How to disable auto-enabled new domains by default?

Hi,
I have a question that I can’t figure out by myself. How can I stop all new domains, or sub-domains, from starting with ModSecurity ON?

Thanks,
Facundo

Hi!
You can use:
for cPanel: Plugins - Comodo WAF - Security engine - Disable domain - Disable - Apply Changes
for Plesk: Extensions Comodo WAF Plugin - Security engine - Disable domain - Disable - Apply Changes

For standalone installation you should create the configuration file /<path_to_cwaf>/cwaf/etc/httpd/domains/exclude_domain.name.conf, containing the following:

SecRule SERVER_NAME "(?:.*\.)?www\.domain\.name(?::80|:443)?|(?:.*\.)?ftp\.domain\.name(?::80|:443)?|(?:.*\.)?ipv4\.domain\.name(?::80|:443)?|(?:.*\.)?mail\.domain\.name(?::80|:443)?|(?:.*\.)?webmail\.domain\.name(?::80|:443)?|(?:.*\.)?ns\.domain\.name(?::80|:443)?|(?:.*\.)?domain\.name(?::80|:443)?" "phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off,id:10001"

I didn’t test whether it works with domains.tld, but I created a subdomain from cPanel like test.domain.com.ar (.com.ar is the TLD) and it started enabled :frowning:
I hope new domains do not begin with ModSecurity enabled; I will test tomorrow.

Hi Facundo

For security reasons, newly created domains will start with ModSecurity enabled unless stated otherwise.
To disable ModSecurity for a subdomain you should disable ModSecurity for its parent domain first.
For example, I disabled the domain “mydomain.com”. Now (if the “Consider subdomains” checkbox on the “Configuration” tab is checked) all subdomains of “mydomain.com” will start with ModSecurity disabled.

To check why domains start as enabled, can you please provide the content of your domains exclude directory?
It is located at /var/cpanel/cwaf/etc/httpd/domains for cPanel and
<CWAF_INSTALL_PATH>etc/httpd/domains for other platforms.

Great response time for a free application :azn: Thanks, really.

I have this situation. CWAF is a very good plugin with great rules, but it has a lot of false positives (almost 10%) on heavily used production websites. That’s why I don’t want ModSec enabled for any site by default; I only want to enable it by hand (manually). That way, I can control which websites can have problems, and I don’t have to advise all new websites (of my resellers) that they have to disable ModSec manually if they don’t want to have false-positive problems.

I created the file exclude_domain.name.conf like akabakov said, and I tested the following:
Create a subdomain of a domain that doesn’t have ModSec enabled (that was disabled from the CWAF plugin) | Starts enabled
Create a new account from cPanel | Starts enabled
Create a subdomain of a domain, after I disabled ModSec for every domain from cPanel | Starts DISABLED

I just want all of the above to start DISABLED without having to disable anything manually. And then, if I have a site with problems, or one that wants security, I can enable it by hand, or they can do it from cPanel :slight_smile:

The content of exclude directory is the following:
A 000_exclude_domain.tld:80.conf.backup for every domain that I have disabled on the server
00_blank.conf file, which is empty
00_blank.conf.backup, empty
exclude_domain.name.conf, which has the following:

SecRule SERVER_NAME "(?:.*\.)?www\.domain\.name(?::80|:443)?|(?:.*\.)?ftp\.domain\.name(?::80|:443)?|(?:.*\.)?ipv4\.domain\.name(?::80|:443)?|(?:.*\.)?mail\.domain\.name(?::80|:443)?|(?:.*\.)?webmail\.domain\.name(?::80|:443)?|(?:.*\.)?ns\.domain\.name(?::80|:443)?|(?:.*\.)?domain\.name(?::80|:443)?" "phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off,id:10001"

Hi Facundo

I guess that to disable ModSecurity for subdomains of *.domain.name it’s enough to provide the following config:

SecRule SERVER_NAME "(?:.*\.)?domain\.name(?::80|:443)?" "phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off,id:10001"

Please try it.
It turns off the Rule Engine for all domains matching the pattern *.domain.name
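
Added example (not posted by anyone in the thread): a Python check of which SERVER_NAME values the long and the simplified exclusion patterns cover, useful before turning the rule engine off for them. ModSecurity's regex operator is an unanchored search, which `re.search` reproduces here; the host names are constructed samples and the `ANCHORED` pattern is an assumption of this example, not part of the CWAF-generated file.

```python
import re

# Patterns from the thread: the long alternation and the simplified rule.
LABELS = ["www", "ftp", "ipv4", "mail", "webmail", "ns"]
LONG = "|".join(rf"(?:.*\.)?{label}\.domain\.name(?::80|:443)?" for label in LABELS)
LONG += r"|(?:.*\.)?domain\.name(?::80|:443)?"
SHORT = r"(?:.*\.)?domain\.name(?::80|:443)?"

# Assumption of this example: the same pattern with explicit anchors, so that
# only domain.name and its subdomains (with an optional port) are excluded.
ANCHORED = r"^(?:.*\.)?domain\.name(?::80|:443)?$"

# Constructed sample SERVER_NAME values.
HOSTS = [
    "domain.name",
    "www.domain.name",
    "test.domain.name",
    "mail.domain.name:443",
    "other.example",
    "mydomain.name",            # different domain that ends with the same string
    "domain.name.example.org",  # different domain that starts with the same string
]


def excluded(pattern, host):
    """True if a SecRule using this pattern would fire for the host."""
    return re.search(pattern, host) is not None


def compare(hosts):
    """Map each host to (long, short, anchored) match results."""
    return {h: (excluded(LONG, h), excluded(SHORT, h), excluded(ANCHORED, h))
            for h in hosts}


def over_matched(hosts):
    """Hosts the unanchored rule excludes but the anchored one does not."""
    return [h for h, (_, short, anchored) in compare(hosts).items()
            if short and not anchored]


if __name__ == "__main__":
    for host, result in compare(HOSTS).items():
        print(f"{host:26} long={result[0]!s:5} short={result[1]!s:5} anchored={result[2]}")
    print("rule engine off for unintended hosts:", over_matched(HOSTS))
```

The long and simplified patterns give identical results on every sample, and both also match the two unrelated host names, which the anchored variant leaves protected.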