[-KaaL-]

Quote:

Originally Posted by grniyce

If you look at the mod_security log, it should tell you what is being blocked. Perhaps you can paste the security alert here. Otherwise you'll need to do what I did, and that's searching through each mod_sec document in "modsecurity" and "modsecurity.d" and search for the text, kinda like when you do an edit in vB ya know? Find that text and depending upon the usage of it, you can alter the rule or remove it entirely if it's something like a blacklist. Nothing is perfect for all environments, but what I posted is for a WHM/cPanel environment. With DA I'm not sure how it compiles Apache, and what options you have and so forth. By process of elimination you can most of the time tweak the rule.

The problem that i face is all time i google, what i get is of cPanel/WHM.. not much for DA
so im also like you all alone..the hard way..
Still learning each day something or the other ..

Code:

===============================================
THIS IS THE FIRST TYPE ...
===============================================

POST /newreply.php?do=postreply&t=758 HTTP/1.1
Host: somedomain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://somedomain.com/showthread.php?p=59668
Cookie: [Cookie....]
Content-Type: application/x-www-form-urlencoded
Content-Length: 382
-----------------------------------------------
HTTP/1.1 403 Forbidden
-----------------------------------------------
Message: [client <CLIENT.IP.ADDRESS>] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/' '(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)'] [severity "WARNING"]

===============================================
2nd ERROR TYPE
===============================================

GET /some/image/sample.gif HTTP/1.1
Host: <CLIENT.IP.ADDRESS>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.somedomain.com.com/index.php?showtopic=19815
Cookie: <COOKIE>
------------------------------------------------
HTTP/1.1 400 Bad Request
------------------------------------------------
Message: [<CLIENT.IP.ADDRESS>] mod_security: Access denied with code 400, [Rule: 'REQUEST_HEADERS:Host' '^[\d\.]+$'] [ID "960017"] [Msg "Host header is a numeric IP address"] [severity "CRITICAL"]