uk/wp-admin/" />

and the rule that is being triggered is

SecRule ARGS "^(?:ht|f)tp:/" \ "phase:2, t:none, t:htmlEntityDecode, t:lowercase, capture, ctl:auditLogParts=+E, deny, log, auditlog, status:501, msg:'Remote File Inclusion Attack', id:'950117', severity:'2'"

which is matching the http:// part of the argument that is being passed.

So how do we fix this?

Well you could just disable the rule by commenting it out with a # or by using SecRuleRemoveById to disable it globally but this kind of defeats the point. After a bit of playing around I decided the best way to get around it is to add a Location based rule into the virtual host as follows.

<LocationMatch "(/wp-admin/|/wp-login.php)">
    SecRuleRemoveById 950117 # Disable Remote File Inclusion Rule
    SecRuleRemoveById 950005 #Had to add this rule in addition when writing this article as the article contains /etc/ which triggers the "Remote File Access Attempt" rule.
</LocationMatch>

this disables the Remote File Inclusion Attack rule for the /wp-admin/ directory and the /wp-admin.php page.

A full example of how a full vhost file should look would be

<VirtualHost *:80>
    ServerName pablumfication.co.uk
    ServerAlias www.pablumfication.co.uk

    DocumentRoot /var/www/pablumfication.co.uk
    <Directory />
        Options +FollowSymLinks
        AllowOverride FileInfo
    </Directory>

    <LocationMatch "(/wp-admin/|/wp-login.php)">
        SecRuleRemoveById 950117
        SecRuleRemoveById 950005
    </LocationMatch>
</VirtualHost>

Thats all for now short and sweet. Any questions or comments I would love to hear what you think and would be happy to answer any questions. I plan to be posting at least twice a week for a while. My next article will be on setting up mod_security under Gentoo & Ubuntu 9.04 so if your not running mod_security yet please check out the post in the next few days hopefully I’ll convince you its worth your time to use it.