Best Mod Security Rules

Up until recently we have been quite happy with the Atomicorp ruleset. However, there are some issues with these rules and the 2.8 version of Modsecurity that installs with Easyapache (only partially resolved with the patched version of Modsecurity that cPanel included with EasyApache 3.24.21).

Atomicorp explicitly does not support Modsecurity version 2.8, recommending that cPanel users uninstall the EasyApache ModSecurity and use either ASL or their stand-alone AUM installer instead. Something we are not keen to do since it would probably mean no support from cPanel.

Given that neither cPanel nor Atomicorp show any great interest in ensuring that these rules work with cPanel, we are also looking for alternatives. Would be interesting to hear what others are doing.

 

I don't want to derail the thread, but what issues are you still having with ModSecurity 2.8 after we patched it?

 

Shavaun, check this thread:

http://forums.cpanel.net/f442/revert-mod_security-2-7-7-a-411361.html

 

The Atomicorp ruleset + the patched version of Modsec 2.8 will cause httpd to crash. This does not occur immediately, and it does not happen on a lightly loaded test server, only in production (presumably because the offending rule(s) does not get triggered with the light load on the test server).

On the production server we can run Atomicorps ruleset 201406131129 with no issues. We have not tried all rulesets released since then, but those we did try all caused the crash.

We have not been able to find anything of interest in the error logs. We did try disabling some of the rules we thought might be causing the problem, but without success. Unfortunately we cannot test more exhaustively to isolate the problem since it is customer impacting.

 

The issue that was reported to us (or at least, how we interpreted it) was related to how IP addresses were handled. That issue should be fixed now. The thread linked was about the issues prior to the patch.

This sounds like a totally different issue, but obviously if there are issues then we want to address them. Do you know what the load and conditions were of your server when Apache crashed? We can artificially induce conditions to a test server, but we will need some more detail in order to reproduce the situation.

 

The server is nowhere near a high load when httpd crashes, it just has real traffic including various spam and exploit attempts (we host mainly WordPress websites). Unfortunately I don't see a way to provide much more detail without updating the rules again and waiting for the crash to repeat itself. We are not keen to do that.

Presumably Atomicorp have plenty of test cases that could be used to determine where the problem is, but since they are explicitly not supporting ModSecurity 2.8 (quoting "multiple bugs" in that version) that does not really help any.

The issue could be with the Atomicorp ruleset rather than Modsecurity, of course. But since we cannot roll back to Modsec 2.7.7 - the version that Atomicorp does support - we don't have any way of finding out.

 

I just downloaded the comodo rule set; it looks like they just took some rules from the CRS. All the rule IDs look like they are in the 200,000-299,999 range which is reserved for modsecurity.org:

200,000–299,999 Reserved for rules published at modsecurity.org. ( https://documentation.cpanel.net/display/EA/Apache+Module:+ModSecurity )

Even the headers in the files say:

Code:

# Comodo ModSecurity Rules
# Copyright (coffee) 2014 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

 

The thread about free Comodo rules including the comment "Modsecurity 2.8.0 works with Comodo rules." is here:

Free mod_security rules! - Free Modsecurity rules - Comodo Web Application Firewall

 

Hello.

If this helps anyone at all we have done a how-to guide on installing Comodo ModSecurity Rules within cPanel:

Free ModSecurity Rules from Comodo for cPanel