csr rules for mod_security

Discussion in 'Security' started by jimlongo, Nov 15, 2012.

  1. jimlongo

    jimlongo Well-Known Member

    I was using the default cPanel ruleset for mod_security.
    I deleted those using the WHM>Plugins>Mod Security Edit Config tool.
    I installed the core ruleset distributed by OWASP.

    But I'm a little confused by the lack of clear instructions.
    I downloaded the latest tarball to my server, unpacked it.
    Copied the example config file to mod_security_crs_10_config.conf

    Added the following to /etc/httpd/conf/httpd.conf
    Code:
    <IfModule security2_module>
        Include modsecurity-crs/*.conf
        Include modsecurity-crs/base_rules/*.conf
    </IfModule>
    Restarted Apache.

    I'm not sure at this point, if the rules are in effect. I looked for SecRuleEngine in the crs_10 config file but don't see it. It is ON in the mod_sec config file. I can't see any indication in WHM that the rules are in effect.

    If I try to go to http:/myIP/etc I get a 404 error and nothing in my apache error_log.

    Any help would be great.
    Thanks.
     
  2. Syrehn

    Syrehn Registered

    cPanel Access Level:
    Root Administrator
    I hate to bump an old thread but I have the exact same question as the OP.

    The server in question is a cPanel server. ModSecurity is installed (via EasyApache) and it is using default cPanel rules for mod_security; which are found via WHM>Plugins>Mod Security Edit Config tool and correlate to the file modsec2.user.conf

    I installed the core ruleset (all subfolders/files such as base_rules, activated_rules, etc) distributed by OWASP to: /usr/local/apache/conf/modsec_crs/ (I had to create the modsec_crs directory)
    I copied the modsecurity_crs_10_setup.conf.example to modsecurity_crs_10_setup.conf.

    It says to create the symlinks then to add the following to /etc/httpd/conf/httpd.conf or in this case /usr/local/apache/conf/httpd.conf (I think):

    Code (changed from conf/crs to conf/modsec_crs):

    Code:
    <IfModule security2_module>
        Include conf/modsec_crs/modsecurity_crs_10_setup.conf
        Include conf/modsec_crs/activated_rules/*.conf
    </IfModule>
    However, what about the original default cPanel rules that are found in the modsec2.user.conf file? Should all the entries in there be deleted? If I don’t do anything about that file, will the rules in it conflict with these OWASP rules? Should the contents of the modsecurity_crs_10_setup.conf be instead copied into the modsec2.user.conf file?

    The reason for asking is that I was reading the following and it seemed quite a bit different than the OWASP install instructions (mind you it references the Atomicorp rules) but they use the modsec2.user.conf: Web Hosting Talk - View Single Post - Mod_security - too many conflicting install instructions?. I’ve also seen reference to using a similar method for the GotRoot rules: ModSec Taylor Made and Tweaks by Sergio

    After restarting Apache how can we check if the rules are in effect? As mentioned by the OP there isn’t a SecRuleEngine in the crs_10 config but it is ON in the mod_sec config file. Will there be any indication in WHM that the rules are in effect?

    Additionally since I had to create the modsec_rules folder do I need to set any permissions on that folder?

    Any additional guidance with this would be appreciated.
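
Both posts ask how to tell whether the rules are in effect. As an added example (not part of the thread, and not cPanel or OWASP code), this Python script follows the Include lines from httpd.conf, reports the last SecRuleEngine value read, counts SecRule directives, and flags any Include pattern that matches no file, such as an activated_rules directory whose symlinks were never created. Assumptions: security2_module is loaded, the last SecRuleEngine read is the effective one, and `audit`, `build_sample` and all sample file contents are constructed here.

```python
import glob
import os
import re

DIRECTIVE = re.compile(r'^\s*(Include|SecRuleEngine|SecRule)\s+(\S+)', re.I)

def audit(server_root, conf_path, report=None):
    """Follow Include lines from conf_path and summarise what ModSecurity would read."""
    if report is None:
        report = {"engine": None, "rules": 0, "files": [], "empty_includes": []}
    report["files"].append(os.path.relpath(conf_path, server_root))
    with open(conf_path) as fh:
        for m in filter(None, map(DIRECTIVE.match, fh)):
            name, arg = m.group(1).lower(), m.group(2).strip('"')
            if name == "secruleengine":
                report["engine"] = arg              # simplification: last value read wins
            elif name == "secrule":
                report["rules"] += 1
            else:
                pattern = os.path.join(server_root, arg)  # relative Include resolves against ServerRoot
                matches = [p for p in sorted(glob.glob(pattern)) if os.path.isfile(p)]
                if not matches:
                    report["empty_includes"].append(arg)   # glob or path found nothing
                for path in matches:
                    audit(server_root, path, report)
    return report

def build_sample(root):
    """Constructed tree using the paths from the post; file contents are made up."""
    crs = os.path.join(root, "conf", "modsec_crs")
    for sub in ("activated_rules", "base_rules"):
        os.makedirs(os.path.join(crs, sub))
    files = {
        "conf/httpd.conf": (
            "Include conf/modsec2.user.conf\n"
            "<IfModule security2_module>\n"
            "    Include conf/modsec_crs/modsecurity_crs_10_setup.conf\n"
            "    Include conf/modsec_crs/activated_rules/*.conf\n"
            "</IfModule>\n"),
        "conf/modsec2.user.conf": "SecRuleEngine On\n",
        "conf/modsec_crs/modsecurity_crs_10_setup.conf": "# constructed: no SecRuleEngine line\n",
        "conf/modsec_crs/base_rules/sample_rule.conf":
            'SecRule REQUEST_URI "@contains constructed-marker" "id:900001,phase:1,deny"\n',
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return os.path.join(root, "conf", "httpd.conf")
```

On the constructed tree the report shows the engine as On with zero rules and the activated_rules glob listed under empty_includes; once a symlink to a base_rules file exists, the rule count becomes non-zero.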
     
  3. jimlongo

    jimlongo Well-Known Member

    I ended up just using the Default rules included with mod_security, then used the ConfigServer ModSecurity Control - cmc v1.04 to control which rules to disable. That seems to be pretty restrictive and I don't feel the need to add anything further.

    YMMV
     