csr rules for mod_security

Discussion in 'Security' started by jimlongo, Nov 15, 2012.

  1. jimlongo

    jimlongo Well-Known Member

    I was using the default cPanel ruleset for mod_security.
    I deleted those using the WHM>Plugins>Mod Security Edit Config tool.
    I installed the core ruleset distributed by OWASP.

    But I'm a little confused by the lack of clear instructions.
    I downloaded the latest tarball to my server, unpacked it.
    Copied the example config file to mod_security_crs_10_config.conf

    Added the following to /etc/httpd/conf/httpd.conf
    Code:
    <IfModule security2_module>
        Include modsecurity-crs/*.conf
        Include modsecurity-crs/base_rules/*.conf
    </IfModule>
    Restarted Apache.

    I'm not sure at this point, if the rules are in effect. I looked for SecRuleEngine in the crs_10 config file but don't see it. It is ON in the mod_sec config file. I can't see any indication in WHM that the rules are in effect.

    If I try to go to http://myIP/etc I get a 404 error and nothing in my Apache error_log.

    Any help would be great.
    Thanks.
     
  2. Syrehn

    Syrehn Registered

    I hate to bump an old thread but I have the exact same question as the OP.

    The server in question is a cPanel server. ModSecurity is installed (via EasyApache) and it is using default cPanel rules for mod_security; which are found via WHM>Plugins>Mod Security Edit Config tool and correlate to the file modsec2.user.conf

    I installed the core ruleset (all subfolders/files such as base_rules, activated_rules, etc) distributed by OWASP to: /usr/local/apache/conf/modsec_crs/ (I had to create the modsec_crs directory)
    I copied the modsecurity_crs_10_setup.conf.example to modsecurity_crs_10_setup.conf.

    It says to create the symlinks, then to add the following to /etc/httpd/conf/httpd.conf or in this case /usr/local/apache/conf/httpd.conf (I think):

    Code (changed from conf/crs to conf/modsec_crs):

    Code:
    <IfModule security2_module>
        Include conf/modsec_crs/modsecurity_crs_10_setup.conf
        Include conf/modsec_crs/activated_rules/*.conf
    </IfModule>
    However, what about the original default cPanel rules that are found in the modsec2.user.conf file? Should all the entries in there be deleted? If I don’t do anything about that file, will the rules in it conflict with these OWASP rules? Should the contents of the modsecurity_crs_10_setup.conf be instead copied into the modsec2.user.conf file?

    The reason for asking is that I was reading the following and it seemed quite a bit different than the OWASP install instructions (mind you it references the Atomicorp rules) but they use the modsec2.user.conf: Web Hosting Talk - View Single Post - Mod_security - too many conflicting install instructions?. I’ve also seen reference to using a similar method for the GotRoot rules: ModSec Taylor Made and Tweaks by Sergio

    After restarting Apache how can we check if the rules are in effect? As mentioned by the OP there isn’t a SecRuleEngine in the crs_10 config but it is ON in the mod_sec config file. Will there be any indication in WHM that the rules are in effect?

    Additionally since I had to create the modsec_rules folder do I need to set any permissions on that folder?

    Any additional guidance with this would be appreciated.
     
  3. jimlongo

    jimlongo Well-Known Member

    I ended up just using the Default rules included with mod_security, then used the ConfigServer ModSecurity Control - cmc v1.04 to control which rules to disable. That seems to be pretty restrictive and I don't feel the need to add anything further.

    YMMV
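
Added example (not part of any post in this thread, and not cPanel or OWASP code): one way to answer the "are the rules in effect?" question from the first two posts is to walk the Include lines the way Apache resolves them against ServerRoot and report which files are read, how many SecRule directives they contain, the last SecRuleEngine value, and any Include pattern that matches no file, such as an activated_rules directory whose symlinks were never created. The function names and the sample file contents are constructed for illustration, and <IfModule> blocks are assumed to evaluate true.

```python
import glob, os, re, tempfile

DIRECTIVE = re.compile(r'^\s*(Include(?:Optional)?|SecRuleEngine|SecRule)\s+(\S+)', re.I)

def audit(server_root, conf, report=None):
    """Follow Include lines from conf (relative paths resolve against ServerRoot)
    and summarise what ModSecurity would load. <IfModule> is assumed true."""
    if report is None:
        report = {"files": [], "rules": 0, "engine": None, "empty_includes": []}
    path = os.path.join(server_root, conf)  # an absolute conf path overrides server_root
    report["files"].append(os.path.relpath(path, server_root))
    with open(path) as fh:
        for line in fh:
            m = DIRECTIVE.match(line)
            if not m:
                continue
            name, arg = m.group(1).lower(), m.group(2).strip('"')
            if name.startswith("include"):
                hits = sorted(f for f in glob.glob(os.path.join(server_root, arg))
                              if os.path.isfile(f))
                if not hits:
                    report["empty_includes"].append(arg)  # nothing loaded from here
                for child in hits:
                    audit(server_root, child, report)
            elif name == "secruleengine":
                report["engine"] = arg  # last value seen; ModSecurity's default is Off
            else:
                report["rules"] += 1  # one SecRule directive
    return report

def build_sample(root):
    """Constructed layout modelled on the second post; file contents are invented."""
    crs = os.path.join(root, "conf", "modsec_crs")
    os.makedirs(os.path.join(crs, "activated_rules"))  # left empty: no symlinks yet
    files = {
        "conf/httpd.conf": '<IfModule security2_module>\n'
                           '    Include conf/modsec2.user.conf\n'
                           '    Include conf/modsec_crs/modsecurity_crs_10_setup.conf\n'
                           '    Include conf/modsec_crs/activated_rules/*.conf\n'
                           '</IfModule>\n',
        "conf/modsec2.user.conf": 'SecRuleEngine On\nSecRule ARGS "@contains test" "id:1,deny"\n',
        "conf/modsec_crs/modsecurity_crs_10_setup.conf": 'SecDefaultAction "phase:1,deny,log"\n',
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(audit(root, "conf/httpd.conf"))
```

On a real server, call audit() with the actual ServerRoot and httpd.conf path; an entry in empty_includes or a rule count that does not grow after installing the CRS means the new rule files are not being read.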
     