Forum Replies Created

Viewing 13 replies - 1 through 13 (of 13 total)
  • Thread Starter rmalderson3

    (@rmalderson3)

    OK, no one wants to take a stab at this. Fine.

    While I can’t get modsecurity to accept the SecRuleRemoveById exceptions, I did get it to go “detection only”, which did indeed allow insertion and publishing of my first post.

    Too bad.

    Thread Starter rmalderson3

    (@rmalderson3)

    Continuing the saga: I added a ModSecurity exclusion, first to …/local_rules/modsecurity_localrules.conf and after that failed on restart, to …/activated_rules/whitelist.conf which also failed on restart. I realize that this is not a ModSecurity support page, but since the places I garnered this information were found by searching for “modsecurity rules wordpress” I think I can say that I’m probably not the first person to encounter this.

    The rules I added were

    ```
    <LocationMatch "/wp-admin/page.php">
    SecRuleRemoveById 932130
    </LocationMatch>

    <LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 932130
    </LocationMatch>

    <LocationMatch "/wp-admin/admin-ajax.php">
    SecRuleRemoveById 932130
    </LocationMatch>
    ```

    The following excerpt shows the failure.

    journalctl -xe
    Mar 21 18:31:32 mail.alderson.science httpd[636168]: AH00526: Syntax error on line 13 of /etc/httpd/modsecurity.d/activated_rules/whitelist.conf:
    Mar 21 18:31:32 mail.alderson.science httpd[636168]: ModSecurity: No action id present within the rule
    Mar 21 18:31:32 mail.alderson.science systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
    Mar 21 18:31:32 mail.alderson.science systemd[1]: httpd.service: Failed with result 'exit-code'.
    -- Subject: Unit failed
    -- Defined-By: systemd
    -- Support: https://access.redhat.com/support

    -- The unit httpd.service has entered the 'failed' state with result 'exit-code'.
    Mar 21 18:31:32 mail.alderson.science systemd[1]: Failed to start The Apache HTTP Server.
    -- Subject: Unit httpd.service has failed
    -- Defined-By: systemd
    -- Support: https://access.redhat.com/support

    -- Unit httpd.service has failed.

    -- The result is failed.

    Thread Starter rmalderson3

    (@rmalderson3)

    VPS hosting is irrelevant. I could install WordPress on my Macintosh on my desk.
    Perhaps someone with experience in self-hosted installations should chime in.

    In any case, I have had a look at the logs, and find the following (for example) in the ssl_error log for yesterday:

    [Fri Mar 18 15:40:42.754737 2022] [:error] [pid 536254:tid 140146821244672] [client 172.92.68.182:60441] [client 172.92.68.182] ModSecurity: Warning. Pattern match "(?:\\\\$(?:\\\\((?:\\\\(.*\\\\)|.*)\\\\)|\\\\{.*\\\\})|[<>]\\\\(.*\\\\))" at ARGS:data[wp_autosave][content]. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data: >(corrected version originally answered on quora.com february 11 2016)</em> how was the proto-indo-european language reconstructed? in order to answer this question we have to look at the historical background in which the earliest research in what we now call indo-european historical linguistics took place. first off we have to recognize that people familiar with more than one language saw resemblances between and among them even where none actually existed. for example the ancient romans ..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88 [hostname "www.alderson.science"] [uri "/wordpress/wp-admin/admin-ajax.php"] [unique_id "YjUKasT5cUoLjsr5qeN57gAAAM4"], referer: https://www.alderson.science/wordpress/wp-admin/post-new.php?post_type=page

    It looks as though something in the pasted text is matching an attack vector. ???
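
A way to triage entries like the one quoted above before writing an exclusion, as an added example that is not part of the original post: it pulls the rule id, matched variable and URI out of each ModSecurity error-log line and proposes a target-scoped `SecRuleUpdateTargetById` line instead of removing rule 932130 outright. The log lines are constructed from the quoted entry (shortened, with documentation addresses and an assumed `ARGS:content` hit on post.php), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ssl_error_log entry quoted in the post
# above: pattern and matched data shortened, documentation IP and hostname.
SAMPLE_LOG = r'''
[Fri Mar 18 15:40:42.754737 2022] [:error] [pid 1:tid 2] [client 192.0.2.10:60441] ModSecurity: Warning. Pattern match "[<>]\\(.*\\)" at ARGS:data[wp_autosave][content]. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data: >(corrected version ..."] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/wordpress/wp-admin/admin-ajax.php"] [unique_id "constructed-1"]
[Fri Mar 18 15:41:07.101010 2022] [:error] [pid 1:tid 2] [client 192.0.2.10:60442] ModSecurity: Warning. Pattern match "[<>]\\(.*\\)" at ARGS:data[wp_autosave][content]. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data: >(see also ..."] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/wordpress/wp-admin/admin-ajax.php"] [unique_id "constructed-2"]
[Fri Mar 18 15:42:30.000000 2022] [:error] [pid 1:tid 2] [client 192.0.2.10:60450] ModSecurity: Warning. Pattern match "[<>]\\(.*\\)" at ARGS:content. [file "..."] [line "366"] [id "932130"] [msg "..."] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/wordpress/wp-admin/post.php"] [unique_id "constructed-3"]
[Fri Mar 18 15:43:00.000000 2022] [ssl:warn] [pid 1:tid 2] AH01909: www.example.test:443:0 server certificate does NOT include an ID which matches the server name
'''

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [id "932130"], [uri "..."], ...
TARGET_RE = re.compile(r'ModSecurity: .*? at (\S+)\. \[file "')  # variable that matched

def parse_line(line):
    """Return rule id, matched variable and URI for a ModSecurity entry, else None."""
    target = TARGET_RE.search(line)
    if not target:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields or "uri" not in fields:
        return None
    return {"id": fields["id"], "target": target.group(1), "uri": fields["uri"],
            "msg": fields.get("msg", ""), "severity": fields.get("severity", "")}

def summarize(log_text):
    """Count hits per (rule id, variable, URI) so the exclusion can be scoped narrowly."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            hits[(entry["id"], entry["target"], entry["uri"])] += 1
    return hits

def target_exclusions(hits):
    """Emit one target-scoped directive per (rule, variable) instead of removing the rule."""
    pairs = sorted({(rule_id, target) for rule_id, target, _ in hits})
    return [f'SecRuleUpdateTargetById {rule_id} "!{target}"' for rule_id, target in pairs]

if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG)
    for (rule_id, target, uri), count in sorted(hits.items()):
        print(f"{count:3d}  rule {rule_id}  {target}  {uri}")
    print("\n".join(target_exclusions(hits)))
```

Directives of this kind need to be loaded after the CRS rule files they modify.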

    Thread Starter rmalderson3

    (@rmalderson3)

    There is no “hosting support”. This is a VPS on which I have installed PHP, MariaDB, and Apache (along with Postfix and Dovecot for e-mail), and layered WordPress on top of those installations.
    I installed ModSecurity following the steps in the relevant documentation.

    What am I looking for in which log?

    Thread Starter rmalderson3

    (@rmalderson3)

    > Hey, are you just copying text and passing it into the wordpress editor, or are you also including links, images that are hosted on someone’s website?
    >
    > if you’re using any CDN then disable it

    As I said in the original post, I am just trying to paste some plain ASCII (8-bit Unicode subset) text into a post and preview it.

    I had to look up “CDN” to be sure that I could honestly say that I am not using any such thing. This is my first attempt at using WordPress. (Well, I installed it a few months ago, got it completely wound around the axle, deleted it and started again.) Why would I have complicated matters with a CDN of any kind?

    Thread Starter rmalderson3

    (@rmalderson3)

    I installed the query monitor plugin, but apparently it does not have reasonable defaults for reporting things like access violations, and I am in the process of learning PHP and the like (which is why I wanted to play with WordPress at all) so I do not understand the cryptic instructions regarding turning on various bits of debugging.

    I also tried turning on WordPress debugging, per the Debugging in WordPress page, which *did* trigger an error report from the query monitor (“WP_DEBUG already turned on”), but nothing else that I can interpret.

    I just want to set up a little blog, folks. I’m not looking to become a WP developer; I’ve already had a 50 year career in IT and systems engineering. What is WP trying to tell me when it throws that 403 at me???

    Thread Starter rmalderson3

    (@rmalderson3)

    Thank you. It wasn’t clear whether there was anything else to be done, since the cPanel how-tos all boiled down to “click on button X”.

    Thread Starter rmalderson3

    (@rmalderson3)

    I’ve just added

    <Directory /var/www/html/wordpress>
    AllowOverride all
    </Directory>

    to httpd.conf and restarted httpd, without changing the result.

    At this point, I would prefer to stop trying to fix this broken installation and start over. As I noted previously, all of the how-tos I’ve found online assume that there is a cPanel button for doing this, and do not provide actual details on what needs to be deleted/modified to allow this. Pointers would be appreciated.

    Thanks.

    Thread Starter rmalderson3

    (@rmalderson3)

    Apparently I have gmagick installed rather than ImageMagick; this may have been due to an issue in CentOS 8 when I was setting things up. It’s not clear to me whether WP does not work with gmagick.

    Thread Starter rmalderson3

    (@rmalderson3)

    The server was DoS’d and unable to send/receive mail for a few days. Site Health complains about a 404 with regard to the REST API, and doesn’t seem to find ImageMagick although it is installed. I accept the inherent security risk of inactive themes and plugins, since this is still an experiment. See the site report below.

    One of the issues I have in attempting repairs is that very nearly every online resource assumes that WP is controlled via cPanel; it is not, so I cannot simply click on a button and magically fix a problem. I’ve even considered wiping the entire thing from the system (cf. “experiment”), but even the online help for that drastic measure assumes cPanel!

    Thanks for your patience.

    The following is the site report:

    
    ### wp-core ###
    
    version: 5.8.2
    site_language: en_US
    user_language: en_US
    timezone: America/Los_Angeles
    permalink: /index.php/%year%-%monthnum%-%day%/%postname%/
    https_status: true
    multisite: false
    user_registration: 1
    blog_public: 0
    default_comment_status: undefined
    environment_type: production
    user_count: 1
    dotorg_communication: true
    
    ### wp-paths-sizes ###
    
    wordpress_path: /var/www/html/wordpress
    wordpress_size: loading...
    uploads_path: /var/www/html/wordpress/wp-content/uploads
    uploads_size: loading...
    themes_path: /var/www/html/wordpress/wp-content/themes
    themes_size: loading...
    plugins_path: /var/www/html/wordpress/wp-content/plugins
    plugins_size: loading...
    database_size: loading...
    total_size: loading...
    
    ### wp-active-theme ###
    
    name: Twenty Twenty-One (twentytwentyone)
    version: 1.4
    author: the WordPress team
    author_website: https://www.ads-software.com/
    parent_theme: none
    theme_features: core-block-patterns, widgets-block-editor, automatic-feed-links, title-tag, post-formats, post-thumbnails, menus, html5, custom-logo, customize-selective-refresh-widgets, wp-block-styles, align-wide, editor-styles, editor-style, editor-font-sizes, custom-background, editor-color-palette, editor-gradient-presets, responsive-embeds, custom-line-height, experimental-link-color, custom-spacing, custom-units, widgets
    theme_path: /var/www/html/wordpress/wp-content/themes/twentytwentyone
    auto_update: Disabled
    
    ### wp-themes-inactive (6) ###
    
    Blank Canvas: version: 1.2.9, author: Automattic, Auto-updates disabled
    Blog Light: version: 0.0.9, author: themesmake, Auto-updates disabled
    RetroGeek: version: 0.5, author: tuxlog, Auto-updates disabled
    Seedlet: version: 1.1.13, author: Automattic, Auto-updates disabled
    Twenty Nineteen: version: 2.1, author: the WordPress team, Auto-updates disabled
    Twenty Twenty: version: 1.8, author: the WordPress team, Auto-updates disabled
    
    ### wp-plugins-active (3) ###
    
    Akismet Anti-Spam: version: 4.2.1, author: Automattic, Auto-updates enabled
    Classic Editor: version: 1.6.2, author: WordPress Contributors, Auto-updates enabled
    Limit Login Attempts Reloaded: version: 2.23.2, author: Limit Login Attempts Reloaded, Auto-updates enabled
    
    ### wp-plugins-inactive (1) ###
    
    WordPress Backup & Migration: version: 1.3.3, author: WebToffee, Auto-updates enabled
    
    ### wp-media ###
    
    image_editor: WP_Image_Editor_GD
    imagick_module_version: Not available
    imagemagick_version: Not available
    imagick_version: Not available
    file_uploads: File uploads is turned off
    post_max_size: 48M
    upload_max_filesize: 32M
    max_effective_size: 32 MB
    max_file_uploads: 20
    gd_version: 2.2.5
    gd_formats: GIF, JPEG, PNG, WebP, BMP, XPM
    ghostscript_version: not available
    
    ### wp-server ###
    
    server_architecture: Linux 4.18.0-305.12.1.el8_4.x86_64 x86_64
    httpd_software: Apache/2.4.37 (centos) OpenSSL/1.1.1k
    php_version: 7.4.26 64bit
    php_sapi: fpm-fcgi
    max_input_variables: 1000
    time_limit: 600
    memory_limit: 256M
    max_input_time: 1000
    upload_max_filesize: 32M
    php_post_max_size: 48M
    curl_version: 7.61.1 OpenSSL/1.1.1k
    suhosin: false
    imagick_availability: false
    pretty_permalinks: true
    
    ### wp-database ###
    
    extension: mysqli
    server_version: 10.3.28-MariaDB
    client_version: mysqlnd 7.4.26
    
    ### wp-constants ###
    
    WP_HOME: undefined
    WP_SITEURL: undefined
    WP_CONTENT_DIR: /var/www/html/wordpress/wp-content
    WP_PLUGIN_DIR: /var/www/html/wordpress/wp-content/plugins
    WP_MEMORY_LIMIT: 40M
    WP_MAX_MEMORY_LIMIT: 256M
    WP_DEBUG: false
    WP_DEBUG_DISPLAY: true
    WP_DEBUG_LOG: false
    SCRIPT_DEBUG: false
    WP_CACHE: false
    CONCATENATE_SCRIPTS: undefined
    COMPRESS_SCRIPTS: undefined
    COMPRESS_CSS: undefined
    WP_LOCAL_DEV: undefined
    DB_CHARSET: utf8mb4
    DB_COLLATE: undefined
    
    ### wp-filesystem ###
    
    wordpress: writable
    wp-content: writable
    uploads: writable
    plugins: writable
    themes: writable
    
    • This reply was modified 3 years, 3 months ago by Yui. Reason: formatting
    Thread Starter rmalderson3

    (@rmalderson3)

    I assume that you mean inserting “/index.php” ahead of the date formatting entries in the custom format string.

    No, that made no difference.

    Thread Starter rmalderson3

    (@rmalderson3)

    Yes. A grep of conf.modules.d/00-base.conf yields

    conf.modules.d/00-base.conf:LoadModule rewrite_module modules/mod_rewrite.so

    The .htaccess file contains

    
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    • This reply was modified 3 years, 3 months ago by Yui. Reason: formatting
    Thread Starter rmalderson3

    (@rmalderson3)

    Thanks for the suggestion, but the change (and I did change to a custom value for testing purposes) had no effect on the “File not found” error.
