Getting Error while implementing mod_Security rules for antispam event

Discussion in 'Security' started by prashantjadhav, Jul 11, 2013.

  1. prashantjadhav

    Hello,

    We are trying to implement the below-mentioned rules for the mod_security application and are getting the error "Syntax error on line 170 of /usr/local/apache/conf/modsec2.user.conf: ModSecurity: No action id present within the rule", where line 170 is SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain.

    Code:
    SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
    SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
    SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
    SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
    SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
    SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
    SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
    SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
    
    
    SecRule REQUEST_URI "dm.cgi"
    SecRule REQUEST_BODY|REQUEST_URI "\.cgi\?m\=state"
    SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=snd"
    SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=icfg"
    Regards,
    Prashant
     
    #1 prashantjadhav, Jul 11, 2013
    Last edited by a moderator: Jul 11, 2013
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Unique rule IDs are mandatory for the version of Mod_Security installed on your system. You can find more information on this at:

    Mod_Security Rule Changes

    This includes the steps you can take to ensure rules have unique ids.

    Thank you.
     
  3. quizknows

    This should fix up those rules so that modsec 2.7 is happy with them.

    Code:
    SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99001"
    SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
    SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99002"
    SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
    SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99003"
    SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
    SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99004"
    SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+%10[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
    
    
    SecRule REQUEST_URI "dm.cgi" "id:99005"
    SecRule REQUEST_BODY|REQUEST_URI "\.cgi\?m\=state" "id:99006"
    SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=snd" "id:99007"
    SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=icfg" "id:99008"
     
  4. prashantjadhav

    Hello,

    Thank you for your valuable update. But how would we come to know which id needs to be used, like 99001, 99002? Is there any formula or calculation for such ids? Because suppose in future we want to use any mod_security rule, then how will we come to know the id to be used?

    Regards,
    Prashant
     
  5. quizknows

    Technically you can use any rule ID you are not already using. There are "reserved" ranges, and it's a good idea to follow those if you can. I used this range for you:

    "1–99,999 Reserved for local (internal) use. Use as you see fit, but do not use this range for rules that are distributed to others. "

    See Apache Module: Security under Rules ID required in ModSecurity for further information.
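
An added example, not part of the original posts and not cPanel or ModSecurity code: a Python check that scans rule text for the condition behind the error above (a SecRule that is not a chained follow-up and carries no id), and also flags duplicate ids and ids outside the 1-99,999 local range quoted in this thread. The name `audit_rules`, the sample strings (constructed from the rules posted above) and the one-directive-per-line layout are assumptions of the example.

```python
import re
import shlex

ID_RE = re.compile(r"(?:^|,)\s*id:'?(\d+)'?")
CHAIN_RE = re.compile(r"(?:^|,)\s*chain\s*(?:,|$)")
LOCAL_RANGE = range(1, 100000)  # 1-99,999, the local-use range quoted in the thread

def audit_rules(conf_text):
    """Return (line_number, problem) tuples for SecRule directives in conf_text."""
    findings, seen, in_chain = [], {}, False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # SecRule VARIABLES "OPERATOR" [ACTIONS]
        if tokens[0].lower() != "secrule":
            continue
        actions = tokens[3] if len(tokens) > 3 else ""
        # A rule is a chained follow-up if the previous SecRule carried "chain".
        continuation, in_chain = in_chain, bool(CHAIN_RE.search(actions))
        if continuation:
            continue  # the id lives on the chain starter, not on follow-up rules
        match = ID_RE.search(actions)
        if not match:
            findings.append((lineno, "no id action"))
            continue
        rule_id = int(match.group(1))
        if rule_id in seen:
            findings.append((lineno, f"id {rule_id} already used on line {seen[rule_id]}"))
        seen.setdefault(rule_id, lineno)
        if rule_id not in LOCAL_RANGE:
            findings.append((lineno, f"id {rule_id} outside local range 1-99999"))
    return findings

# Constructed samples: three of the thread's rules, before and after ids were added.
BEFORE = r'''
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_URI "dm.cgi"
'''
AFTER = r'''
SecRule REQUEST_BODY "bcc:|cc:|bcc%3A|cc%3A" "t:lowercase,chain,id:99001"
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_URI "dm.cgi" "id:99005"
'''

if __name__ == "__main__":
    for lineno, problem in audit_rules(BEFORE):
        print(f"line {lineno}: {problem}")
```

Running the same function over the full contents of a rules file before reloading Apache shows every rule that still needs an id in one pass, rather than one syntax error per restart.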
     
  6. prashantjadhav

    Hello,

    Thanks quizknows. It helped me a lot.

     
  7. inthukha

    So you allow cgi script globally by adding them in main user file?
    Why not use ConfigServer ModSecurity Control for this job?
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You are welcome to use a third-party application to manage your Mod_Security rules. Keep in mind that ConfigServer applications are not installed with cPanel by default. They are third-party applications that users must install on their own.

    Thank you.
     