How to whitelist an IP address on WAF

Thanks for the free WAF product!

How would I go about applying a whitelisted IP address to ModSecurity? It's for my monitoring station, as the WAF is picking up a number of false positives that I would like to eliminate.

Hi

Yes, it's possible to add an IP to the whitelist.
Please add the following to Custom User Rules (in the plugin go to the 'Userdata' tab, 'Custom Rules' textbox, or just edit the file /etc/cwaf/httpd/custom_user.conf):

SecRule REMOTE_ADDR "^192\.168\.50\.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999900

192.168.50.1 is the whitelisted IP
id:999900 is the rule ID; it should be unique for each exclusion

Regards, Oleg

Thanks a mill Oleg! Works perfectly.

If you wanted to whitelist a range of IP’s and lastly an entire domain, what would the parameters be?

Hi

The argument after 'REMOTE_ADDR' is a regular expression, so you can add several IPs according to regex syntax, for example:

SecRule REMOTE_ADDR "^(192\.168\.50\.1|192\.168\.50\.2)$" phase:1,log,allow,ctl:ruleEngine=Off,id:999900

means "disable address 192.168.50.1 or 192.168.50.2" ('|' here is the OR operator; the parentheses keep both alternatives anchored with '^' and '$', otherwise '^192\.168\.50\.1' would also match 192.168.50.10)

You can also add several lines to the config (rules should have unique IDs):

SecRule REMOTE_ADDR "^192\.168\.50\.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999900
SecRule REMOTE_ADDR "^192\.168\.50\.2$" phase:1,log,allow,ctl:ruleEngine=Off,id:999901
SecRule REMOTE_ADDR "^192\.168\.50\.3$" phase:1,log,allow,ctl:ruleEngine=Off,id:999902

More complex regex:

SecRule REMOTE_ADDR "^192\.168\.50\.\d+$" phase:1,log,allow,ctl:ruleEngine=Off,id:999900

means "disable any address in the 192.168.50.* subnet" ('\d+' here means any sequence of digits)

To add an entire domain, the SERVER_NAME variable has to be used instead of REMOTE_ADDR. For example:

SecRule SERVER_NAME "^www\.test\.com$" phase:1,log,allow,ctl:ruleEngine=Off,id:999900

means "disable domain 'www.test.com'"

Regards, Oleg

Thanks a mill for the quick response and assistance Oleg!

Hi Oleg, thanks for the tip.

Please, where is the custom rules file mentioned above located in the Plesk admin? I can confirm its location in cPanel, but it's certainly not in /etc/cwaf on a Plesk server install.

Thanks.

Please check this possible variant:

/usr/local/cwaf/etc/httpd/custom_user.conf

Thanks for the response, but I do not have a CWAF directory in /usr/local. I have looked in other directories as well...

It may help to know that I’m using the CWAF version that comes pre-installed with Plesk Onyx.

Thanks.

Please try running:

# locate cwaf

or

# cd /
# find -name cwaf

Hi!

Locate and find turned up nothing, but I found that CWAF lives in /etc/apache2/modsecurity.d/rules/comodo

And besides the numbered rule files, these are the only other files (below).

categories.conf
cwatch_managed_domains
cwatch_protected_domains
exclude.yml
LICENSE.txt
rules.conf.main
rules.dat
scheme.yml
bl_agents
bl_domains
bl_input
bl_output
bl_scanners
userdata_bl_agents
userdata_bl_domains
userdata_bl_extensions
userdata_bl_headers
userdata_login_pages
userdata_wl_agents
userdata_wl_content_type
userdata_wl_domains
userdata_wl_methods

And by the way, the updates keep clearing out my 'userdata_bl_agents' entries frequently, both on cPanel and on Plesk.

Regards.

I suppose you are using just the Comodo ruleset, not the CWAF plugin as described here:

Files in /etc/apache2/modsecurity.d/rules/comodo are overwritten on update.
So please try creating /etc/apache2/modsecurity.d/custom_user.conf and including it in your Apache or ModSecurity conf file.
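The following script is an added example for this thread, not Comodo's or cWatch's code. It pulls together the two points above: Oleg's whitelist rules (single IPs, ranges and a hostname) and the Plesk layout where the rules go into a hand-made custom_user.conf that Apache has to Include. It generates the rules with ModSecurity's @ipMatch operator instead of a regex, because @ipMatch accepts single addresses, comma-separated lists and CIDR ranges directly and avoids the "^a|b$" precedence mistake that a hand-written alternation can hide; hostnames stay a regex but are escaped and anchored. The function names, the nolog choice and the syntax-check wrapper are this example's own; the output path is the Plesk location found in the thread and the cPanel path is the one Oleg gave. One caveat a practitioner should keep in mind: a SERVER_NAME rule with ctl:ruleEngine=Off switches the WAF off for every client of that vhost, so prefer the REMOTE_ADDR form wherever the false positives come from a known source such as the monitoring station.

```shell
#!/bin/sh
# Added example for this thread (not Comodo/cWatch code): generate a
# ModSecurity 2.x whitelist file from client addresses and hostnames.
# Assumptions (labelled): output path and Include line are the ones the
# thread discusses; adjust them for your own Apache/ModSecurity layout.
set -u

# gen_whitelist_rules FIRST_ID ENTRY...
# ENTRY is either an address list for @ipMatch ("192.168.50.1",
# "10.0.0.0/8", "192.168.50.1,192.168.50.2", "2001:db8::/32") or a
# hostname ("www.test.com"). Emits one SecRule per entry, with ids
# incrementing from FIRST_ID so every exclusion has a unique id.
gen_whitelist_rules() {
    id=$1; shift
    for entry in "$@"; do
        case $entry in
            *:*)          kind=ip ;;    # IPv6 literal or list
            *[!0-9./,]*)  kind=host ;;  # letters or hyphens: a hostname
            *)            kind=ip ;;    # only digits, dots, slash, comma
        esac
        if [ "$kind" = ip ]; then
            # @ipMatch handles single IPs, comma lists and CIDR ranges,
            # so there is no regex escaping and no alternation pitfall.
            printf 'SecRule REMOTE_ADDR "@ipMatch %s" "id:%s,phase:1,nolog,allow,ctl:ruleEngine=Off"\n' "$entry" "$id"
        else
            # Hostnames remain a regex: escape dots and anchor both ends so
            # "www.test.com" does not also match "www.test.com.other.example".
            esc=$(printf '%s' "$entry" | sed 's/\./\\./g')
            printf 'SecRule SERVER_NAME "^%s$" "id:%s,phase:1,nolog,allow,ctl:ruleEngine=Off"\n' "$esc" "$id"
        fi
        id=$((id + 1))
    done
}

# write_whitelist_file PATH FIRST_ID ENTRY...
# Writes the generated rules to PATH (creating its directory) and prints
# the Include line that must appear once in the Apache/ModSecurity config.
write_whitelist_file() {
    path=$1; id=$2; shift 2
    mkdir -p "$(dirname "$path")"
    gen_whitelist_rules "$id" "$@" > "$path"
    printf 'Include %s\n' "$path"
}

# check_apache_config: hypothetical wrapper that runs the Apache syntax
# check when apachectl/apache2ctl is present, and says so when it is not.
check_apache_config() {
    for ctl in apachectl apache2ctl; do
        if command -v "$ctl" >/dev/null 2>&1; then
            "$ctl" -t
            return
        fi
    done
    echo "apachectl not found, syntax check skipped"
}

# Usage on the Plesk box from the thread (on cPanel with the CWAF plugin
# use /etc/cwaf/httpd/custom_user.conf instead):
#   write_whitelist_file /etc/apache2/modsecurity.d/custom_user.conf 999900 \
#       192.168.50.0/24 10.1.2.3 www.test.com
#   check_apache_config
```

After writing the file, add the printed Include line to the Apache or ModSecurity configuration once (the thread's point is that anything under rules/comodo is overwritten on update, so the custom file must live outside that directory), then run the syntax check and reload Apache.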

Oh, thanks for taking the time to dig for answers for me. I appreciate that.

That ruleset is exactly what I'm using. So I'll create the file, add the rules and see how it goes.

Thanks plenty.