Apache2 ModSecurity Whitelist Generator Script


    For the Apache Users on the forum, and people generally interested in this sort of thing:

    ModSecurity is a Web Application Firewall for Apache. There is a Core Rule Set (CRS) included in the repos for generic nastiness detection, however you may find that you get lots of false positives.

    Therefore, it is necessary to write yourself a whitelist file, which is an absolute PITA to do manually because there are so many false positives. I tried myself, spent a few hours doing it, and then thought it was about time I brushed up on my BASH skills.

    So, here is the result of my labour: a script that will take your Apache error logs and use them to produce a whitelist file, based on the principle that errors caused by requests from a specified set of IP addresses are false positives, and should therefore be whitelisted.

    You can define which locations you want to group into LocationMatch statements. If you don't specify any, a LocationMatch statement will be produced for each and every URI where a friendly user tripped a rule.

    The defaults here are for a site running Wordpress and Webalizer, but you can use the same script to make a separate whitelist for each VirtualHost, and then load each one like this:

    Code:
    <VirtualHost *:80>
    ServerName foo.com
    Include /etc/modsecurity/whitelists/foo.conf
    </VirtualHost>
    
    <VirtualHost *:80>
    ServerName bar.com
    Include /etc/modsecurity/whitelists/bar.conf
    </VirtualHost>
    The script:

    Code:
    #! /bin/bash
    #
    # This is the ModSecurity CRS Whitelist Generator Script version 12/03/2014
    # Not affiliated with the Modsecurity project or the CRS
    # Script by Sam Hobbs http://www.samhobbs.co.uk
    # Licence: public domain
    # Please let me know how you get on so that I can make improvements: leave a
    # comment on my blog or email me at: sam at samhobbs dot co dot uk
    
    # Every installation of Apache with Modsecurity will probably have false positives.
    # This script aims to make writing a whitelist file quicker than doing it manually.
    # Required input is as many error logs as you have available from the relevant virtualhost,
    # with ModSecurity set to detect only and all of the CRS enabled
    
    #===================================== USER INPUT =========================================#
    
    # This script works by assuming that all traffic from a friendly IP address is legitimate
    # and that the resulting errors are false positives.
    
    # Define one or more friendly IP address, separating each IP with a space. If you are
    # hosting at home, a good choice is your router's LAN IP address, since your server sees
    # all traffic from your LAN as originating here.
    # You might also like to add IP addresses of users you know weren't abusing the site, for
    # example people who left legitimate comments. Wordpress tells you the IP address used to
    # post each comment on the comment moderation GUI.
    FRIENDLY_IP="192.168.1.1"
    
    # Define a list of special locations. The matching process uses regex. A LocationMatch
    # statement will be created for each one of these locations, which will be populated with
    # rule IDs for all the locations that match that regex. Leave a space between each location
    # that you enter.
    # There is no need to start each location with "^"; the script adds the character for you.
    # A LocationMatch regex is only anchored where you anchor it, so a location that does not
    # end with "$" matches every path that begins with it, i.e.
    # <LocationMatch "^/wordpress/wp-admin/"> matches /wordpress/wp-admin/wp-login.php, but
    # <LocationMatch "^/wordpress/wp-admin/$"> does not.
    
    SPECIAL_LOCATIONS="/webalizer /20[0-9][0-9]/[0-9][0-9] /wordpress/wp-content/uploads/20[0-9][0-9]/[0-9][0-9] /wordpress/wp-content/plugins/akismet /wordpress/wp-content/plugins/syntaxhighlighter /wordpress/wp-content/plugins/jquery-collapse-o-matic /wordpress/wp-includes/js/ /wordpress/wp-includes/css /wordpress/wp-includes/images /wordpress/wp-content/themes/twentyfourteen /wordpress/wp-admin/$"
    
    # Define directory holding the Apache error log files to be processed
    LOG_DIR=~/error
    
    # Define directory for output files:
    OUTPUT_DIR=~/modsec-whitelist 
    
    #===================================== KNOWN BUGS =========================================#
    
    # SecRuleRemoveById 891143 doesn't work. From what I can tell, this is a ModSecurity bug,
    # not a problem with the script; other users have had the same problem:
    #	http://lists.roundcube.net/pipermail/users/2011-October.txt
    
    #==================================== HOUSEKEEPING ========================================#
    
    # Script version 
    VERSION="12/03/2014"
    
    # Create the output directory if it doesn't exist:
    # Create the output directory if it doesn't exist, otherwise clear out the previous run
    if [ ! -d "$OUTPUT_DIR" ]
    then
      mkdir -p "$OUTPUT_DIR"
      echo "Output directory has been created at $OUTPUT_DIR"
      echo ""
    else
      echo -n "Old output files detected, deleting..."
      rm -f "$OUTPUT_DIR"/*
      echo "...done"
      echo ""
    fi
    
    # Some files:
    COMBINED_LOG=$OUTPUT_DIR/combined_log
    PROBLEM_LOCATIONS=$OUTPUT_DIR/problem_locations
    ROOT_LOG=$OUTPUT_DIR/root_log
    PROBLEM_LOCATIONS_REMAINING=$OUTPUT_DIR/problem_locations_remaining
    ROOT_IDS=$OUTPUT_DIR/root_ids
    GROUPED_LOCATIONS=$OUTPUT_DIR/grouped_locations
    WHITELIST_FILE=$OUTPUT_DIR/whitelist
    
    # Rules tripped on the root domain will be added as generic exceptions for the whole virtualhost:
    echo "Rules tripped on the root domain will be added as generic exceptions for the whole virtualhost"
    echo ""
    echo "In addition to this, you have selected the following special locations to be grouped into whitelist statements"
    for variable in $SPECIAL_LOCATIONS; do
    echo "> $variable";
    done
    echo ""
    
    # Perform work in temporary files
    TEMPFILE1=$(mktemp)
    TEMPFILE2=$(mktemp)
    TEMPFILE3=$(mktemp)
    TEMPFILE4=$(mktemp)
    
    #==================================== LOG PROCESSING ======================================#
    
    # Read all files in the log file directory and combine them into one long file:
    echo "Processing error logs..."
    for f in $LOG_DIR/*; do
      if [[ "$f" =~ \.gz$ ]]; then
        echo "> reading $f"
        zcat $f >> $TEMPFILE1
      elif [[ "$f" =~ \.log ]]; then
        echo "> reading $f"
        cat $f >> $TEMPFILE1
      else
        echo "File $f not recognised as a log file, skipping"
      fi
    done
    echo ""
    
    echo "Converting logs into a useful format:"
    # Remove any log entries from the file that are not generated by ModSecurity
    echo -n "> Removing entries that were not generated by ModSecurity..."
    grep ModSecurity $TEMPFILE1 > $TEMPFILE2
    echo "...done."
    #echo ""
    
    # Remove log entries from traffic that is not from friendly IP addresses.
    # The dots in the IP are escaped and the closing "]" (or ":port]" on Apache 2.4) must
    # follow it, so "192.168.1.1" does not also match 192.168.1.10 or 192.168.1.100 and
    # whitelist rules that a stranger tripped.
    echo -n "> Removing errors that were not from friendly IP addresses..."
    for ip in $FRIENDLY_IP; do
    ESCAPED_IP=$(echo "$ip" | sed 's/\./\\./g')
    grep -E "\[client ${ESCAPED_IP}(:[0-9]+)?\]" $TEMPFILE2 >> $TEMPFILE4
    done
    echo "...done."
    #echo ""
    
    # Write combined log file:
    echo -n "> Generating combined log file..."
    cp $TEMPFILE4 $COMBINED_LOG
    echo "...done ($COMBINED_LOG)."
    #echo ""
    
    # Filter out rules that match the root regex:
    echo -n "> Separating entries that match the root location"
    grep -F '[uri "/"]' $COMBINED_LOG > $ROOT_LOG
    echo "...done ($ROOT_LOG)."
    echo ""
    
    
    # Now generate a list of locations with problems:
    echo -n "Generating a list of all problem locations"
    # Take the URI from the log's own [uri "..."] field rather than counting fields from the
    # end of the line, so a URI containing a space does not break the list
    grep -o '\[uri "[^"]*"\]' $COMBINED_LOG | cut -d '"' -f 2 | sort -u > $PROBLEM_LOCATIONS
    echo "...done ($PROBLEM_LOCATIONS)."
    echo ""
    
    #==================================== WHITELIST HEADER ====================================#
    
    echo "# This file was created using the ModSecurity CRS Whitelist Generator script, version $VERSION" >> $WHITELIST_FILE
    echo "# Save this file to /etc/modsecurity/modsecurity-whitelist and symlink it into the relevant" >>$WHITELIST_FILE
    echo "# VirtualHost configuration with \"Include /etc/modsecurity/modsecurity-whitelist\"" >> $WHITELIST_FILE
    echo "# See http://www.samhobbs.co.uk for more information" >> $WHITELIST_FILE
    echo "" >> $WHITELIST_FILE
    echo "" >> $WHITELIST_FILE
    
    #==================================== MATCH EVERYWHERE ====================================#
    # Rule matches for the site's root will be whitelisted for the whole site:
    
    echo "Now working on rules to whitelist everywhere"
    # Generate a list of IDs that match the root regex
    echo -n "> Generating a list of rule IDs for the root location"
    # The "##" header line keeps the file non-empty so that grep -f can use it later on
    echo "##" > $ROOT_IDS
    grep -o 'id "[0-9]*"' $ROOT_LOG | cut -d '"' -f 2 | sort -u >> $ROOT_IDS
    echo "...done."
    echo -n "> Writing LocationMatch statement to whitelist file..."
    # Only the ID lines are written out; the header line is skipped
    grep '^[0-9]' $ROOT_IDS | sed 's/^/SecRuleRemoveById /' >> $WHITELIST_FILE
    echo "" >> $WHITELIST_FILE
    echo "...done."
    echo ""
    
    #=================================== SPECIAL LOCATIONS ====================================#
    
    COUNT=1
    for LOCATION in $SPECIAL_LOCATIONS; do
      echo "Now working on the following location: $LOCATION"
      # Generate a list of problem locations for $LOCATION
      echo -n "> Generating a list of matching locations"
      TEMPLOCATION="$OUTPUT_DIR/location_${COUNT}"
      grep "^$LOCATION" $PROBLEM_LOCATIONS >> $TEMPLOCATION
      echo "...done."
    
      # Generate list of rule IDs for $LOCATION. Each URI is matched as the exact contents of
      # the log's [uri "..."] field, so /index.php does not also collect the rule IDs that were
      # tripped on /wordpress/wp-admin/index.php
      echo -n "> Generating a list of rule IDs for this location"
      echo "#" > $TEMPFILE3 # header line, skipped below; just keeps the file non-empty
      while read -r LINE; do
        grep -F "[uri \"$LINE\"]" $COMBINED_LOG | grep -o 'id "[0-9]*"' | cut -d '"' -f 2 >> $TEMPFILE3
      done < $TEMPLOCATION
      TEMPIDFILE="$OUTPUT_DIR/id_${COUNT}"
      grep '^[0-9]' $TEMPFILE3 | sort -u | grep -vxF -f $ROOT_IDS > $TEMPIDFILE
      echo "...done."
      COUNT=$((COUNT+1))
      
      # Add $LOCATION to whitelist file
      echo -n "> Writing LocationMatch statement to whitelist file"
      # LocationMatch is only anchored at the start, so "^$LOCATION" already matches every path
      # beginning with the location (unless the location itself ends in "$"). Appending "*"
      # would be a regex quantifier, not a glob, and would also match the location with its
      # last character missing.
      echo "<LocationMatch \"^$LOCATION\">" >> $WHITELIST_FILE
      sed 's/^/SecRuleRemoveById /' $TEMPIDFILE >> $WHITELIST_FILE
      echo "</LocationMatch>" >> $WHITELIST_FILE
      echo "" >> $WHITELIST_FILE
      echo "...done."
      echo ""
    done
    
    #================================ REMAINING LOCATIONS LIST ================================#
    
    # Generate a list of all locations that are covered by the group statements
    echo -n "Find locations already covered by the group statements"
    : > $GROUPED_LOCATIONS # create the file even if no special locations were defined
    for file in $OUTPUT_DIR/location_*; do
      [ -f "$file" ] && cat "$file" >> $GROUPED_LOCATIONS
    done
    echo "...done ($GROUPED_LOCATIONS)."
    
    # Now remove those locations from the master list of problem locations to leave a list of remaining problem locations. Also remove root, since this is dealt with separately.
    echo -n "Remove these locations from the master list"
    grep -vxF -f $GROUPED_LOCATIONS $PROBLEM_LOCATIONS | grep -v '^/$' > $PROBLEM_LOCATIONS_REMAINING
    echo "...done ($PROBLEM_LOCATIONS_REMAINING)."
    
    #================================== REMAINING LOCATIONS ===================================#
    
    # Now write the remaining locations to the whitelist file
    echo -n "Now writing the remaining problem locations to the whitelist file"
    while read -r line; do
    # since some of these are .php scripts, .php?foo=bar needs to match, so don't add $
      echo "<LocationMatch \"^$line\">" >> $WHITELIST_FILE
      # match the exact [uri "..."] field so that a URI which is a prefix of another one
      # (e.g. /index.php and /wordpress/wp-admin/index.php) only gets its own rule IDs
      grep -F "[uri \"$line\"]" $COMBINED_LOG | grep -o 'id "[0-9]*"' | cut -d '"' -f 2 | sort -u | grep -vxF -f $ROOT_IDS | sed 's/^/SecRuleRemoveById /' >> $WHITELIST_FILE
      echo "</LocationMatch>" >> $WHITELIST_FILE
      echo "" >> $WHITELIST_FILE
    done < $PROBLEM_LOCATIONS_REMAINING
    echo "...done."
    echo ""
    echo "Your whitelist file has been created at $WHITELIST_FILE"
    echo ""
    
    #====================================== CLEAN UP ==========================================#
    
    # Clean up temporary files
    echo -n "Cleaning up..."
    rm -f $TEMPFILE1 $TEMPFILE2 $TEMPFILE3 $TEMPFILE4
    echo "...done"
    Sample terminal output:

    Code:
    feathers-mcgraw@Hobbs-T440s:~$ generate-modsec-whitelist.sh
    Old output files detected, deleting......done
    
    Rules tripped on the root domain will be added as generic exceptions for the whole virtualhost
    
    In addition to this, you have selected the following special locations to be grouped into whitelist statements
    > /webalizer
    > /20[0-9][0-9]/[0-9][0-9]
    > /wordpress/wp-content/uploads/20[0-9][0-9]/[0-9][0-9]
    > /wordpress/wp-content/plugins/akismet
    > /wordpress/wp-content/plugins/syntaxhighlighter
    > /wordpress/wp-content/plugins/jquery-collapse-o-matic
    > /wordpress/wp-includes/js/
    > /wordpress/wp-includes/css
    > /wordpress/wp-includes/images
    > /wordpress/wp-content/themes/twentyfourteen
    > /wordpress/wp-admin/$
    
    Processing error logs...
    > reading /home/feathers-mcgraw/error/error.log
    > reading /home/feathers-mcgraw/error/error.log.1
    > reading /home/feathers-mcgraw/error/error.log.10.gz
    > reading /home/feathers-mcgraw/error/error.log.11.gz
    > reading /home/feathers-mcgraw/error/error.log.12.gz
    > reading /home/feathers-mcgraw/error/error.log.13.gz
    > reading /home/feathers-mcgraw/error/error.log.14.gz
    > reading /home/feathers-mcgraw/error/error.log.15.gz
    > reading /home/feathers-mcgraw/error/error.log.16.gz
    > reading /home/feathers-mcgraw/error/error.log.17.gz
    > reading /home/feathers-mcgraw/error/error.log.18.gz
    > reading /home/feathers-mcgraw/error/error.log.19.gz
    > reading /home/feathers-mcgraw/error/error.log.20.gz
    > reading /home/feathers-mcgraw/error/error.log.21.gz
    > reading /home/feathers-mcgraw/error/error.log.22.gz
    > reading /home/feathers-mcgraw/error/error.log.23.gz
    > reading /home/feathers-mcgraw/error/error.log.2.gz
    > reading /home/feathers-mcgraw/error/error.log.3.gz
    > reading /home/feathers-mcgraw/error/error.log.4.gz
    > reading /home/feathers-mcgraw/error/error.log.5.gz
    > reading /home/feathers-mcgraw/error/error.log.6.gz
    > reading /home/feathers-mcgraw/error/error.log.7.gz
    > reading /home/feathers-mcgraw/error/error.log.8.gz
    > reading /home/feathers-mcgraw/error/error.log.9.gz
    
    Converting logs into a useful format:
    > Removing entries that were not generated by ModSecurity......done.
    > Removing errors that were not from friendly IP addresses......done.
    > Generating combined log file......done (/home/feathers-mcgraw/modsec-whitelist/combined_log).
    > Separating entries that match the root location...done (/home/feathers-mcgraw/modsec-whitelist/root_log).
    
    Generating a list of all problem locations...done (/home/feathers-mcgraw/modsec-whitelist/problem_locations).
    
    Now working on rules to whitelist everywhere
    > Generating a list of rule IDs for the root location...done.
    > Writing LocationMatch statement to whitelist file......done.
    
    Now working on the following location: /webalizer
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Now working on the following location: /20[0-9][0-9]/[0-9][0-9]
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Now working on the following location: /wordpress/wp-content/uploads/20[0-9][0-9]/[0-9][0-9]
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Now working on the following location: /wordpress/wp-content/plugins/akismet
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Now working on the following location: /wordpress/wp-content/plugins/syntaxhighlighter
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Now working on the following location: /wordpress/wp-content/plugins/jquery-collapse-o-matic
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Now working on the following location: /wordpress/wp-includes/js/
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Now working on the following location: /wordpress/wp-includes/css
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Now working on the following location: /wordpress/wp-includes/images
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Now working on the following location: /wordpress/wp-content/themes/twentyfourteen
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Now working on the following location: /wordpress/wp-admin/$
    > Generating a list of matching locations...done.
    > Generating a list of rule IDs for this location...done.
    > Writing LocationMatch statement to whitelist file...done.
    
    Find locations already covered by the group statements...done (/home/feathers-mcgraw/modsec-whitelist/grouped_locations).
    Remove these locations from the master list...done (/home/feathers-mcgraw/modsec-whitelist/problem_locations_remaining).
    Now writing the remaining problem locations to the whitelist file...done.
    
    Your whitelist file has been created at /home/feathers-mcgraw/modsec-whitelist/whitelist
    
    Cleaning up......done
    Sample whitelist file:

    Code:
    # This file was created using the ModSecurity CRS Whitelist Generator script, version 11/03/2014
    # Save this file to /etc/modsecurity/modsecurity-whitelist and symlink it into the relevant
    # VirtualHost configuration with "Include /etc/modsecurity/modsecurity-whitelist"
    # See http://www.samhobbs.co.uk for more information
    
    
    SecRuleRemoveById 950901
    SecRuleRemoveById 960032
    SecRuleRemoveById 960034
    SecRuleRemoveById 981143
    
    <LocationMatch "^/webalizer*">
    SecRuleRemoveById 970002
    SecRuleRemoveById 981205
    SecRuleRemoveById 981220
    SecRuleRemoveById 981222
    </LocationMatch>
    
    <LocationMatch "^/20[0-9][0-9]/[0-9][0-9]*">
    SecRuleRemoveById 960015
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-content/uploads/20[0-9][0-9]/[0-9][0-9]*">
    SecRuleRemoveById 960015
    SecRuleRemoveById 981172
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-content/plugins/akismet*">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981405
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-content/plugins/syntaxhighlighter*">
    SecRuleRemoveById 981405
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-content/plugins/jquery-collapse-o-matic*">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981405
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-includes/js/*">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981405
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-includes/css*">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981405
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-includes/images*">
    SecRuleRemoveById 981172
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-content/themes/twentyfourteen*">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981401
    SecRuleRemoveById 981405
    SecRuleRemoveById 981407
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/$">
    SecRuleRemoveById 950018
    SecRuleRemoveById 950119
    SecRuleRemoveById 950922
    SecRuleRemoveById 960010
    SecRuleRemoveById 960024
    SecRuleRemoveById 970003
    SecRuleRemoveById 973334
    SecRuleRemoveById 981172
    SecRuleRemoveById 981173
    SecRuleRemoveById 981184
    SecRuleRemoveById 981185
    SecRuleRemoveById 981224
    SecRuleRemoveById 981240
    SecRuleRemoveById 981243
    SecRuleRemoveById 981257
    </LocationMatch>
    
    <LocationMatch "^/about-me/">
    </LocationMatch>
    
    <LocationMatch "^/category/mail-server/">
    </LocationMatch>
    
    <LocationMatch "^/category/raspberry-pi/">
    </LocationMatch>
    
    <LocationMatch "^/category/raspberry-pi/page/2/">
    </LocationMatch>
    
    <LocationMatch "^/diy-raspberry-pi-webserver/">
    SecRuleRemoveById 960015
    </LocationMatch>
    
    <LocationMatch "^/favicon.ico">
    </LocationMatch>
    
    <LocationMatch "^/index.php">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981184
    SecRuleRemoveById 981185
    SecRuleRemoveById 981240
    SecRuleRemoveById 981405
    </LocationMatch>
    
    <LocationMatch "^/raspberry-pi-email-server/">
    SecRuleRemoveById 960015
    </LocationMatch>
    
    <LocationMatch "^/tutorials/">
    </LocationMatch>
    
    <LocationMatch "^/tutorials/page/2/">
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/admin-ajax.php">
    SecRuleRemoveById 960010
    SecRuleRemoveById 960024
    SecRuleRemoveById 973334
    SecRuleRemoveById 981172
    SecRuleRemoveById 981173
    SecRuleRemoveById 981224
    SecRuleRemoveById 981240
    SecRuleRemoveById 981243
    SecRuleRemoveById 981257
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/async-upload.php">
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/comment.php">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981173
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/css/colors.min.css">
    SecRuleRemoveById 981172
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/css/wp-admin.min.css">
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/edit-comments.php">
    SecRuleRemoveById 950922
    SecRuleRemoveById 970003
    SecRuleRemoveById 981172
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/images/spinner-2x.gif">
    SecRuleRemoveById 981172
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/images/wordpress-logo.svg">
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/index.php">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981184
    SecRuleRemoveById 981185
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/load-scripts.php">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981173
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/load-styles.php">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981173
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/plugin-install.php">
    SecRuleRemoveById 970003
    SecRuleRemoveById 981172
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/plugins.php">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/post-new.php">
    SecRuleRemoveById 981172
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/post.php">
    SecRuleRemoveById 950018
    SecRuleRemoveById 950119
    SecRuleRemoveById 960010
    SecRuleRemoveById 981172
    SecRuleRemoveById 981184
    SecRuleRemoveById 981185
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/update-core.php">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-admin/update.php">
    SecRuleRemoveById 981172
    SecRuleRemoveById 981173
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-comments-post.php">
    SecRuleRemoveById 959072
    SecRuleRemoveById 960010
    SecRuleRemoveById 960024
    SecRuleRemoveById 981172
    SecRuleRemoveById 981173
    SecRuleRemoveById 981184
    SecRuleRemoveById 981240
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-content/plugins/better-wp-security/images/shield-small.png">
    SecRuleRemoveById 981172
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-cron.php">
    SecRuleRemoveById 960015
    SecRuleRemoveById 981220
    SecRuleRemoveById 981222
    SecRuleRemoveById 981405
    </LocationMatch>
    
    <LocationMatch "^/wordpress/wp-login.php">
    SecRuleRemoveById 960010
    SecRuleRemoveById 981173
    SecRuleRemoveById 981184
    SecRuleRemoveById 981185
    SecRuleRemoveById 981240
    </LocationMatch>
    I need to write one more step to remove the empty LocationMatch statements just so the whitelist file looks cleaner, but other than that it works great.

    I hope someone finds it useful/interesting!

    If I've done silly, inefficient things with BASH (undoubtedly so) then please post your suggestions for improvements.

    Feathers
    samhobbs.co.uk
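The core step of the generator, rewritten as shell functions and run over a handful of constructed ModSecurity 2.x error-log lines, as an added example (my code, not the script from the post). It assumes the Apache 2.4 `[client ip:port]` log form; the rule IDs are sample values taken from the post's output, and the non-friendly IP 192.168.1.10 is there to show that the friendly-IP match must be exact.

```shell
#!/bin/bash
# Added example, not the script from the post: friendly-IP filter -> uri/id
# pairs -> root IDs whitelisted site-wide, everything else per URI.

# Constructed log lines in the Apache 2.4 "[client ip:port]" form. The last two
# must not contribute: one is from a non-friendly IP, the other is not a
# ModSecurity entry at all.
SAMPLE_LOG='[Wed Mar 12 10:00:01 2014] [error] [client 192.168.1.1:50234] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [id "950901"] [hostname "foo.com"] [uri "/"] [unique_id "c1"]
[Wed Mar 12 10:00:02 2014] [error] [client 192.168.1.1:50235] ModSecurity: Warning. Pattern match "..." at ARGS:s. [id "981172"] [hostname "foo.com"] [uri "/index.php"] [unique_id "c2"]
[Wed Mar 12 10:00:03 2014] [error] [client 192.168.1.1:50236] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [id "950901"] [hostname "foo.com"] [uri "/index.php"] [unique_id "c3"]
[Wed Mar 12 10:00:04 2014] [error] [client 192.168.1.1:50237] ModSecurity: Warning. Pattern match "..." at ARGS:s. [id "981240"] [hostname "foo.com"] [uri "/index.php"] [unique_id "c4"]
[Wed Mar 12 10:00:05 2014] [error] [client 192.168.1.1:50238] ModSecurity: Warning. Pattern match "..." at ARGS:content. [id "981172"] [hostname "foo.com"] [uri "/wordpress/wp-admin/post.php"] [unique_id "c5"]
[Wed Mar 12 10:00:06 2014] [error] [client 192.168.1.10:40001] ModSecurity: Warning. Pattern match "..." at ARGS:id. [id "960024"] [hostname "foo.com"] [uri "/index.php"] [unique_id "c6"]
[Wed Mar 12 10:00:07 2014] [error] [client 192.168.1.1:50239] File does not exist: /var/www/favicon.ico'

# Keep only ModSecurity entries from the given friendly IPs. Dots are escaped
# and the "]" or ":port]" after the address is required, so the pattern for
# 192.168.1.1 cannot also accept 192.168.1.10 or 192.168.1.100.
friendly_entries() {
  local logfile=$1 ip escaped
  shift
  for ip in "$@"; do
    escaped=$(printf '%s' "$ip" | sed 's/\./\\./g')
    grep -E "\[client ${escaped}(:[0-9]+)?\] ModSecurity:" "$logfile"
  done
}

# Reduce each entry to "uri id" using the bracketed fields, so a URI that is a
# prefix of another (/index.php vs /wordpress/wp-admin/index.php) is never
# confused with it.
uri_id_pairs() {
  sed -n 's/.*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\2 \1/p'
}

# Sorted, unique rule IDs tripped on exactly this URI.
ids_for_uri() {
  local pairs=$1 uri=$2
  awk -v u="$uri" '$1 == u { print $2 }' "$pairs" | sort -u
}

# Root hits become site-wide SecRuleRemoveById lines; every other URI gets its
# own LocationMatch, with the site-wide IDs filtered out again.
generate_whitelist() {
  local logfile=$1 pairs rootids uri
  shift
  pairs=$(mktemp)
  rootids=$(mktemp)
  friendly_entries "$logfile" "$@" | uri_id_pairs > "$pairs"
  ids_for_uri "$pairs" "/" > "$rootids"
  echo "# generated whitelist (added example)"
  sed 's/^/SecRuleRemoveById /' "$rootids"
  awk '$1 != "/" { print $1 }' "$pairs" | sort -u | while read -r uri; do
    echo
    echo "<LocationMatch \"^$uri\">"
    ids_for_uri "$pairs" "$uri" | grep -vxF -f "$rootids" | sed 's/^/SecRuleRemoveById /'
    echo "</LocationMatch>"
  done
  rm -f "$pairs" "$rootids"
}

# Write the constructed log to a temporary file and build the whitelist for it.
run_demo() {
  local logfile
  logfile=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$logfile"
  generate_whitelist "$logfile" 192.168.1.1
  rm -f "$logfile"
}

run_demo
```

The output is one site-wide `SecRuleRemoveById 950901` followed by a block each for `/index.php` and `/wordpress/wp-admin/post.php`; rule 960024 from the stranger's request never appears.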

    #2
    *sniff* my acolyte is growing up!



      #3
      Hehe thanks mate. Very interesting to learn about all this! Best way to learn is to get stuck in.
      samhobbs.co.uk



        #4
        Hahaha I am literally going mad.

        This week I spent ages trying to work out why none of the rules seemed to be turning off on the admin backend as they should; it turns out it's because I only included the whitelist file in the HTTP virtualhost, not the SSL version.

        As soon as I included it in the SSL version, everything worked fine straight away!

        At least I learned some stuff about regex when I was trying to work out why none of those pages were matching!!
        samhobbs.co.uk



          #5
          Latest version of the script, and a write-up, here:

          http://www.samhobbs.co.uk/2014/05/ap...nerator-script

          Now I need to work on an automated way of building a whitelist that isn't such a sledgehammer approach.
          samhobbs.co.uk
