The Community Forums

Interact with an entire community of cPanel & WHM users!

could anyone explain mod security please

Discussion in 'Security' started by keat63, Feb 4, 2015.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I don't have a clue what it is, what it does or indeed how it works.
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Web app firewalls (like modsec) are exactly that; firewalls. Just instead of blocking IP addresses or ports, they block request based on a rule set. The rule set generally has rules to catch certain exploit attempts so they don't hit the web site for processing.
     
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    From what I can gather after running EasyApache, mod security is actually installed.
    However, when I look at ModSecurity Configuration, it's about as useful as a chocolate fireguard.
    It makes no sense.
     
  4. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    So could anyone suggest a decent set of rules and simplified instructions on how to install them?
    For instance, I looked at OWASP and all the instructions I read assume that you know what you're doing.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    The new cPanel setup for ModSec is your best bet, as far as easy goes. If you're not sure what you're doing, it doesn't get any easier than this.

    There are some issues with the rules, but I would think cPanel and OWASP are working on making them better.


    Do you have the OWASP rules installed?
    Home » Security Center » Manage Vendors

    If not, make sure cPanel is up to date (and CSF as well, as of this post) and then click Install > Install and Restart Apache, there.
    Make sure Enabled and Updates On are both On.
    ---
    Here:
    Home » Security Center » Configure Global Directives

    Defaults should be set already, IIRC.

    - Only log noteworthy transactions.
    - Process the rules.
    - Process the rules.
    - Enabled - Default
    - 1500
    - 1500
    ----

    Here:
    Home » Security Center » Hits List

    You can view rule hits.

    CSF/LFD sends out useful emails about blocking with ModSec. You should monitor these hits, and those emails to keep an eye on legit users or scripts being blocked. If you see one, you'll need the ID from the rule to take proper action, for example: 960009

    From the "Hits List" page, click the "Rules List" button top right corner.
    Using that example rule above, search for it there on the Rules List.

    When you find it, click the Disable option.

    Reporting tools are to be added here as I understand it, and with that, the rules will be made better over time by us reporting the issues/rules and as they are updated nightly when possible.

    There is no other easier way to go. There are better rules though, for now.


    HTH!
     
  6. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I don't appear to have links to:

    Home » Security Center » Manage Vendors

    Home » Security Center » Configure Global Directives

    Home » Security Center » Hits List


    But I do have links for ModSecurity Configuration and ModSecurity Tools, so I assume ModSecurity is installed.
     
    #7 keat63, Feb 11, 2015
    Last edited: Feb 11, 2015
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    What is your cPanel version? Vendors area wasn't added earlier on as I recall.
     
  8. PCZero

    PCZero Well-Known Member

    Joined:
    Dec 13, 2003
    Messages:
    526
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    Earth
    I recently added and enabled the OWASP ModSecurity Core Rule Set. Since that time my lfd warnings from csf have increased ten fold or more. The two biggest message types I am getting are these.

    ONE:
    Code:
    [Wed Feb 11 08:00:38 2015] [error] [client 118.4.175.207] ModSecurity: Access denied with redirection to http://MyDomain1.com/ using status 302 (phase 2). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "405"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: MyDomain1.com"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "MyDomain1.com"] [uri "/"] [unique_id "VNtSdrisyIMAAAVkFN4AAAAK"]

    TWO:
    Code:
    [Wed Feb 11 08:01:10 2015] [error] [client 69.112.227.22] ModSecurity: Access denied with redirection to http://www.MyDomain2.com/ using status 302 (phase 2). Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "299"] [id "960015"] [rev "3"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: www.MyDomain2.com"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "www.MyDomain2.com"] [uri "/favicon.ico"] [unique_id "VNtSlrisyIMAAATM6@oAAAAB"]


    Can someone please give me a brief explanation as to what these messages are telling me and how I might decide if I would want to consider adjusting one or more rules based on these results?
     
    #9 PCZero, Feb 11, 2015
    Last edited by a moderator: Feb 11, 2015
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    While not specifically an answer for you, there is an old post here worth a peek I think:
    http://stackoverflow.com/questions/8236736/mod-security-false-positives

    Specifically, the 'best answer' posted by: Ryan Barnett ModSecurity Project Lead OWASP ModSecurity CRS Project Lead

    I came across it searching for this from your post: [tag "WASCTC/WASC-21"]

    The blog posts he links to are dated, but must still be of value, they're still being linked to on the email list:
    http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2015-January/001700.html

    By, Chaim Sanders Security Researcher, SpiderLabs

    The links:
    Advanced Topic of the Week: Traditional vs. Anomaly Scoring Detection Modes
    ModSecurity Advanced Topic of the Week: (Updated) Exception Handling

    Interestingly enough, their email lists seem kind of quiet, for now.
    The Owasp-modsecurity-core-rule-set Archives
     
  10. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    My cPanel is 11.46; I'm just holding off on 11.48 until the few bugs I keep seeing have been ironed out.
     
  11. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    This is what I have regarding mod security in Security Center: " mod.jpg "
    However, when I go into either of them, there's little in there in the way of help.
    Configuration has a number of radio buttons, process this, process that, and areas to specify paths to files, I guess.
    The tools section appears to be where you can add custom rules, but again, not much in the way of help.

    When I originally ran EasyApache, I installed MOD_RUID2; does this have anything to do with ModSecurity?

    It's all a little confusing.
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    From your Update Preferences page:

     
  13. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I'm currently on 11.46.1.4.
    If I update to 11.46.2.4, will there be any impact on web and email services while the update is running?
    Or am I better off doing this outside of busy operating hours?
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    There should be no issues to force an update I wouldn't think. There should also be no reason for you to jump tiers if you don't want to.
     
  15. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    So I took a risk and did the update to 11.46.2.4, but it still doesn't help my understanding of ModSecurity.
    Regarding post #5, I found these parameters in ModSecurity Configuration.
    And a link to "Hit Lists" in ModSecurity Tools.
    But I'm none the wiser on how to install a rule set.
     
  16. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Was that expected? I've had it installed for years across many servers and I still don't fully understand modsecurity.

    Post #6:


    Does that help at all in getting the Vendor Rules installed? Keep us posted.
     
  17. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Oh wait. You weren't on the latest version of STABLE and updated to that. We might assume here the Vendor Rules are not in Stable yet.


    Please accept my apologies here, I haven't run or monitored STABLE releases in a long time. I only run CURRENT and EDGE releases.
     
  18. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I still see no reference anywhere to Manage Vendors, or vendor rules.
     
  19. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator