On Fri, Sep 13, 2013 at 1:08 AM, Macks, Aaron <amacks@harvardbusiness.org> wrote:
I'm in the process of setting up mod_security for the first time, and am trying to whitelist some internal IP addresses using the MODSEC_ENABLE=Off environmental variable.

Hi Aaron,

In ModSecurity v2.x you should use the ctl action to whitelist internal IP addresses, e.g.:

SecRule REMOTE_ADDR "^$" "phase:1,nolog,id:1,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

FWIW you could also use the ipMatch operator for more flexibility in defining ranges.

 - Josh

I'm currently running in detection-only mode, but the modsec audit log is still recording hits, with the expected errors, where the modsec_enable value is "off".

Is this the expected behavior? Will it continue to monitor these packets and just not block them, or have I not implemented the environment var properly?  I can verify that the value is getting the OFF value where appropriate (I set it to a header, and see it in the audit logs), and that is happening the first thing in the big <ifmodule mod_security2> block.

Aaron Macks
Systems Architect

Harvard Business Publishing
300 North Beacon St.    |   Watertown, MA 02472
(617) 783-7461                |   Fax: (617) 783-7467
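
The ctl-based whitelist suggested in the reply, written with the ipMatch operator, as an added example that is not part of the original thread. The addresses are constructed placeholders, the rule id is arbitrary, and the Include path is hypothetical.

```apache
<IfModule security2_module>
    # Same mode as in the question: rules are evaluated and logged, nothing is blocked.
    SecRuleEngine DetectionOnly

    # Whitelist rule. It must be loaded before the rules it is meant to bypass:
    # phase:1 runs on the request headers, and rules within a phase run in
    # configuration order.
    #
    # In DetectionOnly mode disruptive actions such as "allow" are not executed,
    # so the ctl actions are what actually stop rule processing and audit
    # logging for the matching transaction.
    #
    # Constructed sample values: one internal CIDR range and one single host.
    SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8,192.0.2.15" \
        "id:1000,phase:1,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

    # The rest of the rule set is loaded after the whitelist rule.
    # Hypothetical path; use the location of your own rules.
    # Include /etc/modsecurity/rules/*.conf
</IfModule>
```

REMOTE_ADDR is the address of the directly connected peer, so behind a reverse proxy or load balancer this rule matches the proxy and would exempt all traffic passing through it.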
