Advice on enabling the cPanel/OWASP-CRS Mod Security Rule Set

[sneader]

We have Mod Security enabled, and using mod sec rules developed and provided by our data center. It has worked out very well, but there are some things we like about the OWASP Core Rule Set (CRS) that cPanel is making available to us. I'm investigating enabling these rules, either in conjunction with, or to replace, the existing rules we are running, and have a few questions.

The cPanel Knowledge Base for OWASP® ModSecurity CRS says you can install the rules either via WHM ModSecurity Vendors, via Easy Apache, or via yum command. The WHM ModSecurity Vendors page seems really clean and an easy way to manage things, but, VERY ODDLY, cPanel says this rule set is no longer updated?? I quote:

Use the ModSecurity® Vendors interface (WHM >> Home >> Security Center >> ModSecurity® Vendors) to install the OWASP rule set. This rule set is no longer updated.

Anyone have any idea what is going on here? Can anyone confirm that we do NOT want to use WHM's ModSecurity Vendors to install the rules? (or be subject to old rules that never get updated??) And, if this is really true, are we OK with installing the rule set via EasyApache (and will that get auto updated as part of the nightly updates?)

Another question: The instructions say you can install the rules via Easy Apache, by going under "Additional Packages" but all that is listed there is tomcat, nodejs and nginx -- there are no mod sec rules to install here. ??

Any other advice with using the cPanel / OWASP CRS rule set?

Thanks!!

- Scott

 

[cPRex]

Hey there! I believe the "This rule set is no longer updated" entry is an error in the documentation, so I'll get that updated soon. That is the default rule set we encourage people to use, and it definitely gets updates.

You can't install the rules themselves using EasyApache, only the mod_security2 Apache module.

 

[sneader]

Thanks @cPRex! To be clear, the docs say you can install them using EasyApache, so that is another correction that needs to be made, I think?

So, the right thing to do is to install the rules using WHM > ModSecurity™ Vendors, then in the same panel, click "ON" under Enabled, correct? We already have installed the mod_security2 Apache module via WHM EasyApache 4 interface, and have "Process the rules" enabled under ModSecurity™ Configuration (since we have a working ModSec config already -- we are just adding new rules).

If I'm missing anything, let me know!

- Scott

 

[cPRex]

That all sounds correct to me :D

 

[sneader]

@cPRex, there is another page of documentation that ALSO says that installing the rules via WHM means you will never get any updates (they are OLD rules). It says you must install rules via RPM to get updates. Here is that page:

https://docs.cpanel.net/whm/security-center/modsecurity-vendors/

• To use the older version of the rule set, click Install next to OWASP® ModSecurity Core Rule Set V3.0 in the table. This rule set is not currently updated.
• To install the newer version, you must install the ea-modsec2-rules-owasp-crs RPM in the Additional Packages section of WHM’s EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4). This will install the RPM version of the rules, and will replace the previous rule set. This version receives updates frequently.

Can you confirm that this is bogus, and that the rules installed via WHM really are going to get updated?

- Scott

 

[sneader]

@cPRex, I have another question... when OWASP is enabled via WHM > ModSecurity™ Vendors, the rules that get loaded all say "OWASP ModSecurity Core Rule Set ver.3.0.2" at the top. However, if we go to the OWASP CRS website, it says "Current version: 3.3.0 — July 1, 2020". Can you tell me why we are getting these old rules?

The OWASP CRS website also says they have "Application-specific exclusions for WordPress Core and Drupal" but I see nothing like that in our current rules. And, boy, we sure need it. These rules are blocking legitimate WordPress stuff left and right.

We've disabled the OWASP CRS rules until we can get clarification from cPanel about the proper way to enable these rules AND get current rules and updates.

- Scott

 

[cPRex]

The team is investigating these options per the documentation request I opened earlier. I don't have any updates just yet, but I'll be sure to post them when I do!