Best Mod Security Rules

Discussion in 'Security' started by markb14391, Jun 26, 2014.

  1. markb14391

    markb14391 Well-Known Member

    Hi,

    For some time we have been struggling with Atomic Secured Linux, which is a very comprehensive security package but seems to have multiple issues with cPanel and CloudLinux. As we face yet another issue, we are looking for alternatives.

    What is the best Mod Security scenario? I know that the cPanel default rules are not enough. We have considered the paid Atomicorp rules, but after our experience with the whole Atomic Secured Linux product, we are also looking at alternatives.

    Comodo offers a free ruleset that looks good from the description; however, I have heard that their installer and updater plugin are very buggy and can cause issues with websites (unless that has been rectified).

    So...what is the best option for Mod Security rules on a cPanel server? I know every situation is different...I'm talking about general web hosting or WordPress hosting.

    Thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. Tom Risager

    Tom Risager Well-Known Member

    Up until recently we have been quite happy with the Atomicorp ruleset. However, there are some issues with these rules and the 2.8 version of ModSecurity that installs with EasyApache (only partially resolved with the patched version of ModSecurity that cPanel included with EasyApache 3.24.21).

    Atomicorp explicitly does not support ModSecurity version 2.8, recommending that cPanel users uninstall the EasyApache ModSecurity and use either ASL or their stand-alone AUM installer instead. Something we are not keen to do since it would probably mean no support from cPanel.

    Given that neither cPanel nor Atomicorp show any great interest in ensuring that these rules work with cPanel, we are also looking for alternatives. Would be interesting to hear what others are doing.
     
    #3 Tom Risager, Jun 26, 2014
    Last edited: Jun 26, 2014
  4. Shavaun

    Shavaun Well-Known Member

    I don't want to derail the thread, but what issues are you still having with ModSecurity 2.8 after we patched it?
     
  5. quizknows

    quizknows Well-Known Member

  6. Tom Risager

    Tom Risager Well-Known Member

    The Atomicorp ruleset + the patched version of Modsec 2.8 will cause httpd to crash. This does not occur immediately, and it does not happen on a lightly loaded test server, only in production (presumably because the offending rule(s) does not get triggered with the light load on the test server).

    On the production server we can run Atomicorp's ruleset 201406131129 with no issues. We have not tried all rulesets released since then, but those we did try all caused the crash.

    We have not been able to find anything of interest in the error logs. We did try disabling some of the rules we thought might be causing the problem, but without success. Unfortunately we cannot test more exhaustively to isolate the problem since it is customer impacting.
     
  7. Shavaun

    Shavaun Well-Known Member

    The issue that was reported to us (or at least, how we interpreted it) was related to how IP addresses were handled. That issue should be fixed now. The thread linked was about the issues prior to the patch.

    This sounds like a totally different issue, but obviously if there are issues then we want to address them. Do you know what the load and conditions were of your server when Apache crashed? We can artificially induce conditions to a test server, but we will need some more detail in order to reproduce the situation.
     
  8. Tom Risager

    Tom Risager Well-Known Member

    The server is nowhere near a high load when httpd crashes, it just has real traffic including various spam and exploit attempts (we host mainly WordPress websites). Unfortunately I don't see a way to provide much more detail without updating the rules again and waiting for the crash to repeat itself. We are not keen to do that.

    Presumably Atomicorp have plenty of test cases that could be used to determine where the problem is, but since they are explicitly not supporting ModSecurity 2.8 (quoting "multiple bugs" in that version) that does not really help any.

    The issue could be with the Atomicorp ruleset rather than ModSecurity, of course. But since we cannot roll back to Modsec 2.7.7 - the version that Atomicorp does support - we don't have any way of finding out.
     
  9. markb14391

    markb14391 Well-Known Member

    BTW, it looks like Trustwave's rules are $495 a year now? Yikes!!!

    Would love to hear if anyone has had good luck with the free Comodo set.
     
  10. quizknows

    quizknows Well-Known Member

    I just downloaded the Comodo rule set; it looks like they just took some rules from the CRS. All the rule IDs look like they are in the 200,000-299,999 range which is reserved for modsecurity.org:

    200,000–299,999 Reserved for rules published at modsecurity.org. ( https://documentation.cpanel.net/display/EA/Apache+Module:+ModSecurity )

    Even the headers in the files say:

    Code:
    # Comodo ModSecurity Rules
    # Copyright (c) 2014 Comodo Security solutions All rights reserved.
    #
    # The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
    # THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
    # Please see the enclosed LICENCE file for full details.
    # ---------------------------------------------------------------
    # This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
    # OWASP ModSecurity Core Rule Set (CRS)
    # ---------------------------------------------------------------
    
     
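The rule-ID check described in the post above can be scripted before a third-party ruleset is enabled. This is an added example, not part of the original thread or any vendor's tooling: the function names and the sample rules are constructed, and the range is the one quoted in the post. It also reports duplicate IDs, which ModSecurity 2.7 and later refuse to load.

```python
import re
from collections import Counter

# Range quoted in the post above (from the cPanel documentation it links).
MODSECURITY_ORG_RANGE = range(200_000, 300_000)

# Heuristic match for the id action: id:200001, id:'200001', id: "200001".
ID_ACTION = re.compile(r"""\bid\s*:\s*['"]?(\d+)['"]?""")
DIRECTIVE = re.compile(r"(SecRule|SecAction)\s")

def join_continuations(text):
    """Merge lines ending in a backslash, as Apache does for long directives."""
    return re.sub(r"\\\r?\n\s*", " ", text)

def rule_ids(text):
    """Return the id of every SecRule/SecAction that declares one."""
    ids = []
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not DIRECTIVE.match(line):      # skips comments and other directives
            continue
        m = ID_ACTION.search(line)
        if m:                              # chained sub-rules carry no id
            ids.append(int(m.group(1)))
    return ids

def audit(text, id_range=MODSECURITY_ORG_RANGE):
    """Summarise ids that fall outside id_range and ids used more than once."""
    counts = Counter(rule_ids(text))
    return {
        "total": sum(counts.values()),
        "outside_range": sorted(i for i in counts if i not in id_range),
        "duplicates": sorted(i for i, n in counts.items() if n > 1),
    }

# Constructed sample rules, not taken from any vendor ruleset.
SAMPLE = r'''
SecRule REQUEST_URI "@contains /wp-login.php" \
    "id:210001,phase:1,pass,nolog"
SecRule ARGS "@rx select.+from" "phase:2,deny,id:'210002',chain"
    SecRule REQUEST_METHOD "@streq POST"
SecAction "id:900001,phase:1,pass,nolog"
SecRule REQUEST_HEADERS:User-Agent "@rx ^$" "id:210001,phase:1,deny"
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To audit a real ruleset, concatenate the contents of its `.conf` files and pass the text to `audit()`.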
  11. kernow

    kernow Well-Known Member

  12. ukhost4u

    ukhost4u Active Member
    PartnerNOC
