ConfigServer ModSecurity Control - log file is empty, does it work?

postcd

Well-Known Member
Oct 22, 2010
Hello,

I installed Mod_security, and on its tab in WHM I see that it looks empty.

I then installed the addon called "ConfigServer ModSecurity Control" instead, and after install I set it to "On" and "Select".

But the log file is empty. ("View the last entries in the ModSecurity log file")

How can I verify that mod_security rules are applied and work?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Also, note that if you install mod_ruid2 and mod_security, the mod_security log location is:

Code:
/usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id]

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Hello,

Also, you can check the mod_sec rules on your server through the command line using the following command:

Code:
grep mod_security /usr/local/apache/conf/httpd.conf

This will only return IfModule lines, which theoretically could be present without the module (unlikely as that is).

Best way to make sure ModSecurity is compiled is:

Code:
httpd -M |grep security

This will return "security2_module (shared)" if ModSecurity was compiled properly.

Then check to make sure that /usr/local/apache/conf/httpd.conf includes /usr/local/apache/conf/modsec2.conf, and make sure that /usr/local/apache/conf/modsec2.user.conf has rules in it.

By default, modsec2.user.conf is blank and you have to install your own rule set, be it from Trustwave, ASL, or the CRS rules.
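An added shell helper (not from the thread or from cPanel) that automates the last two checks above: it follows the Include chain from modsec2.user.conf and counts the SecRule/SecAction directives actually reached, so a file that only Includes an empty whitelist reports as empty. Paths are the ones from the thread; the helper assumes absolute Include paths.

```shell
#!/bin/sh
# Added example, not from the thread: count the ModSecurity rules that a
# config file really activates, following Include directives recursively.
# Mirrors the thread's cPanel layout, where modsec2.user.conf may contain
# nothing but an Include of a whitelist file that holds no SecRule at all.

# count_secrules FILE -> number of SecRule/SecAction directives reachable
# from FILE (the file itself plus everything it Includes).
count_secrules() {
    [ -r "$1" ] || { echo 0; return; }
    # Directives in this file; commented-out lines do not match. "|| true"
    # keeps grep's exit status 1 (no match) from tripping "set -e".
    n=$(grep -Ec '^[[:space:]]*Sec(Rule|Action)[[:space:]]' "$1" || true)
    # Follow every Include; the path may be quoted and may carry a wildcard.
    incs=$(grep -Ei '^[[:space:]]*Include[[:space:]]' "$1" | awk '{print $2}' | tr -d '"' || true)
    for pattern in $incs; do
        for f in $pattern; do          # unquoted on purpose: expand *.conf globs
            m=$(count_secrules "$f")   # recursion runs in a subshell, so $n is safe
            n=$((n + m))
        done
    done
    echo "$n"
}

# modsec_status CONF -> "active" when at least one rule is reachable, "empty"
# when the chain of Includes ends without a single SecRule (the thread's case).
modsec_status() {
    if [ "$(count_secrules "$1")" -gt 0 ]; then echo active; else echo empty; fi
}

# Stand-alone use on a cPanel box (path from the thread):
#   modsec_status /usr/local/apache/conf/modsec2.user.conf
```

Run it after `httpd -M | grep security` confirms the module is loaded; a loaded module with "empty" here is exactly the situation of a log file that never fills.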
 

postcd

Well-Known Member
Oct 22, 2010
> make sure that /usr/local/apache/conf/modsec2.user.conf has rules in it.
>
> By default, modsec2.user.conf is blank and you have to install your own rule set, be it from Trustwave, ASL, or the CRS rules.

My modsec2.user.conf has only one line:

Code:
Include /usr/local/apache/conf/modsec2.whitelist.conf

That whitelist file contains this:

Code:
# ConfigServer ModSecurity whitelist file
<LocationMatch .*>
</LocationMatch>

Please can you advise any good rule sets, or search phrases to put into Google? I searched for "Trustwave, ASL, or the CRS rules." but can't find any rule set.

Edit: there is a Quick download section at https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
I assume I can just copy the base rule set file content into modsec2.user.conf?

Edit2: I downloaded the owasp.org rule files, ran mkdir /usr/local/apache/conf/modseclists, copied the rule conf files there, and then included these lines in /usr/local/apache/conf/modsec2.user.conf:

Code:
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_20_protocol_violations.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_21_protocol_anomalies.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_23_request_limits.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_30_http_policy.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_35_bad_robots.conf

But after the Apache restart, sites were showing:

Code:
Not Acceptable

An appropriate representation of the requested resource / could not be found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Error in log:

Code:
Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
You're on the right track. I usually only recommend the CRS base rules for more advanced users, as they're pretty generic and prone to false positives. If you do want to use the CRS rules, I recommend commenting out any rules which cause you too many problems. In your case it was rule ID 960032, and your error states it was on line 31 of /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_30_http_policy.conf. Some rules are multiple lines, so if you comment out the rule, make sure to get all lines for that rule ID (multi-line rules will have "chain" in the rule actions).

Personally, for hosting companies I recommend the Trustwave commercial ruleset. The Trustwave rules are a paid product but very well worth it. I believe a single license is $500/year, but this includes nightly updates to the rules, which protect most common CMS software. They also do bulk licensing for hosting companies if you contact them.

If you cannot afford a license for the Trustwave rules, or the paid ASL rules, I may have a copy of the old free ASL rules, which will be much better than nothing. PM me if you need these.
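An added helper (not from the thread or from the CRS project) for the "get all lines for that rule ID" advice above: it locates a rule by its id in a CRS 2.2.x-style file, extends the range over backslash-continued lines and over any rule chained to it, and emits the file with that range commented out. The excerpt used for testing is constructed in the CRS style, not the real modsecurity_crs_30_http_policy.conf.

```shell
#!/bin/sh
# Added example, not from the thread: comment out a CRS rule by ID, taking all
# of its lines with it. A CRS 2.2.x rule spans several lines joined by a
# trailing backslash, and a rule whose actions contain "chain" also owns the
# rule directive that follows it.

# rule_lines FILE ID -> prints "FIRST LAST" line numbers of rule ID (plus any
# rules chained to it), or nothing if the ID is not found in FILE.
rule_lines() {
    awk -v want="$2" '
    {
        if (start == 0) start = NR
        piece = $0
        sub(/[[:space:]]*\\[[:space:]]*$/, "", piece)   # drop the continuation mark
        stmt = stmt piece
        if ($0 ~ /\\[[:space:]]*$/) next                 # directive continues on next line
        # stmt now holds one complete directive spanning lines start..NR
        q = sprintf("%c", 39)                            # a single-quote character
        s = stmt; gsub(q, "", s)                         # id:'"'"'960032'"'"' -> id:960032
        chained = (s ~ /[,"]chain[,"]/)
        if (capturing) {                                 # continuation of a chain
            last = NR
            if (!chained) { print first, last; exit }
        } else if (s ~ ("id:" want "([^0-9]|$)")) {      # the rule we were asked for
            first = start; last = NR
            if (!chained) { print first, last; exit }
            capturing = 1
        }
        stmt = ""; start = 0
    }' "$1"
}

# comment_rule FILE ID -> FILE on stdout with the rule's lines prefixed by "#".
# The original file is left untouched; redirect to a new file and review it.
comment_rule() {
    range=$(rule_lines "$1" "$2")
    [ -n "$range" ] || { cat "$1"; return; }
    set -- "$1" $range                 # $2 = first line, $3 = last line
    sed "$2,$3s/^/#/" "$1"
}

# Stand-alone use with the file and ID from the thread:
#   comment_rule /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_30_http_policy.conf 960032 > new.conf
```

For the specific error quoted earlier in the thread, note that CRS 2.2.x initialises tx.allowed_methods in modsecurity_crs_10_setup.conf, which is absent from the Include list shown, so an empty allowed-methods list rejects every method including GET; commenting out 960032 removes the symptom rather than completing the setup.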
 