Hello 
The following documents should help explain it's purpose:
Apache Module - Mod _Security
What Exactly Is Mod_Security
Thank you.
The following documents should help explain it's purpose:
Apache Module - Mod _Security
What Exactly Is Mod_Security
Thank you.
Web app firewalls (like modsec) are exactly that; firewalls. Just instead of blocking IP addresses or ports, they block request based on a rule set. The rule set generally has rules to catch certain exploit attempts so they don't hit the web site for processing.
From what I can gather after running Easy Apache, mod security is actually installed.
However, when i look at ModSecurity Configuration, it's about as useful as a chocolate fireguard.
It makes no sense.
However, when i look at ModSecurity Configuration, it's about as useful as a chocolate fireguard.
It makes no sense.
so could anyone suggest a decent set of rules and simplified instructions on how to install them.
For instance I looked at OWASP and all the instructions I read assume that you know what your'e doing.
For instance I looked at OWASP and all the instructions I read assume that you know what your'e doing.
Infopro
Well-Known Member
The new cPanel setup for ModSec is your best bet, as far as easy goes. If you're not sure what you're doing, it doesn't get any easier than this.
There are some issues with the rules, but I would think cPanel and OWASP are working on making them better.
Home » Security Center » Manage Vendors
If not, make sure cPanel is up to date (and CSF as well, as of this post) and then click Install > Install and Restart Apache, there.
Make sure, Enabled, and Updates On are both, On.
---
Here:
Home » Security Center » Configure Global Directives
Defaults should be set already, IIRC.
- Only log noteworthy transactions.
- Process the rules.
- Process the rules.
- Enabled - Default
- 1500
- 1500
----
Here:
Home » Security Center » Hits List
You can view rule hits.
CSF/LFD sends out useful emails about blocking with ModSec. You should monitor these hits, and those emails to keep an eye on legit users or scripts being blocked. If you see one, you'll need the ID from the rule to take proper action, for example: 960009
From the "Hits List" page, click the "Rules List" button top right corner.
Using that example rule above, search for it there on the Rules List.
When you find it, click the Disable option.
Reporting tools are to be added here as I understand it, and with that, the rules will be made better over time by us reporting the issues/rules and as they are updated nightly when possible.
There is no other easier way to go. There are better rules though, for now.
HTH!
There are some issues with the rules, but I would think cPanel and OWASP are working on making them better.
Do you have the OWASP rules installed?
Home » Security Center » Manage Vendors
If not, make sure cPanel is up to date (and CSF as well, as of this post) and then click Install > Install and Restart Apache, there.
Make sure, Enabled, and Updates On are both, On.
---
Here:
Home » Security Center » Configure Global Directives
Defaults should be set already, IIRC.
- Only log noteworthy transactions.
- Process the rules.
- Process the rules.
- Enabled - Default
- 1500
- 1500
----
Here:
Home » Security Center » Hits List
You can view rule hits.
CSF/LFD sends out useful emails about blocking with ModSec. You should monitor these hits, and those emails to keep an eye on legit users or scripts being blocked. If you see one, you'll need the ID from the rule to take proper action, for example: 960009
From the "Hits List" page, click the "Rules List" button top right corner.
Using that example rule above, search for it there on the Rules List.
When you find it, click the Disable option.
Reporting tools are to be added here as I understand it, and with that, the rules will be made better over time by us reporting the issues/rules and as they are updated nightly when possible.
There is no other easier way to go. There are better rules though, for now.
HTH!
I don't appear have links to:
Home » Security Center » Manage Vendors
Home » Security Center » Configure Global Directives
Home » Security Center » Hits List
But i do have links for ModSecurity Configuration and ModSecurity Tools, so I assume ModSecurity is installed.
Home » Security Center » Manage Vendors
Home » Security Center » Configure Global Directives
Home » Security Center » Hits List
But i do have links for ModSecurity Configuration and ModSecurity Tools, so I assume ModSecurity is installed.
Last edited:
Infopro
Well-Known Member
I recently added and enabled the OWASP ModSecurity Core Rule Set. Since that time my lfd warnings from csf have increased ten fold or more. The two biggest message types I am getting are these.
ONE:
TWO:
Can someone please give me a brief explanation as to what these messages are telling me and how I might decide if I would want to consider adjusting one or more rules based on these results?
ONE:
Code:
[Wed Feb 11 08:00:38 2015] [error] [client 118.4.175.207] ModSecurity: Access denied with redirection to http://MyDomain1.com/ using status 302 (phase 2). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "405"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: MyDomain1.com"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "MyDomain1.com"] [uri "/"] [unique_id "VNtSdrisyIMAAAVkFN4AAAAK"]TWO:
Code:
[Wed Feb 11 08:01:10 2015] [error] [client 69.112.227.22] ModSecurity: Access denied with redirection to http://www.MyDomain2.com/ using status 302 (phase 2). Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "299"] [id "960015"] [rev "3"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: www.MyDomain2.com"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "www.MyDomain2.com"] [uri "/favicon.ico"] [unique_id "[email protected]"]Can someone please give me a brief explanation as to what these messages are telling me and how I might decide if I would want to consider adjusting one or more rules based on these results?
Last edited by a moderator:
Infopro
Well-Known Member
While not specifically an answer for you, there is an old post here worth a peek I think:
/http://stackoverflow.com/questions/8236736/mod-security-false-positives
Specifically, the 'best answer' posted by: Ryan Barnett ModSecurity Project Lead OWASP ModSecurity CRS Project Lead
I came across it searching for this from your post: [tag "WASCTC/WASC-21"]
The blog posts he links to are dated, but must still be of value, they're still being linked to on the email list:
/http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2015-January/001700.html
By, Chaim Sanders Security Researcher, SpiderLabs
The links:
Advanced Topic of the Week: Traditional vs. Anomaly Scoring Detection Modes
ModSecurity Advanced Topic of the Week: (Updated) Exception Handling
Interestingly enough, their email lists seem kinda of quiet, for now.
The Owasp-modsecurity-core-rule-set Archives
/http://stackoverflow.com/questions/8236736/mod-security-false-positives
Specifically, the 'best answer' posted by: Ryan Barnett ModSecurity Project Lead OWASP ModSecurity CRS Project Lead
I came across it searching for this from your post: [tag "WASCTC/WASC-21"]
The blog posts he links to are dated, but must still be of value, they're still being linked to on the email list:
/http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2015-January/001700.html
By, Chaim Sanders Security Researcher, SpiderLabs
The links:
Advanced Topic of the Week: Traditional vs. Anomaly Scoring Detection Modes
ModSecurity Advanced Topic of the Week: (Updated) Exception Handling
Interestingly enough, their email lists seem kinda of quiet, for now.
The Owasp-modsecurity-core-rule-set Archives
My Cpanel is 11.46 i'm just hold off 11.48 until the few bugs i keep seeing have been ironed out.
this is what i have regarding mod security in Secirity Center "
"
However, when i go into either of them, there's little in there in the way of help.
Configuration has a number of radio buttons, process this, process that, and areas to specify paths to files i guess.
The tools section appears to be where you can add custom rules, but again, not much in the way of help.
When i originally ran EasyApache, i installed MOD_RUID2, does this have anything to do with ModSecurity ?
It's all a little confusing.
"However, when i go into either of them, there's little in there in the way of help.
Configuration has a number of radio buttons, process this, process that, and areas to specify paths to files i guess.
The tools section appears to be where you can add custom rules, but again, not much in the way of help.
When i originally ran EasyApache, i installed MOD_RUID2, does this have anything to do with ModSecurity ?
It's all a little confusing.
Infopro
Well-Known Member
i'm currently 11.46.1.4
If i update to 11.46.2.4, will there be any impact on web and email services while the update is running.
Or am i better off doing this out of busy operating hours.
If i update to 11.46.2.4, will there be any impact on web and email services while the update is running.
Or am i better off doing this out of busy operating hours.
Infopro
Well-Known Member
There should be no issues to force an update I wouldn't think. There should also be no reason for you to jump tiers if you don't want to.
So I took a risk and did the update to 11.46.2.4, but it still doesn't help in my understanding for ModSecurity.
Regards post #5, i found these parameters in ModSecurity Configuration.
And a link to "Hit Lists" in ModSecurity Tools.
But i'm none the wiser on how to install a rule set.
Regards post #5, i found these parameters in ModSecurity Configuration.
And a link to "Hit Lists" in ModSecurity Tools.
But i'm none the wiser on how to install a rule set.
Infopro
Well-Known Member
Was that expected? I've had it installed for years across many servers and I still don't fully understand modsecurity.
Post #6:
Does that help at all in getting the Vendor Rules installed? Keep us posted.
Infopro
Well-Known Member
Oh wait. You weren't on the latest version of STABLE and updated to that. We might assume here the Vendor Rules are not in Stable yet.
Please accept my apologies here, I haven't run or monitored STABLE releases in a long time. I only run CURRENT and EDGE releases.
Infopro
Well-Known Member
Vendor Rules are not included in your Tier, yet.
For reference: http://releases.cpanel.net/
They just hit RELEASE.
For reference: http://releases.cpanel.net/
They just hit RELEASE.