could anyone explain mod security please

quizknows (Well-Known Member, Oct 20, 2009; cPanel Access Level: DataCenter Provider)
Web app firewalls (like modsec) are exactly that; firewalls. Just instead of blocking IP addresses or ports, they block request based on a rule set. The rule set generally has rules to catch certain exploit attempts so they don't hit the web site for processing.
 

keat63 (Well-Known Member, Nov 20, 2014; cPanel Access Level: Root Administrator)
From what I can gather after running Easy Apache, mod security is actually installed.
However, when I look at ModSecurity Configuration, it's about as useful as a chocolate fireguard.
It makes no sense.

keat63
So could anyone suggest a decent set of rules and simplified instructions on how to install them?
For instance, I looked at OWASP and all the instructions I read assume that you know what you're doing.

Infopro (Well-Known Member, May 20, 2003, Pennsylvania; cPanel Access Level: Root Administrator)
The new cPanel setup for ModSec is your best bet, as far as easy goes. If you're not sure what you're doing, it doesn't get any easier than this.

There are some issues with the rules, but I would think cPanel and OWASP are working on making them better.


> ...simplified instructions on how to install them.
Do you have the OWASP rules installed?
Home » Security Center » Manage Vendors

If not, make sure cPanel is up to date (and CSF as well, as of this post) and then click Install > Install and Restart Apache, there.
Make sure Enabled and Updates On are both On.
---
Here:
Home » Security Center » Configure Global Directives

Defaults should be set already, IIRC.

- Only log noteworthy transactions.
- Process the rules.
- Process the rules.
- Enabled - Default
- 1500
- 1500
----

Here:
Home » Security Center » Hits List

You can view rule hits.

CSF/LFD sends out useful emails about blocking with ModSec. You should monitor these hits, and those emails to keep an eye on legit users or scripts being blocked. If you see one, you'll need the ID from the rule to take proper action, for example: 960009

From the "Hits List" page, click the "Rules List" button top right corner.
Using that example rule above, search for it there on the Rules List.

When you find it, click the Disable option.

Reporting tools are to be added here as I understand it, and with that, the rules will be made better over time by us reporting the issues/rules and as they are updated nightly when possible.

There is no other easier way to go. There are better rules though, for now.


HTH!
 

keat63
I don't appear to have links to:

Home » Security Center » Manage Vendors

Home » Security Center » Configure Global Directives

Home » Security Center » Hits List


But I do have links for ModSecurity Configuration and ModSecurity Tools, so I assume ModSecurity is installed.

PCZero (Well-Known Member, Dec 13, 2003, Earth)
I recently added and enabled the OWASP ModSecurity Core Rule Set. Since that time my lfd warnings from csf have increased ten fold or more. The two biggest message types I am getting are these.

ONE:
Code:
[Wed Feb 11 08:00:38 2015] [error] [client 118.4.175.207] ModSecurity: Access denied with redirection to http://MyDomain1.com/ using status 302 (phase 2). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "405"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: MyDomain1.com"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "MyDomain1.com"] [uri "/"] [unique_id "VNtSdrisyIMAAAVkFN4AAAAK"]

TWO:
Code:
[Wed Feb 11 08:01:10 2015] [error] [client 69.112.227.22] ModSecurity: Access denied with redirection to http://www.MyDomain2.com/ using status 302 (phase 2). Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "299"] [id "960015"] [rev "3"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: www.MyDomain2.com"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "www.MyDomain2.com"] [uri "/favicon.ico"] [unique_id "[email protected]"]


Can someone please give me a brief explanation as to what these messages are telling me and how I might decide if I would want to consider adjusting one or more rules based on these results?
 
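The two lines above carry everything needed for the triage Infopro describes earlier in the thread (pull the rule ID out of a hit, then look it up on the Rules List): the `[id "..."]` field is that number, `[msg "..."]` says why the rule fired, `[severity "..."]` how seriously the CRS rates it, `[data "..."]` the offending value (here the `application/octet-stream` content type), and "Access denied with redirection ... using status 302" means the request was actually blocked, whereas a line starting "Warning." means the rule only logged. The script below is an added example written for this thread; it is not code from cPanel, ModSecurity or the OWASP CRS. It parses error-log lines in the Apache 2.2 layout quoted above (the optional `[pid ...]` field of the Apache 2.4 layout is tolerated), groups them by rule ID and reports how many distinct clients tripped each rule on which URIs. The third sample line, the 203.0.113.9 client address, the `worth_reviewing` rule of thumb and the default log path `/usr/local/apache/logs/error_log` are my assumptions, not anything from the thread.

```python
"""Summarise ModSecurity 2.x hits in the Apache error log by rule ID.

Added example for this thread; not code from cPanel, ModSecurity or the
OWASP CRS. Groups error-log lines by their [id "..."] field, the number
you search for on cPanel's Rules List before tuning or disabling a rule.
"""
import re
import sys
from collections import Counter

# The bracketed key/value fields ModSecurity appends to each line,
# e.g. [id "960010"] [msg "Request content type is not allowed by policy"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Leading Apache fields: [timestamp] [level] [client IP] ModSecurity: ...
# The optional [pid ...] group also accepts the Apache 2.4 layout.
HEAD_RE = re.compile(
    r'^\[([^\]]+)\] \[[^\]]+\] (?:\[pid [^\]]+\] )?\[client ([^\]]+)\] ModSecurity: (.*)$'
)

# Lines 1 and 2 are the ones quoted in the thread (unique_id replaced by a
# placeholder). Line 3 is constructed: a non-blocking "Warning." hit on the
# same rule from a second client (203.0.113.9 is a documentation address).
SAMPLE_LINES = [
    '[Wed Feb 11 08:00:38 2015] [error] [client 118.4.175.207] ModSecurity: Access denied with redirection to http://MyDomain1.com/ using status 302 (phase 2). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "405"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: MyDomain1.com"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "MyDomain1.com"] [uri "/"] [unique_id "PLACEHOLDER-ID-1"]',
    '[Wed Feb 11 08:01:10 2015] [error] [client 69.112.227.22] ModSecurity: Access denied with redirection to http://www.MyDomain2.com/ using status 302 (phase 2). Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "299"] [id "960015"] [rev "3"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: www.MyDomain2.com"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "www.MyDomain2.com"] [uri "/favicon.ico"] [unique_id "PLACEHOLDER-ID-2"]',
    '[Wed Feb 11 08:05:42 2015] [error] [client 203.0.113.9] ModSecurity: Warning. Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "299"] [id "960015"] [rev "3"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: www.MyDomain2.com"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "www.MyDomain2.com"] [uri "/favicon.ico"] [unique_id "CONSTRUCTED-ID-3"]',
]


def parse_hit(line):
    """Return a dict for one ModSecurity error-log line, or None if it is not one."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    timestamp, client, body = m.groups()
    hit = {"timestamp": timestamp, "client": client, "tags": [],
           # "Access denied ..." means the request was blocked; "Warning." means the
           # rule matched but only logged (DetectionOnly engine or anomaly scoring).
           "blocked": body.startswith("Access denied")}
    for key, value in FIELD_RE.findall(body):
        if key == "tag":
            hit["tags"].append(value)   # [tag ...] repeats; keep every one
        else:
            hit[key] = value
    return hit


def summarize(lines):
    """Group hits by rule ID: counts, distinct clients, URIs involved and matched data."""
    summary = {}
    for line in lines:
        hit = parse_hit(line)
        if not hit or "id" not in hit:
            continue
        entry = summary.setdefault(hit["id"], {
            "msg": hit.get("msg", ""), "severity": hit.get("severity", ""),
            "hits": 0, "blocked": 0, "clients": set(), "uris": Counter(), "data": set(),
        })
        entry["hits"] += 1
        entry["blocked"] += int(hit["blocked"])
        entry["clients"].add(hit["client"])
        entry["uris"][hit.get("hostname", "") + hit.get("uri", "")] += 1
        if "data" in hit:
            entry["data"].add(hit["data"])
    return summary


def worth_reviewing(entry):
    """Rule of thumb (my assumption, not CRS guidance): several distinct clients
    tripping one rule on the same URI usually means the rule disagrees with a
    legitimate feature of the site, so check it before leaving it to block."""
    return len(entry["clients"]) >= 2 and len(entry["uris"]) == 1


def report(summary):
    """Render one line per rule, most-hit first, to read alongside the Hits List."""
    lines = []
    for rule_id, e in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        flag = "REVIEW" if worth_reviewing(e) else "ok"
        uris = ", ".join(f"{u} x{n}" for u, n in e["uris"].most_common(3))
        data = f" data={sorted(e['data'])}" if e["data"] else ""
        lines.append(f"{rule_id} [{e['severity']}] {e['msg']}: {e['hits']} hits "
                     f"({e['blocked']} blocked) from {len(e['clients'])} clients on {uris}"
                     f"{data} -> {flag}")
    return lines


if __name__ == "__main__":
    # Usage: python modsec_hits.py [/usr/local/apache/logs/error_log]
    # (assumed cPanel Apache error-log path; adjust to your server)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LINES
    print("\n".join(report(summarize(lines))))
```

Run against the real error log, the report gives the same rule IDs the Hits List shows, plus the spread of clients and URIs per rule, which is the information that decides between leaving a rule alone and tuning it. A rule that fires on one path from many different visitors (the favicon case in the sample) deserves a look before it keeps blocking; a CRITICAL hit from a single client on a single request is more often just noise from a scanner. When a rule does need an exception, ModSecurity's `SecRuleRemoveById` can be placed inside an Apache `<LocationMatch>` block so the exception covers only the path that trips it, instead of disabling the rule for the whole server.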

Infopro
While not specifically an answer for you, there is an old post here worth a peek I think:
http://stackoverflow.com/questions/8236736/mod-security-false-positives

Specifically, the 'best answer' posted by: Ryan Barnett ModSecurity Project Lead OWASP ModSecurity CRS Project Lead

I came across it searching for this from your post: [tag "WASCTC/WASC-21"]

The blog posts he links to are dated, but must still be of value, they're still being linked to on the email list:
http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2015-January/001700.html

By Chaim Sanders, Security Researcher, SpiderLabs

The links:
Advanced Topic of the Week: Traditional vs. Anomaly Scoring Detection Modes
ModSecurity Advanced Topic of the Week: (Updated) Exception Handling

Interestingly enough, their email lists seem kind of quiet, for now.
The Owasp-modsecurity-core-rule-set Archives
 

keat63
This is what I have regarding mod security in Security Center: "mod.jpg"
However, when I go into either of them, there's little in there in the way of help.
Configuration has a number of radio buttons, process this, process that, and areas to specify paths to files I guess.
The tools section appears to be where you can add custom rules, but again, not much in the way of help.

When I originally ran EasyApache, I installed MOD_RUID2; does this have anything to do with ModSecurity?

It's all a little confusing.

keat63
I'm currently on 11.46.1.4.
If I update to 11.46.2.4, will there be any impact on web and email services while the update is running?
Or am I better off doing this out of busy operating hours?

keat63
So I took a risk and did the update to 11.46.2.4, but it still doesn't help in my understanding of ModSecurity.
Regarding post #5, I found these parameters in ModSecurity Configuration.
And a link to "Hit Lists" in ModSecurity Tools.
But I'm none the wiser on how to install a rule set.

Infopro
> So I took a risk and did the update to 11.46.2.4, but it still doesn't help in my understanding of ModSecurity.
Was that expected? I've had it installed for years across many servers and I still don't fully understand modsecurity.

> Regarding post #5, I found these parameters in ModSecurity Configuration.
> And a link to "Hit Lists" in ModSecurity Tools.
> But I'm none the wiser on how to install a rule set.
Post #6:

> Do you have the OWASP rules installed?
> Home » Security Center » Manage Vendors
>
> If not, make sure cPanel is up to date (and CSF as well, as of this post) and then click Install > Install and Restart Apache, there.
> Make sure Enabled and Updates On are both On.

Does that help at all in getting the Vendor Rules installed? Keep us posted.
 

Infopro
> So I took a risk and did the update to 11.46.2.4
> ...
Oh wait. You weren't on the latest version of STABLE and updated to that. We might assume here the Vendor Rules are not in Stable yet.


Please accept my apologies here, I haven't run or monitored STABLE releases in a long time. I only run CURRENT and EDGE releases.