Hi all this my first post of for this new blog and I suppose appropriately about the blog its self.

If your concerned about security or paranoid like me your most likely running Apache mod_security on your server. If your not running mod_security it is what is referred to as a web application firewall, it applies filters and rules to data being submitted to and coming from the web server, using pattern matching it can detect attacks such as SQL injection attacks and either blocks or logs them. I plan to cover this in more detail in my next blog post but that is a very brief explanation for a more indepth explanation see the modsecurity website.

When it came to setting up this blog with wordpress I found that I was unable to use the admin area of the site due to wordpress triggering one of the mod_security rules.

After clicking login and the form being submitted I was greated with a page saying

Method Not Implemented
POST to /wp-login.php not supported.

Checking the mod_security logs /var/log/apache2/mod_security/modsec_debug.log I found this entry

[05/Feb/2010:10:57:21 +0000] [www.pablumfication.co.uk/sid#7f1a39164270][rid#7f1a393ed888][/wp-login.php][1] Access denied with code 501 (phase 2). Pattern match “^(?:ht|f)tp:/” at ARGS:redirect_to. [file “/etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_42_tight_security.conf”] [line “32”] [id “950117”] [msg “Remote File Inclusion Attack”] [severity “CRITICAL”]

the reason this occures is because of the field redirect_to that wordpress is posting from the login page

<input name="redirect_to"type="hidden" value="http://www.pablumfication.co.uk/wp-admin/" />

and the rule that is being triggered is

SecRule ARGS "^(?:ht|f)tp:/" \ "phase:2, t:none, t:htmlEntityDecode, t:lowercase, capture, ctl:auditLogParts=+E, deny, log, auditlog, status:501, msg:'Remote File Inclusion Attack', id:'950117', severity:'2'"

which is matching the http:// part of the argument that is being passed.

So how do we fix this?

Well you could just disable the rule by commenting it out with a # or by using SecRuleRemoveById to disable it globally but this kind of defeats the point. After a bit of playing around I decided the best way to get around it is to add a Location based rule into the virtual host as follows.

<LocationMatch "(/wp-admin/|/wp-login.php)">
    SecRuleRemoveById 950117 # Disable Remote File Inclusion Rule
    SecRuleRemoveById 950005 #Had to add this rule in addition when writing this article as the article contains /etc/ which triggers the "Remote File Access Attempt" rule.
</LocationMatch>

this disables the Remote File Inclusion Attack rule for the /wp-admin/ directory and the /wp-admin.php page.

A full example of how a full vhost file should look would be

<VirtualHost *:80>
    ServerName pablumfication.co.uk
    ServerAlias www.pablumfication.co.uk

    DocumentRoot /var/www/pablumfication.co.uk
    <Directory />
        Options +FollowSymLinks
        AllowOverride FileInfo
    </Directory>

    <LocationMatch "(/wp-admin/|/wp-login.php)">
        SecRuleRemoveById 950117
        SecRuleRemoveById 950005
    </LocationMatch>
</VirtualHost>

Thats all for now short and sweet. Any questions or comments I would love to hear what you think and would be happy to answer any questions. I plan to be posting at least twice a week for a while. My next article will be on setting up mod_security under Gentoo & Ubuntu 9.04 so if your not running mod_security yet please check out the post in the next few days hopefully I’ll convince you its worth your time to use it.