Mod_Security to go from 2.1 to 2.5

[daveformerlyof]

We will be upgrading to Mod_Securtiy 2.5 in the near future. This is a thread for questions, comments, feedback, concerns, etc.

Upgrading from ModSecurity 2.1 to 2.5

Using 2.1 Rules on 2.5

So far it appears that 2.1 format rules work on 2.5. However, the ModSecurity team has made no official announcement of compatibility. You will need to verify that any custom rulesets work with 2.5 to ensure no interruption of service due to the upgrade. The rules included by cpanel for 2.1 will work on 2.5.

ModSecurity 2.5 Rule Scripting - Lua

ModSecurity version 2.5 adds support for rule scripting via lua. Lua is known to have difficulties building. Lua build failures will not cause an Apache build to halt but will provide errors in the build log upon build failure and lua support will not be enabled. If you wish to use lua in your custom ruleset, you should read carefully on the proper usage of lua and ensure that the lua build was a success.

More information on ModSecurity 2.5 can be found here: http://www.modsecurity.org/blog/arch...l_release.html

[cpdan]

A further note on lua scripts in rules:

- mod security marks it as "Experimental" use at your own risk
- lua syntax or permission errors will result in Apache not being able to start
- Apache must be able to read the lua file.
- lua script changes require an apache restart to take effect

For more info:

http://www.modsecurity.org/documenta...ce.html#N109A9

[cpdan]

Also, the way /usr/local/apache needs to be handled (IE wiped clean) for a build dictates that you should put the lua scripts your rules will use in /usr/local/apache/conf/ somewhere, say /usr/local/apache/conf/modsec_lua/

that will keep the lua scripts available at any point an apache config test or restart happens, plus it organizes them in the same area as the mod sec configuration that reference them. This also facilitates Apache being able to read them on startup.

Failure to do this could result in a spuriously failed build and/or a broken mod sec configuration.

[10101]

Hi,

When you add Mod_security when compiling apache, does it add v2.5?

[cpdan]

Hi,

When you add Mod_security when compiling apache, does it add v2.5?

If you're doing apache 2.x yes.

[sebby]

Since when? I have not seen that in any cpanel changelogs...

[cpdan]

Since when?

2008-06-16 10:57:53

I have not seen that in any cpanel changelogs...

1) http://changelog.cpanel.net/?treeview=easyapache

Easyapache 4271

2) The little note next to the option in the ea3 UI says "v1.9.5 for Apache 1.3, v2.5.5 for Apache 2.x"

3) The "info" next to that verbiage discusses it also:
http://www.cpanel.net/support/docs/e...ity_module.htm

HTH

[sebby]

Wow! Can't believe I missed that one! Will upgrade promptly.

I know this has been discussed on multiple occasions on this forum but I have seen no final/complete solution. Can we rely on the default rule set provided by cPanel or should we immediately install the latest rule set from http://gotroot.com/ ? I have read the later would break cPanel upon installation and one would have to trim down the rules until everything gets back to normal... Looks like a lot of work to me.... Any suggestion for a brick wall rule set that would integrate seamlessly with cpanel?


Thanks!

[Infopro]

Once you've upgraded and set the cPanel default ruleset to be used, open it from within WHM and copy/save to file. Then grab someone elses default ruleset and use a compare tool (like compareIT for windows) to see the differences. They are not much different only cPanel has stripped out several things to make it more compatable with cPanel servers.

The cPanel default ruleset is a good place to start for sure.

[wemail]

We had user complaints in May and June that Mod_Security (used since our new server was configured in March) was giving an Apache Error 406 - Not Acceptable - apparently because it considered that legitimate users were either "injecting commands" or engaging in "hacking" activities.

This was found with browsers Lynx (any) [rule id "990011"], Opera (v8.65 mobile) [rule id "950006"] and Fresco (v2.13) [rule id "990011"]. I have more log details if anybody wants them.

The Lynx problem was discussed in the WHM Forum some months ago, but there was no apparent conclusion.

There was pressure from some users to water down the relevant rules to circumvent this, but I am now wondering whether this new Mod_Security version (2.5) may have addressed these problems, making further action pointless at the present time.

TIA

[bls24]

My version of mod security was installed outside of whm, will this still be upgraded on my system, or will I need to do a manual upgrade via ssh?

[wolfy]

2008-06-16 10:57:53


1) http://changelog.cpanel.net/?treeview=easyapache

Easyapache 4271

2) The little note next to the option in the ea3 UI says "v1.9.5 for Apache 1.3, v2.5.5 for Apache 2.x"

3) The "info" next to that verbiage discusses it also:
http://www.cpanel.net/support/docs/e...ity_module.htm

HTH

so am i to assume that this easyapache update is NOT dependant on the cpanel build? (stable,release,edge) I had asked cpanel support about this before and they told us it was not available in the stable build.

[cpdan]

so am i to assume that this easyapache update is NOT dependant on the cpanel build? (stable,release,edge)

Correct

I had asked cpanel support about this before and they told us it was not available in the stable build.

Probably they meant at the time it was still in testing