The Community Forums


Anyone have a fail proof mod_security configuration?

Discussion in 'Security' started by Kikky, Apr 20, 2006.

  1. Kikky

    Kikky Active Member

    Joined:
    Aug 14, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Silly title really lol, but does anyone have a really intensive and secure modsec.conf that they'd be kind enough to share?

    I tried the one posted over at theplanet, and it just doesn't load when I copy/paste the configuration into the modsec.conf file. It causes Apache to fail to load. :(

    Thank you to anyone who can help.
     
  2. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    The one I use:

    I am posting the one I currently use; I do know it's fallen a little behind and will need some updating. It does work pretty well, but it is not "Fool-Proof".

    Here is the modsec.conf -

    Code:
    <IfModule mod_security.c>
    SecFilterEngine On
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 0
    SecFilterDefaultAction "deny,log,status:406"
    SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec.user.conf"
    </IfModule>
    And the modsec.user.conf is attached
     

  3. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    Hello,

    We've been thinking of adding mod_security to our Apache web server (1.3.34), and were wondering what the best/recommended/safest way to install mod_security is, either through the WHM addon module or directly from the shell.

    Any input much appreciated.

    Mickalo
     
  4. elitewebninja

    elitewebninja Active Member

    Joined:
    Jan 2, 2004
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Atlanta Ga!
    Why don't you use hostmerit's?

    He's posted this multiple times in the forums:
    http://www.hostmerit.com/modsec.user.conf

    It's awesome and he updates it frequently. I had to modify it because my server load skyrocketed when I set it up, but I'm running the essentials of it.

    It's the most comprehensive one I've seen.
     
  5. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    We added this mod_security earlier today and noticed a lot of these errors in the error_log file:
    Code:
    [Fri Apr 21 20:12:59 2006] [error] [client 70.97.174.16] mod_security: Filtering against POST payload requested but payload is not available [hostname "www.userdomain.com"] [uri "/cgi-bin/awaiting.cgi"]
    
    There are tons of these errors related to the POST payload. What exactly is this, and is it anything to worry about?

    TIA,
    Mickalo
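
The error line quoted above has a regular shape (Apache 1.3 error_log prefix, then the mod_security message, then bracketed `[key "value"]` fields), so it can be triaged mechanically instead of by eye. The following is an added example, not code from this thread or from the mod_security project: it parses that format and separates engine notices (a rule asked to inspect the POST body but mod_security did not have it, so the body went uninspected) from real denials, then counts which hostname/URI pairs produce each. The log lines embedded below are constructed for the example, with example.com hosts and documentation-range client addresses; the field names and message wording follow the line in the post.

```python
import re
from collections import Counter

# Line shape as quoted in the post above: Apache 1.3 prefix + mod_security
# message + zero or more [key "value"] fields at the end of the line.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] '
    r'mod_security: (?P<message>.*?)(?P<fields>(?: \[\w+ "[^"]*"\])*)$'
)
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Messages that mean the engine skipped work, not that a request was blocked.
# The one below is the message from the post; per the reply later in this
# thread, it points at SecFilterScanPOST not being On.
NOTICE_PREFIXES = (
    "Filtering against POST payload requested but payload is not available",
)

# Constructed sample lines (hosts and addresses are documentation values).
SAMPLE_LOG = [
    '[Fri Apr 21 20:12:59 2006] [error] [client 192.0.2.10] mod_security: Filtering against POST payload requested but payload is not available [hostname "www.example.com"] [uri "/cgi-bin/awaiting.cgi"]',
    '[Fri Apr 21 20:13:02 2006] [error] [client 192.0.2.11] mod_security: Filtering against POST payload requested but payload is not available [hostname "www.example.com"] [uri "/cgi-bin/awaiting.cgi"]',
    r'[Fri Apr 21 20:13:40 2006] [error] [client 192.0.2.12] mod_security: Access denied with code 406. Pattern match "\.\./" at THE_REQUEST [hostname "www.example.com"] [uri "/gallery/view.php"]',
    '[Fri Apr 21 20:14:00 2006] [notice] Apache/1.3.34 (Unix) configured -- resuming normal operations',
]


def parse_line(line):
    """Return a dict for one mod_security error_log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {k: m.group(k) for k in ("time", "level", "client", "message")}
    # Trailing [hostname "..."] [uri "..."] fields become ordinary keys.
    entry.update(FIELD_RE.findall(m.group("fields")))
    entry["kind"] = "notice" if entry["message"].startswith(NOTICE_PREFIXES) else "denial"
    return entry


def triage(lines):
    """Count notices and denials per (hostname, uri); non-mod_security lines are skipped."""
    summary = {"notice": Counter(), "denial": Counter(), "skipped": 0}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            summary["skipped"] += 1
            continue
        key = (entry.get("hostname", "?"), entry.get("uri", "?"))
        summary[entry["kind"]][key] += 1
    return summary


def report(summary):
    """Render the triage as text lines, with the action the thread gives for notices."""
    out = []
    for kind in ("denial", "notice"):
        for (host, uri), n in summary[kind].most_common():
            out.append(f"{kind:7} {n:5d}  {host}{uri}")
    if summary["notice"]:
        out.append("notices mean POST bodies were NOT inspected; check SecFilterScanPOST On")
    out.append(f"skipped {summary['skipped']} non-mod_security line(s)")
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a real error_log by replacing `SAMPLE_LOG` with the file's lines; a high notice count on a URI that receives form posts means that endpoint's bodies were passing through uninspected for as long as the notices appear.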
     
  6. Kikky

    Kikky Active Member

    Joined:
    Aug 14, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Thanks guys, will give it a go today.
     
  7. rmbnet

    rmbnet Well-Known Member

    Joined:
    Feb 22, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Same here.. any updates?
     
  8. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Make sure you have post payloads turned on:

    Code:
    # Should mod_security inspect POST payloads
    SecFilterScanPOST On
    
    So the file would look like this:

    Code:
    <IfModule mod_security.c>
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 0
    SecFilterDefaultAction "deny,log,status:406"
    SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec.user.conf"
    </IfModule>
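
Whether `SecFilterScanPOST On` actually made it into the file is easy to get wrong by hand (a paste into the wrong `<IfModule>`, or a later duplicate directive overriding it), so here is an added example, not code from this thread or from the mod_security project, that statically checks a modsec.conf of the shape posted above before Apache is restarted. It parses the directives line by line, applies Apache's last-occurrence-wins rule, and flags: the engine off, POST scanning not On, a default action without `deny`/`log`, and one caveat the posted file carries: the `SecFilterSelective REMOTE_ADDR` keyword is a regular expression, so the unescaped dots in `"^127.0.0.1$"` match any character rather than only a literal dot. The config embedded below is the one from the post; the script does not load Apache or resolve the `Include` path.

```python
import re

# The modsec.conf from the post above, embedded so the check runs offline.
SAMPLE_CONF = """\
<IfModule mod_security.c>
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec.user.conf"
</IfModule>
"""

# Same file with the POST-scanning directive left out (constructed variant).
WEAK_CONF = SAMPLE_CONF.replace("SecFilterScanPOST On\n", "")

# Regex for the REMOTE_ADDR keyword argument of a SecFilterSelective line.
REMOTE_ADDR_RE = re.compile(r'REMOTE_ADDR\s+"([^"]*)"')


def parse_directives(text):
    """Return [(directive, argument-string)], skipping blanks, comments and <...> container tags."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return out


def check_conf(text):
    """Return a list of findings for a mod_security 1.x config; empty list means nothing flagged."""
    directives = parse_directives(text)
    last = dict(directives)  # later occurrence overrides an earlier one, as in Apache
    findings = []
    if last.get("SecFilterEngine", "Off") != "On":
        findings.append("SecFilterEngine is not On: no filtering takes place")
    if last.get("SecFilterScanPOST", "Off") != "On":
        findings.append('SecFilterScanPOST missing or not On: POST bodies are not inspected '
                        '(the "payload is not available" error_log message)')
    action = last.get("SecFilterDefaultAction", "")
    if "deny" not in action or "log" not in action:
        findings.append(f"SecFilterDefaultAction {action!r} does not both deny and log")
    for name, value in directives:
        if name != "SecFilterSelective" or not value.startswith("REMOTE_ADDR"):
            continue
        m = REMOTE_ADDR_RE.match(value)
        # A dot not preceded by a backslash is a regex wildcard, not a literal dot.
        if m and re.search(r"(?<!\\)\.", m.group(1)):
            findings.append(f"REMOTE_ADDR keyword {m.group(1)!r} has unescaped dots; "
                            "write ^127\\.0\\.0\\.1$ to match only that address")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_CONF), ("without ScanPOST", WEAK_CONF)):
        print(f"== {label} ==")
        for f in check_conf(conf) or ["no findings"]:
            print(" -", f)
```

To check a live file, read `/usr/local/apache/conf/modsec.conf` (the location the posted `Include` line implies for this setup) into `check_conf` instead of `SAMPLE_CONF`; the only finding on the posted config is the unescaped-dot one, and removing `SecFilterScanPOST` adds the POST-body finding.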
    
     
  9. rmbnet

    rmbnet Well-Known Member

    Joined:
    Feb 22, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Got it, is it normal for my server load to double as a result of applying that?

    Tnx
     
  10. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Unfortunately, yes it is...

     
  11. rmbnet

    rmbnet Well-Known Member

    Joined:
    Feb 22, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Ahh.. that's better than having udp.pl, PHP drops and all that other neat stuff running from /tmp anymore...
     
  12. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38

    Look at my signature ;)

    http://www.gotroot.com/tiki-index.php?page=mod_security+rules
     
  13. cooldude7273

    cooldude7273 Well-Known Member

    Joined:
    Jan 11, 2004
    Messages:
    363
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Roswell, GA
    My word of advice is to use the rules from gotroot. For their "Just in Time" rules, just pick the ones out of there for the scripts you have on your server; for example, if you only have phpBB on your server, then there is no need for IPB rules. I'd also take all the rules found in their rootkit file; I've blocked quite a few things with those.
     
  14. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Why don't you use the gotroot mailing list? It will help you to remove false-positive rules.
     
  15. Salman75

    Salman75 Well-Known Member

    Joined:
    Jan 20, 2004
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
  16. wilfried

    wilfried Active Member

    Joined:
    Aug 23, 2003
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    Is it ok to paste the rules from gotroot into the interface inside WHM?

    Can I paste rules from all the different files into that one window?

    Thanks
     
  17. cooldude7273

    cooldude7273 Well-Known Member

    Joined:
    Jan 11, 2004
    Messages:
    363
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Roswell, GA
    Yes and yes.
     
  18. wilfried

    wilfried Active Member

    Joined:
    Aug 23, 2003
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    That did not work, because I am guessing it's too long....

    So where are the conf files on a cPanel box?

    The instructions on gotroot.com are only for Apache 2 :(

    Thanks for any help!
     