A Guide to ModSecurity in 2018, for administrators

quizknows
Oct 20, 2009
I have worked in web hosting for nearly 10 years. If you know me, please, now is not the time :)

I have found some good community works which help for monitoring ModSec attacks in a live and manageable fashion.

I much prefer to use RPM to manage rules (opposed to YAML) because versioning is much easier with EA4.

I have managed EA4 as such:

Request MLOGC be added and included in this new branch, for an easy and capable log shipper with https support, with piped logging (THIS IS VERY FAST).

Use a well maintained community rule set, or a vendor which maintains their own.

Within your RPM file clearly make CONFIG/NOREPLACE files. In this way, users are free to both use your rules and any custom rules at the same time, so long as boundaries are respected.

Through my work in the community I claimed many ranges, most relating to WP vuln. While I do not care that the community may have this work, most of it was done under the pay of a web hosting company we know and love. Anything I posted here is public domain (obviously).

My request to the community is: please take this over in 2 ways.

First, use mlogc with ELK, and create a friendly shipping package pre-configured for this project:

github.com/bitsofinfo/logstash-modsecurity

A community contribution has fixed issues with 2.9.2 so as far as I know this should be fully compatible with cPanel so long as your ELK stack and mlogc configuration files are set up correctly.

I personally use a "cPanel friendly" shipper. This allows access to modsec hits in .002 seconds in a dynamic interface. It also still supports YAML vendors, in addition to its own rules in RPM, so long as they don't overlap your rules range numerically.

Second chapter:

In my opinion, ModSecurity is very hind on content decoding. You must know transformations and WAF evasion very well for it to be worth your time managing this.

I never want any credit for my community work; I feel despite this being a personal account, that due to my salary, this belongs to my employer, and I must ask respect on this. Again everything you find on forums I posted on my own accord, via the modsec reference manual, at home. Just making that clear :)

Getting past ModSec, I much prefer to use a vendor which has nginx modules available, for dynamic deployment and threat verification. This alone would fix an immense number of problems in our industry.

Sincerely,
QUIZKNOWS
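An added example, not from the original post: a small Python checker for the "boundaries respected" condition above, where a vendor rule package and an operator's custom rules must keep to disjoint rule id ranges or ModSecurity refuses to load the configuration. It parses the ids out of two configuration fragments and reports ids outside their owner's range or defined in both sets; the id ranges and the sample rules are assumptions constructed for the example.

```python
import re

# Assumed id ranges for this example: vendor rules live in 900000-999999,
# operator-written custom rules in 100000-199999.
VENDOR_RANGE = (900000, 999999)
CUSTOM_RANGE = (100000, 199999)

ID_RE = re.compile(r'\bid\s*:\s*[\'"]?(\d+)', re.IGNORECASE)
DIRECTIVE_RE = re.compile(r'^\s*(SecRule|SecAction)\b', re.IGNORECASE)

def rule_ids(config_text):
    """Return (id, line_no) for every SecRule/SecAction, joining
    backslash-continued lines the way the ModSecurity parser does."""
    ids, buf, start = [], "", 0
    for n, line in enumerate(config_text.splitlines(), 1):
        if not buf:
            start = n  # first physical line of this directive
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        buf += line
        if DIRECTIVE_RE.match(buf):
            m = ID_RE.search(buf)
            if m:
                ids.append((int(m.group(1)), start))
        buf = ""
    return ids

def check_ranges(vendor_text, custom_text):
    """Report ids outside their owner's range and ids present in both sets."""
    vendor, custom, problems = rule_ids(vendor_text), rule_ids(custom_text), []
    for rid, ln in vendor:
        if not VENDOR_RANGE[0] <= rid <= VENDOR_RANGE[1]:
            problems.append(f"vendor id {rid} (line {ln}) outside vendor range")
    for rid, ln in custom:
        if not CUSTOM_RANGE[0] <= rid <= CUSTOM_RANGE[1]:
            problems.append(f"custom id {rid} (line {ln}) outside custom range")
    for rid in sorted({r for r, _ in vendor} & {r for r, _ in custom}):
        problems.append(f"id {rid} defined in both vendor and custom rules")
    return problems

# Constructed sample fragments, not real vendor or cPanel rules.
VENDOR_SAMPLE = """\
SecRule REQUEST_URI "@contains /wp-login.php" \\
    "id:900101,phase:1,deny,status:403,msg:'wp-login probe'"
SecAction "id:900102,phase:1,pass,nolog"
"""
CUSTOM_SAMPLE = """\
SecRule REQUEST_HEADERS:User-Agent "@pm badbot" "id:100001,phase:1,deny"
SecRule ARGS "@rx foo" "id:900101,phase:2,pass"
SecRule ARGS "@rx bar" "id:250000,phase:2,pass"
"""
```

Run `check_ranges(VENDOR_SAMPLE, CUSTOM_SAMPLE)` against real rule files before packaging the RPM; an empty list means the ranges are clean.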