Disable domains - not working

Hello,

This is not the first time I have seen that disabled domains are not working, so I want to report it.
The server I’m on now is using your WHM plugin, Cloudlinux/cPanel/Litespeed 5.0.13 version.

Is this something you could check and fix in the next agent release?

We will check this issue and get back here…

Hello.

Please check whether the file /var/cpanel/cwaf/etc/httpd/domains/000_exclude_domain.name:port_number.conf exists or not.

We have experienced the same issue, running the same server, Litespeed, Cloudlinux with the following rules:

============
Current rules version: 1.39 Rules
CWAF plugin version: 2.16 (Latest version)
Web Platform: LiteSpeed
LiteSpeed version: 5.0.13 Enterprise
Mod_security compatible: yes
Mod_security loaded: yes

I have replaced the actual domain with domain.co.za and the IP address with xx.xx.xx.xx. The file that you mentioned does exist, and it appears in my list of blocked domains:

============
./cwaf-cli.pl -dl
list of disabled domains:
domain.co.za

The account still gets flagged:

[Sat Feb 27 11:13:56 2016] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/' '(?i:[\"'].{0,}?[,].{0,}(((v|(\\\\u0076)|(\\166)|(\\x76))[^a-z0-9]{0,}(a|(\\\\u0061)|(\\141)|(\\x61))[^a-z0-9]{0,}(l|(\\\\u006C)|(\\154)|(\\x6C))[^a-z0-9]{0,}(u|(\\\\u0075)|(\\165)|(\\x75))[^a-z0-9]{0,}(e|(\\\\u0065)|(\\145)|(\\x65))[^a-z0-9]{0,}(O|(\\\\u004F)|(\\117)|(\\x4F))[^a-z0-9]{0,}(f|(\\\\u0066)|(\\146)|(\\x66)))|((t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]{0,}(o|(\\\\u006F)|(\\157)|(\\x6F))[^a-z0-9]{0,}(S|(\\\\u0053)|(\\123)|(\\x53))[^a-z0-9]{0,}(t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]{0,}(r|(\\\\u0072)|(\\162)|(\\x72))[^a-z0-9]{0,}(i|(\\\\u0069)|(\\151)|(\\x69))[^a-z0-9]{0,}(n|(\\\\u006E)|(\\156)|(\\x6E))[^a-z0-9]{0,}(g|(\\\\u0067)|(\\147)|(\\x67)))).{0,}?:)'] [id "213020"] [msg "COMODO WAF: IE XSS Filters - Attack Detected."]
2016-02-27 11:13:56.363 [NOTICE] [xx.xx.xx.xx:63146] Content len: 16702, Request line: 'POST /includes/create/save-campaign.php?i=38 HTTP/1.1'
2016-02-27 11:13:56.363 [INFO] [xx.xx.xx.xx:63146] Cookie len: 197, PHPSESSID=f11f60bae735be4af77b8654201b59c4; logged_in=b03d45fef0a905f0bd89bc12c442915aa1a1b4a5293e043b81e1e7e28ee501136378bb131ad7fa7d44740e915e627d4aa4de13e655c4e2a6c3e3d1b3622d2a4d; version=2.0.7

This occurred while the user was posting a new campaign in his Email Marketing software using Sendy. We keep having to whitelist Comodo rules as they trigger due to some word or phrase that gets used in his campaign.

Thanks

Yes, files are there. Both for subdomain and main domain.
But still we had to disable the rule on the whole server :frowning:

Hello,

We reproduced this issue on our server and found that when the virtual domain is managed by Apache, domain exclude works,
but when we switched to LiteSpeed it doesn’t.

So we need to consult with cPanel or LiteSpeed support.

Ok, great.
So you will contact them and get this fixed?

I made a topic:

Please, check it. Am I right or made some mistakes in definitions?

Seems right and they did respond to you:

Add vhost include file, then add SecRuleEngine Off

Is this something you can get fixed for your Litespeed rule/agent so we can disable/enable domains?

Would really appreciate a fix for this, since there are so many false positives with the LiteSpeed rules that we currently cannot use CWAF on LiteSpeed.
So therefore it would be great to be able to disable rules on domains from customers that are having issues.

I also recommend that you set up a LiteSpeed test server and fix all the false positives. Or, if you need to, you can get access to one of my servers and fix them once and for all!

TDmitry: Any update on LiteSpeed? I’m on skype if I can help you with something in order to get a solution on this problem.

Logically all CWAF rules are fine and domain exclusion should work on LS, but due to LS’s internal limitations it doesn’t work. Currently we have no plans to fix LiteSpeed’s ModSecurity limited support. But “cWatch Web Application Security” should solve this issue, so watch for news.

OK. But does disabling a domain work if you add CWAF as a vendor in WHM?
I think the OWASP rules provided by cPanel do work with LS. So then your rules should too?

COMODO WAF rules also work in LS. Your question isn’t clear to me.

Sorry for that.
I mean is it possible to disable a domain if we use your rules as a vendor in WHM and not use your CWAF plugin?

The same thing happens in WHM operating on LiteSpeed.

ctl:ruleEngine=Off

isn’t processed correctly, so you can’t disable domains on LiteSpeed using WHM.

You can use pure Apache Web Server to achieve your goal.
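As an added illustration (not from the thread and not the CWAF plugin's own exclusion file), the two exclusion mechanisms the thread contrasts, written as ModSecurity 2.x configuration. The rule body, the rule id and the use of the domain.co.za placeholder are assumptions.

```apache
# Constructed example. Style 1: a rule-level action, the kind a per-domain
# exclude file such as
#   /var/cpanel/cwaf/etc/httpd/domains/000_exclude_domain.name:port_number.conf
# could contain. The rule matches the host and turns the engine off for that
# one transaction. This works under Apache; per the thread, LiteSpeed does
# not honour ctl:ruleEngine=Off, so the rules keep firing for the domain.
# (Rule id 1000001 is a constructed placeholder.)
SecRule SERVER_NAME "@streq domain.co.za" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Style 2: what LiteSpeed support suggested in the thread. Put this single
# directive in a vhost include file for the affected virtual host; it is a
# configuration directive, not a rule action, so no ctl: handling is needed.
# The trade-off is that it switches ModSecurity off for the whole vhost,
# not just for a subset of rules.
SecRuleEngine Off
```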