
Help Configuring Rules For Mod_Security2 ?

Discussion in 'Security' started by Mike01, Jun 21, 2013.

  1. Mike01 (Member; cPanel Access Level: Root Administrator)

    Hello all,
    I'm fairly new to cPanel and I seem to be getting along pretty well, but still learning.

    I want to configure mod_security2 with customized rules. ModSec works fine w/ default ruleset from:
    Code:
    /home/cpeasyapache/src/modsec2.user.conf.default
    But I want to integrate SOME of the OWASP rules (not all).
    Been trying to muddle through it but I'm just not connecting the dots in my head.
    I've looked at the ConfigServer Modsecurity Control and I guess it's an option, but I'd prefer to not go that route (guess maybe I have control issues, or something :p )

    There's a nice set of rules just sitting here collecting dust (I added a few):
    Code:
    /home/cpeasyapache/src/modsecurity-apache_2.5.13/rules/base_rules/
    (attached screenshot: mod_sec-rules-list.jpg, a directory listing of the rule files)

    ...but I can't seem to figure out how to get the system to read & implement them.
    Seems this should be easy from this point? Maybe not?

    EDIT: As an interesting note... according to log files, I've got mod_sec 2.7.3


    Any direction?
    Feels like I'm so close, and simply pasting them into the default.conf file seems the incorrect approach.

    Thanks in advance!
    -Mike
     
    #1 Mike01, Jun 21, 2013
    Last edited: Jun 21, 2013
  2. Infopro (cPanel Sr. Product Evangelist, Staff Member; Location: Pennsylvania; cPanel Access Level: Root Administrator)

    Lack of control is ok with you? Yuk. That addon is a must have IMHO. The built in editor for modifying the modsec2.user.conf file alone is worth the 2 seconds it takes to install it. And there are many more options as well of course. ;)

    Once you've got mod_security compiled via Easy Apache, you'll modify that file (modsec2.user.conf) to tell mod security to look for your rulesets. For example:

    Include /usr/local/apache/conf/modsec/10_asl_rules.conf


    You shouldn't use this directory:
    /home/cpeasyapache/src/modsecurity-apache_2.5.13/rules/base_rules/


    From within EasyApache it says this:


    I don't normally post this often, but there are so many threads on installing mod_security and managing it on these forums, I'm not sure this thread requires much more than a nudge for you in the right direction.

    Search google for this:
    site:forums.cpanel.net install mod_security

    In last year. With some reading you'll be on your way in no time.

    In a nutshell: install mod_security via EA, choose the rulesets you wish to use and add them here (for example):
    /usr/local/apache/conf/modsec/

    Modify: modsec2.user.conf to tell mod security to look for your rulesets. For example:

    Include /usr/local/apache/conf/modsec/10_asl_rules.conf

    Restart Apache.


    It's best, I think, if you read up on all this instead of just tossing all the rules you can find into the mix.

    Having use of a GUI to work from by installing ConfigServer's free tool is very, very handy. No matter what rules you end up using.

    GL!
     
  3. Mike01 (Member; cPanel Access Level: Root Administrator)

    Thank you Infopro.
    Maybe I'm just gun-shy on the ConfigServer Modsecurity Control thing being so new to cPanel. I'll give it a serious re-consideration. "Simple" is surely a nice approach to server stuff, too.

    There are a ton of threads on mod_sec but many of them seem to be geared towards v1. Interestingly enough, I'm fairly familiar with v1 from an older server of mine, but the syntax differences between v1 & v2 rulesets are considerable.

    Again, thank you, thank you.
    I'll keep you posted!
    -Mike
     
  4. Mike01 (Member; cPanel Access Level: Root Administrator)

    Still getting nowhere. :(



    So, I created the folder /usr/local/apache/conf/modsec/
    Copied the .conf files into it.

    I did as Infopro suggested:
    Actual command: Include /usr/local/apache/conf/modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf

    No luck - Apache won't restart.

    Tried several variations of the Include command...
    Include "/usr/local/apache/conf/modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf"
    Include /modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf
    Include "/modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf"
    Include modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf
    Include "modsec/modsecurity_crs_46_slr_et_wordpress_attacks.conf"



    So, I installed ConfigServer ModSecurity Control ...(quite painless).
    Restarted Apache.

    I see all my rules listed under the ConfigServer ModSecurity Tools section.



    I'm skeptical it's working.

    One of the rule files is: modsec/modsecurity_crs_42_comment_span.conf
    This file contains the rule:
    Code:
    SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
    
    Very common spam I'm still getting has its source IP on the spamhaus.org blacklist.
    Clearly that spam should have been blocked, but it wasn't.


    Is every file/rule listed in the "ConfigServer ModSecurity Tools" section configured to run?
    Or do I need to do something to make them "active"?



    When I go to the Mod_Security plugin and click on "Edit Configuration" the same default rules are there, except with the commented out lines I added and the line: Include /usr/local/apache/conf/modsec2.whitelist.conf (an empty file)

    I've searched google & the forums extensively and all I find is either unrelated or unresolved.

    Sorry, just don't know why I'm not connecting the dots in my head or what I'm doing wrong.
    I must be overthinking something because I'm sure this isn't normally so difficult.

    Your generous help is greatly appreciated.
    Come to Phoenix...the beer is on me!
    -Mike
     
  5. quizknows (Well-Known Member; cPanel Access Level: DataCenter Provider)

    Mike-

    Rules breakdown usually works like this:

    /usr/local/apache/conf/modsec2.conf is made by easyapache when you select mod_security. This file is included in /usr/local/apache/conf/httpd.conf, and it calls /usr/local/apache/conf/modsec2.user.conf as an include. You configure your rules in modsec2.user.conf.

    In one of your previous posts, it looks like you used relative paths; while this will work in some cases, full paths are likely to be easier for you. This is what my modsec2.user.conf looks like with the ASL rules:

    Code:
    SecUploadDir /tmp
    SecTmpDir /tmp
    SecDataDir /tmp
    
    SecRequestBodyAccess On
    
    Include "/usr/local/apache/conf/modsec2/00_asl_whitelist.conf"
    Include "/usr/local/apache/conf/modsec2/05_asl_exclude.conf"
    Include "/usr/local/apache/conf/modsec2/10_asl_antimalware.conf"
    Include "/usr/local/apache/conf/modsec2/10_asl_rules.conf"
    Include "/usr/local/apache/conf/modsec2/11_asl_data_loss.conf"
    Include "/usr/local/apache/conf/modsec2/20_asl_useragents.conf"
    Include "/usr/local/apache/conf/modsec2/30_asl_antispam.conf"
    Include "/usr/local/apache/conf/modsec2/30_asl_antispam_referrer.conf"
    Include "/usr/local/apache/conf/modsec2/40_asl_apache2-rules.conf"
    Include "/usr/local/apache/conf/modsec2/50_asl_rootkits.conf"
    Include "/usr/local/apache/conf/modsec2/60_asl_recons.conf"
    Include "/usr/local/apache/conf/modsec2/99_asl_exclude.conf"
    Include "/usr/local/apache/conf/modsec2/99_asl_jitp.conf"
    Include "/usr/local/apache/conf/modsec2/99_asl_redactor.conf"
    Include "/usr/local/apache/conf/modsec2/99_YOUR_CUSTOM_WHITELIST.conf"
    
    If you use configserver for whitelist rules, it will usually make them in domain-specific include files (the ones EA will put into httpd.conf for each domain, in a subdirectory under /usr/local/apache/conf/userdata/std/).

    The CRS, while nice, in my opinion is not nearly as nice as the ASL rules. The CRS will have a lot more false positives if not tailored for your application.

    I recommend downloading these rules, extracting all the rules to /usr/local/apache/conf/modsec2/, and copying my modsec2.user.conf above. Then restart apache. This will get you going in no time. You can test easily by going to:

    anydomainonyourserver.com/any.php?../../../

    Rules:

    http://atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz

    If you want to include some rules from CRS, you can probably call those files as includes to their full paths as well.
     
    #5 quizknows, Jun 24, 2013
    Last edited: Jun 24, 2013
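Posts #2 and #5 both come down to the same procedure: put the rule files under a full path and point modsec2.user.conf at them with Include lines, then restart Apache. As an added example (not from the thread), here is a POSIX shell check that resolves each Include line the way Apache does, relative paths against ServerRoot (assumed to be /usr/local/apache, as on cPanel builds), and reports any rule file that cannot be read, so it can be run before the restart that failed in post #4.

```shell
#!/bin/sh
# Validate the Include lines of a modsec2.user.conf before restarting Apache.
# Apache resolves a relative Include path against ServerRoot; on cPanel builds
# that is /usr/local/apache (assumed here, override with SERVER_ROOT=...).
SERVER_ROOT="${SERVER_ROOT:-/usr/local/apache}"

# check_includes CONF
# Prints one status line per Include directive and returns 1 if any
# included file cannot be read, so the caller can skip the restart.
check_includes() {
    conf="$1"
    missing=0
    while read -r directive path _; do
        [ -n "$directive" ] || continue
        # Accept both  Include "/path/x.conf"  and  Include /path/x.conf
        path=${path#\"}; path=${path%\"}
        case "$path" in
            /*) full="$path" ;;
            *)  full="$SERVER_ROOT/$path"
                echo "note: relative path '$path' resolved against ServerRoot" ;;
        esac
        # Include accepts wildcards; expand them and test the first match.
        set -- $full
        if [ -r "$1" ]; then
            echo "ok      $1"
        else
            echo "MISSING $full"
            missing=$((missing + 1))
        fi
    done <<EOF
$(grep -iE '^[[:space:]]*Include[[:space:]]' "$conf")
EOF
    [ "$missing" -eq 0 ]
}

# Typical use on the server (left commented so the script runs anywhere):
# check_includes /usr/local/apache/conf/modsec2.user.conf \
#   && apachectl configtest && apachectl graceful
```

Lines commented out with # are ignored, and a relative Include (such as the modsec/... variants tried in post #4) is flagged so you can see which file Apache would actually look for.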