Minimal OWASP ModSecurity CRS Settings?

polariz

I am using WHM and have installed OWASP ModSecurity CRS, but I want to have only the most crucial secure protections that do not (or at least almost never) cause false positives. So what rules do you suggest to have enabled for this?

I was thinking of ONLY enabling these:

  • REQUEST-30-APPLICATION-ATTACK-LFI
  • REQUEST-31-APPLICATION-ATTACK-RFI
  • REQUEST-41-APPLICATION-ATTACK-SQLI
  • REQUEST-49-BLOCKING-EVALUATION


Do you have any suggestions?
 

keat63

From what I'm learning, I think it all depends on what packages are running.
For instance, Joomla would require different rules disabling to WordPress.

I was told that most installs would remove around 10 rules, but no one has told me any specific 10.
I currently have 960008, 960009, 960015 and 981138 disabled.
I'm not even sure if the results I was seeing were false or true, but I was seeing hundreds of results within 2 hours of installing OWASP.
 

polariz

> From what I'm learning, I think it all depends on what packages are running.
> For instance, Joomla would require different rules disabling to WordPress.
>
> I was told that most installs would remove around 10 rules, but no one has told me any specific 10.
> I currently have 960008, 960009, 960015 and 981138 disabled.
> I'm not even sure if the results I was seeing were false or true, but I was seeing hundreds of results within 2 hours of installing OWASP.

I am also confused. When I first turned it on (all rules were set to default - ALL on), I got hundreds of results after 2 min, which made me turn it off completely.
 

cPanelMichael

Administrator
Staff member
> I am using WHM and have installed OWASP ModSecurity CRS, but I want to have only the most crucial secure protections that do not (or at least almost never) cause false positives. So what rules do you suggest to have enabled for this?

Hello :)

You may find this thread helpful:

OWASP - mod security and wordpress

There are several posts regarding this rule list and its usability.

Thank you.
 

polariz

cPanelMichael, thanks for the info. I read that thread and also added a message. Unfortunately, I just noticed a lot of people addressing many of the issues like me.... Still, I am waiting for an answer to my initial question mentioned in the 1st post here.
 

Infopro

> cPanelMichael, thanks for the info. I read that thread and also added a message. Unfortunately, I just noticed a lot of people addressing many of the issues like me....

I have removed your post in the other thread; cross-posting only confuses an issue.

> Still, I am waiting for an answer to my initial question mentioned in the 1st post here.

There is no perfect list to suggest, IMHO. All of the rulesets ideally could be used, the only need being to disable specific rules for your own needs. That thread you were linked to discusses issues with WordPress; some rules need to be disabled for it to work properly, for one example.
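
A way to see which rule IDs account for the alert volume described in this thread before disabling anything, as an added example that is not code from any poster or from cPanel. It assumes ModSecurity 2.x style error-log lines carrying `[client ...]`, `[id "..."]`, `[hostname "..."]` and `[uri "..."]` fields; the sample lines, the function names and the `min_clients` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample shaped like ModSecurity 2.x lines in the Apache error log
# (abbreviated; clients, hostnames and URIs are invented for illustration).
SAMPLE_LOG = """\
[client 198.51.100.7] ModSecurity: Warning. [id "960015"] [msg "Request Missing an Accept Header"] [hostname "blog.example.com"] [uri "/wp-cron.php"]
[client 198.51.100.8] ModSecurity: Warning. [id "960015"] [msg "Request Missing an Accept Header"] [hostname "blog.example.com"] [uri "/feed/"]
[client 198.51.100.9] ModSecurity: Warning. [id "960015"] [msg "Request Missing an Accept Header"] [hostname "shop.example.com"] [uri "/index.php"]
[client 203.0.113.20] ModSecurity: Warning. [id "960015"] [msg "Request Missing an Accept Header"] [hostname "shop.example.com"] [uri "/index.php"]
[client 203.0.113.20] ModSecurity: Warning. [id "960009"] [msg "Request Missing a User Agent Header"] [hostname "shop.example.com"] [uri "/index.php"]
[client 203.0.113.20] ModSecurity: Warning. [id "960009"] [msg "Request Missing a User Agent Header"] [hostname "shop.example.com"] [uri "/admin/"]
[client 198.51.100.7] PHP Notice: unrelated line without a ModSecurity record
"""

FIELD = re.compile(r'\[(id|hostname|uri) "([^"]*)"\]')
CLIENT = re.compile(r'\[client ([^\]\s]+)\]')

def tally(log_text):
    """Per rule ID: number of hits, distinct clients, distinct (hostname, uri) pairs."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set()})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue                      # skip non-ModSecurity log lines
        fields = dict(FIELD.findall(line))
        if "id" not in fields:
            continue                      # record without a rule ID
        entry = stats[fields["id"]]
        entry["hits"] += 1
        client = CLIENT.search(line)
        if client:
            entry["clients"].add(client.group(1))
        entry["uris"].add((fields.get("hostname", ""), fields.get("uri", "")))
    return dict(stats)

def review_candidates(stats, min_clients=3):
    """Rule IDs triggered by many distinct clients: review these first by hand.
    Assumption: broad, uniform triggering is more often noise than one attacker."""
    return sorted(rid for rid, s in stats.items() if len(s["clients"]) >= min_clients)

if __name__ == "__main__":
    stats = tally(SAMPLE_LOG)
    for rid, s in sorted(stats.items(), key=lambda kv: -kv[1]["hits"]):
        print(rid, s["hits"], "hits,", len(s["clients"]), "clients,", len(s["uris"]), "URIs")
    print("review first:", review_candidates(stats))
```

A rule confirmed as a false positive for a given site can then be switched off by ID with ModSecurity's `SecRuleRemoveById` directive rather than by dropping a whole rule file.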