
ConfigServer ModSecurity Control - log file is empty, does it work?

Discussion in 'Security' started by postcd, Apr 28, 2014.

  1. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    620
    Likes Received:
    6
    Trophy Points:
    18
    Hello,

    I installed Mod_security

    and on its tab in WHM I saw that it was empty.

    I then instead installed an addon called "ConfigServer ModSecurity Control", and after install I set it to "On" and "Select".

    But the log file is empty. ("View the last entries in the ModSecurity log file")

    How can I verify that mod security rules are applied and work?
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    The log will only generate entries when a rule is hit. So you'd need to trigger one of the modsec rules.
     
  3. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    Also, you can check the mod_sec rules on your server through the command line using the following command

    Code:
    grep mod_security /usr/local/apache/conf/httpd.conf
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Also, note that if you install mod_ruid2 and mod_security, the mod_security log location is:

    Code:
    /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id]
    Thank you.
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    This will only return IfModule lines, which theoretically could be present without the module (unlikely as that is).

    Best way to make sure ModSecurity is compiled is:

    Code:
    httpd -M | grep security
    This will return "security2_module (shared)" if ModSecurity was compiled properly.

    Then check to make sure that /usr/local/apache/conf/httpd.conf includes /usr/local/apache/conf/modsec2.conf, and make sure that /usr/local/apache/conf/modsec2.user.conf has rules in it.

    By default, modsec2.user.conf is blank and you have to install your own rule set, be it from Trustwave, ASL, or the CRS rules.
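    The three checks in the post above (module compiled in, modsec2.conf included from httpd.conf, rules present in modsec2.user.conf) can be scripted so they are repeatable after every EasyApache rebuild. The following is an added example, not code from the thread or from cPanel: the file paths and the `httpd` binary name come from the post, the regexes and the constructed sample inputs are mine, and it assumes ModSecurity 2.x (module name `security2_module`).

```python
"""Offline checks for a cPanel/Apache ModSecurity install.

Added example (not from the forum thread). Verifies the three points from the
post: security2_module appears in ``httpd -M``, httpd.conf includes
modsec2.conf, and modsec2.user.conf contains at least one SecRule/SecAction.
Sample inputs below are constructed for illustration.
"""
import re
import subprocess
from pathlib import Path

# Paths quoted in the thread (assumed valid for the EasyApache layout discussed).
HTTPD_CONF = Path("/usr/local/apache/conf/httpd.conf")
USER_CONF = Path("/usr/local/apache/conf/modsec2.user.conf")

MODULE_RE = re.compile(r"^\s*security2_module\b", re.M)
# Include or IncludeOptional, quoted or not, whose target is modsec2.conf.
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?[^"\n]*modsec2\.conf"?\s*$', re.M)
# A directive starts a rule only at the beginning of a line; "#SecRule" is a comment.
RULE_RE = re.compile(r"^\s*Sec(?:Rule|Action)\b", re.M)


def modsecurity_loaded(httpd_m_output: str) -> bool:
    """True if the ``httpd -M`` listing names security2_module."""
    return bool(MODULE_RE.search(httpd_m_output))


def includes_modsec_conf(httpd_conf_text: str) -> bool:
    """True if httpd.conf pulls in modsec2.conf (which in turn loads the user rules)."""
    return bool(INCLUDE_RE.search(httpd_conf_text))


def count_rules(rules_text: str) -> int:
    """Number of active (uncommented) SecRule/SecAction directives in a rules file."""
    return len(RULE_RE.findall(rules_text))


def report(httpd_m_output: str, httpd_conf_text: str, rules_text: str) -> dict:
    """Run all three checks on already-read text and return the findings."""
    return {
        "module_loaded": modsecurity_loaded(httpd_m_output),
        "modsec2_conf_included": includes_modsec_conf(httpd_conf_text),
        "user_rule_count": count_rules(rules_text),
    }


# Constructed samples: a healthy httpd -M listing, a minimal httpd.conf and a
# user rules file with one commented rule, one multi-line rule and one SecAction.
SAMPLE_HTTPD_M = "Loaded Modules:\n core_module (static)\n security2_module (shared)\nSyntax OK\n"
SAMPLE_HTTPD_CONF = 'ServerRoot "/usr/local/apache"\nInclude "/usr/local/apache/conf/modsec2.conf"\n'
SAMPLE_USER_CONF = (
    "# SecRule ARGS \"@contains test\" \"id:1,deny\"\n"
    "\n"
    "SecRule REQUEST_METHOD \"!^(?:GET|HEAD|POST)$\" \\\n"
    "    \"phase:1,id:2,deny,msg:'method policy'\"\n"
    "SecAction \"phase:1,id:3,pass,nolog,setvar:tx.example=1\"\n"
)


def main() -> None:
    # httpd may print part of -M to stderr on some builds, so read both streams.
    proc = subprocess.run(["httpd", "-M"], capture_output=True, text=True)
    result = report(proc.stdout + proc.stderr, HTTPD_CONF.read_text(), USER_CONF.read_text())
    for key, value in result.items():
        print(f"{key}: {value}")
    ok = result["module_loaded"] and result["modsec2_conf_included"] and result["user_rule_count"] > 0
    raise SystemExit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

    Run it as root on the server; a non-zero exit means one of the three conditions from the post is missing. A zero rule count is the usual answer to "why is the log empty": with no rules loaded there is nothing to log.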
     
  6. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    620
    Likes Received:
    6
    Trophy Points:
    18
    My modsec2.user.conf has only one line:
    That whitelist file contains this:
    Please can you advise any good rule sets, or a search phrase to put into Google? I searched "Trustwave, ASL, or the CRS rules." but can't find any rule set?

    Edit: there is a Quick download section at https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
    I assume I can just copy the base rule set file content into modsec2.user.conf?

    Edit2: I downloaded those owasp.org rule files

    and mkdir /usr/local/apache/conf/modseclists
    copied rule conf files
    then included this:
    in file /usr/local/apache/conf/modsec2.user.conf
    but after Apache restart sites were showing:
    Error in log:
     
    #6 postcd, May 7, 2014
    Last edited: May 7, 2014
  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    You're on the right track. I usually only recommend the CRS base rules for more advanced users as they're pretty generic and prone to false positives. If you do want to use the CRS rules, I recommend commenting out any rules which cause you too many problems. In your case it was rule ID 960032, and your error states it was on line 31 of /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_30_http_policy.conf. Some rules are multiple lines, so if you comment out the rule, make sure to get all lines for that rule ID (multi-line rules will have "chain" in the rule actions).

    Personally for hosting companies I recommend the Trustwave corporate ruleset. The Trustwave rules are a paid product but very well worth it. I believe a single license is $500/year, but this includes nightly updates to the rules which protect most common CMS software. They also do bulk licensing for hosting companies if you contact them.

    If you cannot afford a license for the Trustwave rules, or the paid ASL rules, I may have a copy of the old free ASL rules which will be much better than nothing. PM me if you need these.
     
    #7 quizknows, May 7, 2014
    Last edited: May 7, 2014
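    Commenting out a chained rule by hand is where people slip: disabling only the first SecRule leaves the dangling second link, which Apache rejects at restart. The script below is an added example, not from the thread or from the CRS project, that disables a rule by ID and follows the `chain` action across continuation lines so every link is commented together. It assumes CRS 2.x syntax (`id:'960032'` in the action list, backslash line continuation); the sample rules file is constructed for illustration, and it is not the real CRS file.

```python
"""Disable a ModSecurity rule by ID, including all links of a chained rule.

Added example (not from the forum thread). A rules file is read as a sequence
of directives: one logical line, made of physical lines joined by trailing
backslashes. The first SecRule of a chain carries the id and the ``chain``
action; following SecRules (no id) continue the chain until one without
``chain``. All of their physical lines are prefixed with '#'.
"""
import re
import sys
from typing import List, Set

ID_RE = re.compile(r"\bid\s*:\s*'?(\d+)'?")
# Caveat: matched as a bare word over the whole directive, so a rule whose
# msg text contains the word "chain" would be misread as chained.
CHAIN_RE = re.compile(r"\bchain\b")


def split_directives(lines: List[str]) -> List[List[int]]:
    """Group physical line indexes into logical directives (backslash continuation)."""
    groups, current = [], []
    for i, line in enumerate(lines):
        current.append(i)
        if not line.rstrip("\r\n").rstrip().endswith("\\"):
            groups.append(current)
            current = []
    if current:  # file ended on a continuation line
        groups.append(current)
    return groups


def disable_rule(text: str, rule_id: str) -> str:
    """Return the rules text with the rule `rule_id` (and its chain) commented out."""
    lines = text.splitlines(keepends=True)
    to_comment: Set[int] = set()
    in_chain = False
    for group in split_directives(lines):
        logical = "".join(lines[i] for i in group)
        if not logical.lstrip().startswith(("SecRule", "SecAction")):
            continue  # comments and blank lines do not break a chain
        if in_chain:
            to_comment.update(group)
            in_chain = bool(CHAIN_RE.search(logical))
            continue
        m = ID_RE.search(logical)
        if m and m.group(1) == rule_id:
            to_comment.update(group)
            in_chain = bool(CHAIN_RE.search(logical))
    return "".join(
        "#" + line if i in to_comment and not line.lstrip().startswith("#") else line
        for i, line in enumerate(lines)
    )


# Constructed sample in CRS 2.x style. The chain on 960032 is invented for the
# demonstration; it is not a copy of the real modsecurity_crs_30_http_policy.conf.
SAMPLE_RULES = (
    "# Constructed sample rules file\n"
    "SecRule REQUEST_METHOD \"!^(?:GET|HEAD|POST|OPTIONS)$\" \\\n"
    "    \"phase:1,t:none,id:'960032',severity:'4',msg:'Method is not allowed by policy',chain\"\n"
    "    SecRule REQUEST_HEADERS:Host \"!^$\" \\\n"
    "        \"t:none,setvar:tx.anomaly_score=+2\"\n"
    "SecRule &REQUEST_HEADERS:Host \"@eq 0\" \\\n"
    "    \"phase:2,t:none,id:'960015',msg:'Request Missing a Host Header'\"\n"
)


if __name__ == "__main__":
    # Usage: python disable_rule.py <rules-file> <rule-id>   (rewrites the file in place)
    if len(sys.argv) == 3:
        path, rid = sys.argv[1], sys.argv[2]
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(disable_rule(original, rid))
    else:
        sys.stdout.write(disable_rule(SAMPLE_RULES, "960032"))
```

    After editing, run `httpd -t` before restarting so a broken chain or typo is caught by the syntax check rather than by your customers' sites going down.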