Mod security conf

Discussion in 'Security' started by lexor, Sep 28, 2006.

  1. lexor

    lexor Member

    Joined:
    Aug 8, 2006
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Hello guys,
    I'm new here. I'm trying to use mod security. I found some useful rules in the cPanel forum, copy-pasted them into the WHM mod security config, and it's working great, blocking some asshole who's trying to exploit my server.
    But I really can't figure out how I can enable and configure mod security to use the 5.conf file and update it automatically.
    Help me please.
    Thanks
    Sam
     
  2. angelina_holy

    angelina_holy Well-Known Member

    Joined:
    Aug 6, 2006
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Maybe this will help:
    cd /root
    wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
    tar zxvf modsecurity-apache_1.9.4.tar.gz
    cd modsecurity-apache_1.9.4


    Then check the version of Apache using /usr/local/apache/bin/httpd -v

    For apache 1
    cd apache1/
    For apache 2
    cd apache2/


    Run the commands below


    /usr/local/apache/bin/apxs -cia mod_security.c
    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup


    Then browse to www.acunett.com/files/mod_sec.conf

    Go to /usr/local/apache/conf/ and run pico mod_sec.conf

    Copy the code from www.acunett.com/files/mod_sec.conf

    And paste it into mod_sec.conf

    Search for “IfModule mod_user”

    After the closing </ifmodule> put

    For CPANEL
    Include "/usr/local/apache/conf/mod_sec.conf"
     
  3. lexor

    lexor Member

    Joined:
    Aug 8, 2006
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Thanks a lot, I'll try it today.
     
  4. lexor

    lexor Member

    Joined:
    Aug 8, 2006
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Thanks a lot, it's working, great help... :)
     
  5. SherKhan

    SherKhan Member

    Joined:
    Nov 29, 2001
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Unfortunately, the link is dead.
    Can anyone repost this?

    BTW, thank you for the awesome step-by-step, really helpful.
     
  6. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
  7. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    HostMerit has a decent ruleset, but they are missing a few things I would suggest adding in.
     
  8. kuwaitnt

    kuwaitnt Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    What would you like to add?

    So we can add it manually to that configuration file :D
     
  9. SherKhan

    SherKhan Member

    Joined:
    Nov 29, 2001
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I'll second the request from KuwaitNT.
    :D

    Thank you very much, casey, for pointing this link out, very useful.
     
  10. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    What would you suggest adding in?
     
  11. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    Rather useless post, don't you think?
     
  12. Bulent Tekcan

    Bulent Tekcan Well-Known Member

    Joined:
    May 11, 2004
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    Code:
    #phpbb wormsign
    SecFilterSelective THE_REQUEST "echo _GHC/RST_"
    
    #Generic PHP avatar upload exploits
    SecFilterSelective REQUEST_URI "\.php" chain
    SecFilterSelective POST_PAYLOAD "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
    SecFilter "\<\?php" chain
    SecFilter "\?>"
    
    #Fake image file shell attack
    SecFilterSelective HTTP_Content-Type "image/.*"
    SecFilterSelective POST_PAYLOAD "chr\("
    
    #bogus graphics file
    SecFilterSelective HTTP_Content-Disposition "\.php" chain
    SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
    These entries are doubled in that file...


    And also many entries are doubled or appear 3 times... for example this:

    SecFilter "^(GET|POST).*Host:.*^(GET|POST)"
     
    #12 Bulent Tekcan, Nov 7, 2006
    Last edited: Nov 7, 2006
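
    A chain-aware duplicate check for the repeated entries reported in post #12, as an added example that is not part of the original thread or of any ruleset mentioned in it. It treats a rule ending in chain plus the rules that follow it as one unit, so a rule that appears both inside a chain and on its own is not reported as a duplicate. The function names and the sample config are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Tokens (directive included) that precede the optional action list.
ARGS_BEFORE_ACTIONS = {"secfilter": 2, "secfilterselective": 3}

# Constructed sample: rules quoted in the thread, some of them repeated.
SAMPLE = r'''
SecFilterSelective THE_REQUEST "echo _GHC/RST_"
SecFilterSelective HTTP_Content-Disposition "\.php" chain
SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
SecFilter "^(GET|POST).*Host:.*^(GET|POST)"
SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
SecFilterSelective   THE_REQUEST   "echo _GHC/RST_"
SecFilterSelective HTTP_Content-Disposition "\.php" chain
SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
SecFilter "^(GET|POST).*Host:.*^(GET|POST)"
SecFilter "^(GET|POST).*Host:.*^(GET|POST)"
'''

def parse_units(conf_text):
    """Yield (first_line_no, unit); a unit is one rule or one whole chain."""
    pending, start = [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:              # unbalanced quote: compare raw words
            tokens = line.split()
        need = ARGS_BEFORE_ACTIONS.get(tokens[0].lower())
        if need is None:                # not a filter rule, e.g. SecFilterEngine
            continue
        actions = tokens[need].lower().split(",") if len(tokens) > need else []
        start = start or no
        pending.append((tokens[0].lower(), *tokens[1:]))
        if "chain" not in actions:      # rule or chain ends here
            yield start, tuple(pending)
            pending, start = [], None
    if pending:                         # file ended in the middle of a chain
        yield start, tuple(pending)

def find_duplicates(conf_text):
    """Map each repeated unit to the line numbers where it starts."""
    seen = defaultdict(list)
    for no, unit in parse_units(conf_text):
        seen[unit].append(no)
    return {unit: nos for unit, nos in seen.items() if len(nos) > 1}
```

    Calling find_duplicates() on the text of a rules file returns each repeated rule or chain with the line numbers where its copies start; keep one copy and re-test the configuration before restarting Apache.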
  13. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    For those who don't know about it, some of the best rules for mod_security
    can be found at http://www.gotroot.com and it's frequently updated and
    kept current with the latest hacking threats and exploits.
     
  14. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    I'd love to hear what you think's missing, ramprage. Actually, I'd suggest adding my rules to your tutorial / ruleset as it only has 5 or 6. :rolleyes:

    I personally grep domlogs / error logs to find and block the newest exploits. Many, many, many people use my conf with no issue, and trust me... it's quite secure. cPanel actually used my mod_security conf at HostingCon last year in a Security presentation. :D
     
  15. katmai

    katmai Well-Known Member

    Joined:
    Mar 13, 2006
    Messages:
    526
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brno, Czech Republic
    Guys, those rules from gotroot are the big ones, okay? For your server you need to select the stuff that you want; you can't just put in, like, all the rulesets and expect the server to work great. In fact, you will just see load going over 40 or 50.

    Everybody must adapt, based on what he expects from his customers and what software you might run on your webserver.

    For example, having 1 website (forum/phpBB) on a server, just that single website, why in the world would you put in rulesets to protect yourself from WordPress and ... Simple Machines forum, and tons of other software?

    This thing needs a lot of attention and you just gotta track your server load vs incoming attacks. Not to mention that a ton of attacks would just be rendered useless by disabling certain functions of PHP (thanks chirpy for the csf thing).
     
  16. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    You are both right and wrong here and it really depends on which Apache version you have!

    If you are using Apache 1.x then you would be best advised to select a limited set
    of rules and keep things trimmed down to what you need the most.

    However, things are totally different when talking about Apache 2.x ....

    Apache 2.x is much more efficient in resource usage and does not have any load
    problems loading large mod_security rulesets like when you add those from gotroot.com
    and you can easily add all of them without any loading issues whatsoever.

    We have every single rule file from gotroot.com installed on our servers plus a number of
    additional complex rulesets we created ourselves installed on all of our servers with
    Apache 2.0.59 and our loads very rarely jump above "1" ... occasionally "2" ....
    definitely nowhere close to your "40" or "50" ... and some of those servers I speak of
    actually have more than 600 cpanel hosting accounts loaded too!
     
    #16 Spiral, Nov 8, 2006
    Last edited: Nov 8, 2006
  17. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    What are the limits of the cPanel config for mod security?

    I want to add most of the Mod security core rules from
    http://www.modsecurity.org/download/index.html

    I tried adding just a few of them with the comments and had a problem where it wouldn't save.

    Any ideas?
    Thanks
    Doug
     
  18. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    Add your rules directly to the conf file instead.

    /usr/local/apache/conf/modsec.user.conf
     
  19. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    Didn't cPanel Billy recommend against that?
     
  20. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    The WHM module doesn't work properly, so I don't see that there is any other way of doing it.
     