Mod Security?!

[reporter]

Hello,
I Install ModSec From Cpanel Plugins But Its Version Is Very Old(1.9.1-2.6)

How I Can Remove It Complate & Install New Version? 2.5.10

[stoo2000]

Update to Apache 2.2x

[reporter]

apache version is the latest!
2.2.14

[stoo2000]

There's some information here EasyApache mod_security Module

As far as I'm aware 1.x version only work with Apache 1.3.x, and 2.x is used for apache 2.2.x

[stoo2000]

Another note from EasyApache when you enable it.

Mod Security [More Info ↑]
v1.9.5 for Apache 1.3, v2.5.9 for Apache 2.x This option will make the following changes to your profile prior to the build:

[reporter]

i did enable mod security in apache (easyapache)

[reporter]

its ok but rules i think have problem!
i try if i can't ok it come back...
TnX

[cPanelDon]

Quote:

Originally Posted by reporter

Hello,
I Install ModSec From Cpanel Plugins But Its Version Is Very Old(1.9.1-2.6)

How I Can Remove It Complate & Install New Version? 2.5.10

The mod_security plug-in via WHM is deprecated and should not be used for new installations; it may only be kept for legacy users that have not yet migrated to mod_security installed by EasyApache.

This information is indicated on the cPanel Plugins page in WHM:

Code:

Version: 1.9.1-2.6
Description: mod_security Support !!BETA!! (This is deprecated. Use easyapache3 to install mod_security as it is now supported without having to use the addon interface in easyapache3)

If the mod_security plug-in is installed as seen above, please uninstall it, then run EasyApache to compile a fresh mod_security install using the latest supported Apache version.

Here is the menu path to check while making sure the mod_security plug-in is uninstalled/removed as a first step:
WHM: Main >> cPanel >> Manage Plugins

On the above page, simply click "Uninstall modsecurity" to proceed.

Once the uninstall is completed, proceed to run EasyApache3 (EA3), as described below:

Here is the command to run EasyApache via root SSH access:

Code:

# /scripts/easyapache

Here is the menu path to run EasyApache via your root WHM control panel:
WHM: Main >> Software >> EasyApache (Apache Update)

For additional reference I recommend thoroughly reviewing our EasyApache documentation as noted below:
Apache & cPanel/WHM

[egsi]

Does cPanel provide / auto update the default rules that come with mod_security when installed via EasyApache?

I'm using the default rules however would like to use the GotRoot rules and was wondering if it is worth it. Or are the cPanel provided default rules sufficient (and updated)?

Unfortunately the GotRoot wiki on how to install the GotRoot rules are bit lacking!

[Infopro]

When you compile Apache and select to install modsecurity the suggested ruleset from cPanel is installed. If you look close they are tweaked a bit for cPanel, IIRC. They are not auto updated.

You can add any additional rules you like and use an include in the modsec2.conf
In that file right now you should see this line which calls those rules cPanel adds:
Include "/usr/local/apache/conf/modsec2.user.conf"

If you added a line similar to this just below:
Include "/usr/local/apache/conf/myrules/*crs*.conf"
And place your rules in that myrules directory with that naming convention (save and restart Apache) they will be used.
An example added ruleset name: modsecurity_crs_42_comment_spam.conf

This a very generalized comment to explain a bit. You should investigate further before adding your own rules.
ModSecurity: Open Source Web Application Firewall - Documentation Some docs there for you as well.

[cPanelDon]

Quote:

Originally Posted by Infopro

When you compile Apache and select to install modsecurity the suggested ruleset from cPanel is installed. If you look close they are tweaked a bit for cPanel, IIRC. They are not auto updated.

You can add any additional rules you like and use an include in the modsec2.conf
In that file right now you should see this line which calls those rules cPanel adds:
Include "/usr/local/apache/conf/modsec2.user.conf"

If you added a line similar to this just below:
Include "/usr/local/apache/conf/myrules/*crs*.conf"
And place your rules in that myrules directory with that naming convention (save and restart Apache) they will be used.
An example added ruleset name: modsecurity_crs_42_comment_spam.conf

This a very generalized comment to explain a bit. You should investigate further before adding your own rules.
ModSecurity: Open Source Web Application Firewall - Documentation Some docs there for you as well.

To expand upon this example; I recommend using the mod_security user configuration file (e.g., "modsec2.user.conf") to setup additional Include entries; using this file will help ensure the changes are not easily overwritten if recompiling Apache for an upgrade. For Apache version 2.x, the path is exactly as Infopro detailed:

Code:

/usr/local/apache/conf/modsec2.user.conf

In WHM, the following menu path can be used to access the configuration editor for the above file:
WHM: Main >> Plugins >> Mod Security >> Edit Config

On the Edit Config page, in addition to a large text area for editing the configuration file contents there are two options available for setting this file to the default rules we offer or resetting it to no configuration (empty):
Reset configuration textarea to:
(1) Default Configuration
(2) No Configuration
If one of the above two reset features are used, ensure to save the new contents once completed; there is a "Save Configuration" button at the bottom of the page.

As mentioned in Infopro's message, to setup additional configuration files you'd need to setup a subdirectory within the Apache "conf" directory, then setup an Include entry in the mod_security user configuration file (e.g., "modsec2.user.conf") to load the new custom files, such as what may be obtained from sites that compile sets of rules for public distribution. While the mod_security user configuration file can be edited via WHM, if additional files in a sub-directory are needed to be included they would need to be setup manually via root SSH access.

For additional clarification, I recommend thoroughly reviewing the following documentation (that was posted earlier in the thread too):
EasyApache mod_security Module

[egsi]

Thanks for the replies guys. Looks pretty straight forward and will try it out!

[basic]

Hello All:

We use "Mod Security" for several years now, but have not updated our rules for some time ... that is quite some science!!

I would VERY MUCH appreciate if someone could post here his/her ruleset for a server with a **shared** hosting setup (typical ruleset that would work for a typical hosting company server -- not too strict, in other words). Anything that has proven to work out. That would be great. Thanks.

John

[egsi]

Quote:

Originally Posted by basic

Hello All:

We use "Mod Security" for several years now, but have not updated our rules for some time ... that is quite some science!!

I would VERY MUCH appreciate if someone could post here his/her ruleset for a server with a **shared** hosting setup (typical ruleset that would work for a typical hosting company server -- not too strict, in other words). Anything that has proven to work out. That would be great. Thanks.

John

It really does depend on what applications your clients are running. I would suggest running it in debug / error logging mode and then take it from there. Of course during this time you will have no Web Application Firewall.

Other option is to just include the rules one at a time (say trial it over a week) instead of using all the new rules at once. To do so just follow the steps above.

[basic]

yes, yes, yes ... however, but ... as I mentioned, a ruleset for a typical hosting server for shared hosting, where you have 300+ domains on it. There is no way to "customize" that the way you suggest. What we are looking for is a something other hosts are using, have been using for some time on their shared servers.

Thanks.