Help Configuring Rules For Mod_Security2 ?

Mike01

Hello all,
I'm fairly new to cPanel and I seem to be getting along pretty well, but still learning.

I want to configure mod_security2 with customized rules. ModSec works fine w/ default ruleset from:
Code:
/home/cpeasyapache/src/modsec2.user.conf.default
But I want to integrate SOME of the OWASP rules (not all).
Been trying to muddle through it but I'm just not connecting the dots in my head.
I've looked at the ConfigServer Modsecurity Control and I guess it's an option, but I'd prefer to not go that route (guess maybe I have control issues, or something :p )

There's a nice set of rules just sitting here collecting dust (I added a few):
Code:
/home/cpeasyapache/src/modsecurity-apache_2.5.13/rules/base_rules/
[image: mod_sec-rules-list.jpg]

...but I can't seem to figure out how to get the system to read & implement them.
Seems this should be easy from this point? Maybe not?

EDIT: As an interesting note... according to log files, I've got mod_sec 2.7.3


Any direction?
Feels like I'm so close, and simply pasting them into the default.conf file seems the incorrect approach.

Thanks in advance!
-Mike

Infopro

> I've looked at the ConfigServer Modsecurity Control and I guess it's an option, but I'd prefer to not go that route (guess maybe I have control issues, or something )
Lack of control is ok with you? Yuk. That addon is a must have IMHO. The built in editor for modifying the modsec2.user.conf file alone is worth the 2 seconds it takes to install it. And there are many more options as well of course. ;)

Once you've got mod_security compiled via Easy Apache, you'll modify that file (modsec2.user.conf) to tell mod security to look for your rulesets. For example:

Include /usr/local/apache/conf/modsec/10_asl_rules.conf


You shouldn't use this directory:
/home/cpeasyapache/src/modsecurity-apache_2.5.13/rules/base_rules/


> EDIT: As an interesting note... according to log files, I've got mod_sec 2.7.3
From within EasyApache it says this:

Mod Security
v1.9.5 for Apache 1.3, v2.5.13 for Apache 2.0, v2.7.3 for Apache 2.2 and 2.4 This option will make the following changes to your profile prior to the build:

Enables:
UniqueId

I don't normally post this often, but there are so many threads on installing mod_security and managing it on these forums, I'm not sure this thread requires much more than a nudge for you in the right direction.

Search google for this:
site:forums.cpanel.net install mod_security

In last year. With some reading you'll be on your way in no time.

In a nutshell: install mod_security via EA, choose the rulesets you wish to use and add them here (for example):
/usr/local/apache/conf/modsec/

Modify: modsec2.user.conf to tell mod security to look for your rulesets. For example:

Include /usr/local/apache/conf/modsec/10_asl_rules.conf

Restart Apache.


It's best, I think, if you read up on all this, instead of just tossing all the rules you can find into the mix.

Having use of a GUI to work from by installing ConfigServer's free tool is very, very handy. No matter what rules you end up using.

GL!

Mike01

Thank you Infopro.
Maybe I'm just gun-shy on the ConfigServer Modsecurity Control thing being so new to cPanel. I'll give it a serious reconsideration. "Simple" is surely a nice approach to server stuff, too.

There are a ton of threads on mod_sec but many of them seem to be geared towards v1. Interestingly enough, I'm fairly familiar with v1 from an older server of mine, but the syntax differences between v1 & v2 rulesets are considerable.

Again, thank you, thank you.
I'll keep you posted!
-Mike

Mike01

Still getting nowhere. :(



So, I created the folder /usr/local/apache/conf/modsec/
Copied the .conf files into it.

I did as Infopro suggested:
> Modify: modsec2.user.conf to tell mod security to look for your rulesets. For example:
>
> Include /usr/local/apache/conf/modsec/10_asl_rules.conf
>
> Restart Apache.
Actual command: Include /usr/local/apache/conf/modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf

No luck - Apache won't restart.

Tried several variations of the Include command...
Include "/usr/local/apache/conf/modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf"
Include /modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf
Include "/modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf"
Include modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf
Include "modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf"



So, I installed ConfigServer ModSecurity Control ...(quite painless).
Restarted Apache.

I see all my rules listed under the ConfigServer ModSecurity Tools section.



I'm skeptical it's working.

One of the rule files is: modsec/modsecurity_crs_42_comment_span.conf
This file contains the rule:
Code:
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
Very common spam I'm still getting has its source IP on the spamhaus.org blacklist.
Clearly that spam should have been blocked, but it wasn't.


Is every file/rule listed in the "ConfigServer ModSecurity Tools" section configured to run?
Or do I need to do something to make them "active"?



When I go to the Mod_Security plugin and click on "Edit Configuration" the same default rules are there, except with the commented out lines I added and the line: Include /usr/local/apache/conf/modsec2.whitelist.conf (an empty file)

I've searched google & the forums extensively and all I find is either unrelated or unresolved.

Sorry, just don't know why I'm not connecting the dots in my head or what I'm doing wrong.
I must be overthinking something because I'm sure this isn't normally so difficult.

Your generous help is greatly appreciated.
Come to Phoenix...the beer is on me!
-Mike

quizknows

Mike-

Rules breakdown usually works like this:

/usr/local/apache/conf/modsec2.conf is made by easyapache when you select mod_security. This file is included in /usr/local/apache/conf/httpd.conf, and it calls /usr/local/apache/conf/modsec2.user.conf as an include. You configure your rules in modsec2.user.conf.

In one of your previous posts, it looks like you used relative paths; while this will work in some cases, full paths are likely to be easier for you. This is what my modsec2.user.conf looks like with the ASL rules:

Code:
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp

SecRequestBodyAccess On

Include "/usr/local/apache/conf/modsec2/00_asl_whitelist.conf"
Include "/usr/local/apache/conf/modsec2/05_asl_exclude.conf"
Include "/usr/local/apache/conf/modsec2/10_asl_antimalware.conf"
Include "/usr/local/apache/conf/modsec2/10_asl_rules.conf"
Include "/usr/local/apache/conf/modsec2/11_asl_data_loss.conf"
Include "/usr/local/apache/conf/modsec2/20_asl_useragents.conf"
Include "/usr/local/apache/conf/modsec2/30_asl_antispam.conf"
Include "/usr/local/apache/conf/modsec2/30_asl_antispam_referrer.conf"
Include "/usr/local/apache/conf/modsec2/40_asl_apache2-rules.conf"
Include "/usr/local/apache/conf/modsec2/50_asl_rootkits.conf"
Include "/usr/local/apache/conf/modsec2/60_asl_recons.conf"
Include "/usr/local/apache/conf/modsec2/99_asl_exclude.conf"
Include "/usr/local/apache/conf/modsec2/99_asl_jitp.conf"
Include "/usr/local/apache/conf/modsec2/99_asl_redactor.conf"
Include "/usr/local/apache/conf/modsec2/99_YOUR_CUSTOM_WHITELIST.conf"
If you use configserver for whitelist rules, it will usually make them in domain-specific include files (the ones EA will put into httpd.conf for each domain, in a subdirectory under /usr/local/apache/conf/userdata/std/).

The CRS, while nice, in my opinion is not nearly as nice as the ASL rules. The CRS will have a lot more false positives if not tailored for your application.

I recommend downloading these rules, extracting all the rules to /usr/local/apache/conf/modsec2/, and copying my modsec2.user.conf above. Then restart apache. This will get you going in no time. You can test easily by going to:

anydomainonyourserver.com/any.php?../../../

Rules:

http://atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz

If you want to include some rules from CRS, you can probably call those files as includes to their full paths as well.
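The step that broke Apache in this thread was an Include line in modsec2.user.conf pointing at a relative or non-existent file. The script below is an added example, not code from the thread or from cPanel: it lists every Include directive in a config file and flags any path that is relative or missing, so you can check the file before restarting Apache. The config it inspects is a constructed sample in a temp directory, with the same shape as the modsec2.user.conf posted above; on a real server you would point check_includes at /usr/local/apache/conf/modsec2.user.conf.

```shell
#!/bin/sh
# Added example: audit the Include lines of a modsec2.user.conf.
# All paths below are constructed for the demo; none come from a live server.

# Constructed sample: one valid absolute include, one relative include
# (the form that failed in the thread), and one absolute path that does not exist.
WORK=$(mktemp -d)
mkdir -p "$WORK/modsec2"
touch "$WORK/modsec2/10_asl_rules.conf"
cat > "$WORK/modsec2.user.conf" <<EOF
SecRequestBodyAccess On
Include "$WORK/modsec2/10_asl_rules.conf"
Include modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf
Include "$WORK/modsec2/99_YOUR_CUSTOM_WHITELIST.conf"
EOF

# check_includes CONF
# Prints one line per Include directive: "ok PATH", "RELATIVE PATH" or "MISSING PATH".
# Apache resolves a relative Include against ServerRoot, which is the usual
# reason a hand-typed include works in one place and breaks the restart in another.
check_includes() {
    conf=$1
    grep -E '^[[:space:]]*[Ii]nclude[[:space:]]' "$conf" |
    sed -E 's/^[[:space:]]*[Ii]nclude[[:space:]]+//; s/^"//; s/"[[:space:]]*$//' |
    while IFS= read -r path; do
        case $path in
            /*) if [ -f "$path" ]; then echo "ok $path"; else echo "MISSING $path"; fi ;;
            *)  echo "RELATIVE $path" ;;
        esac
    done
}

# include_problems CONF
# Prints the number of Include lines that are not "ok" (0 means safe to configtest).
include_problems() {
    check_includes "$1" | grep -cv '^ok '
}

check_includes "$WORK/modsec2.user.conf"
echo "problems: $(include_problems "$WORK/modsec2.user.conf")"
```

Once the count is 0, run `apachectl -t` (Apache's own syntax check) before restarting, so a bad rule file surfaces as an error message rather than as a failed restart.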