
A Guide to ModSecurity in 2018, for administrators

Discussion in 'Security' started by quizknows, Oct 12, 2018.

  1. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,011
    Likes Received:
    89
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    I have worked in web hosting for nearly 10 years. If you know me, please, now is not the time :)

    I have found some good community works which help with monitoring ModSec attacks in a live and manageable fashion.

    I much prefer to use RPM to manage rules (as opposed to YAML) because versioning is much easier with EA4.

    I have managed EA4 as such:

    Request MLOGC be added and included in this new branch, for an easy and capable log shipper with https support, with piped logging (THIS IS VERY FAST).

    Use a well maintained community rule set, or a vendor which maintains their own.

    Within your RPM file clearly make CONFIG/NOREPLACE files. In this way, users are free to both use your rules and any custom rules at the same time, so long as boundaries are respected.

    Through my work in the community I claimed many ranges, most relating to WP vuln. While I do not care that the community may have this work, most of it was done under the pay of a web hosting company we know and love. Anything I posted here is public domain (obviously).

    My request to the community is: please take this over in two ways.

    First, use mlogc with ELK, and create a friendly shipping package pre-configured for this project:

    github.com/bitsofinfo/logstash-modsecurity

    A community contribution has fixed issues with 2.9.2 so as far as I know this should be fully compatible with cPanel so long as your ELK stack and mlogc configuration files are set up correctly.

    I personally use a "cPanel friendly" shipper. This allows access to modsec hits in .002 seconds in a dynamic interface. It also still supports YAML vendors, in addition to its own rules in RPM, so long as they don't overlap your rules range numerically.

    Second chapter:

    In my opinion, ModSecurity is very behind on content decoding. You must know transformations and WAF evasion very well for it to be worth your time managing this.

    I never want any credit for my community work; I feel despite this being a personal account, that due to my salary, this belongs to my employer, and I must ask respect on this. Again everything you find on forums I posted on my own accord, via the modsec reference manual, at home. Just making that clear :)

    Getting past ModSec, I much prefer to use a vendor which has nginx modules available, for dynamic deployment and threat verification. This alone would fix an immense number of problems in our industry.

    Sincerely,
    QUIZKNOWS
    #1 quizknows, Oct 12, 2018
    Last edited: Oct 12, 2018
    cPanelMichael and garconcn like this.
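    The packaging advice in the post above (CONFIG/NOREPLACE files so that vendor rules and an administrator's own rules coexist) can be illustrated with a minimal RPM spec. This is an added example, not code from the original post or from cPanel; the package name, the vendor directory under /etc/apache2/conf.d/modsec_vendor_configs, the ea-apache24-mod_security2 dependency and the reserved rule-ID range are all assumptions for illustration.

```spec
# Added example (not from the original post): a minimal RPM spec for a
# ModSecurity rule set packaged for EasyApache 4 the way the post recommends.
# Paths, package name, dependency and the rule-ID range are assumptions.
%global vendor   example
%global rulesdir %{_sysconfdir}/apache2/conf.d/modsec_vendor_configs/%{vendor}

Name:           %{vendor}-modsec-rules
Version:        2018.10
Release:        1%{?dist}
Summary:        Example ModSecurity rule set for EasyApache 4
License:        Public Domain
BuildArch:      noarch
# Assumed package name for the EA4 mod_security2 module.
Requires:       ea-apache24-mod_security2
# Source0: vendor rules, all SecRule ids inside one reserved range
#          (assumed here: 9000000-9009999) so they cannot collide with
#          an administrator's rules. Source1: an initially empty file
#          for the administrator's own rules, ids outside that range.
Source0:        %{vendor}_rules.conf
Source1:        %{vendor}_custom.conf

%description
Vendor rules are shipped in one file that upgrades replace. A separate
file is reserved for the administrator's own rules and is never
overwritten by an upgrade, so both rule sets load side by side as long
as the numeric id boundaries are respected (duplicate ids make Apache
refuse to start).

%install
install -d -m 0755 %{buildroot}%{rulesdir}
install -m 0644 %{SOURCE0} %{buildroot}%{rulesdir}/%{vendor}_rules.conf
install -m 0644 %{SOURCE1} %{buildroot}%{rulesdir}/%{vendor}_custom.conf

%files
%dir %{rulesdir}
# Vendor rules: plain %config, so on upgrade the packaged file wins and a
# locally edited copy is preserved as .rpmsave (rule ids stay consistent).
%config %{rulesdir}/%{vendor}_rules.conf
# Administrator's rules: %config(noreplace), so an upgrade leaves the file
# untouched and drops the new packaged version beside it as .rpmnew.
%config(noreplace) %{rulesdir}/%{vendor}_custom.conf
```

    Both files still have to be enabled for the vendor in WHM's ModSecurity Vendors interface (or its equivalent include) before Apache loads them; the spec only controls how upgrades treat each file.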
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,167
    Likes Received:
    1,933
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hi @quizknows,

    Thanks for sharing this information!