lexor

Member
Aug 8, 2006
10
0
151
Hello Guys,
I'm new here. I'm trying to use mod security. I found some useful rules in the cPanel forum and copy-pasted them into the WHM mod security config, and it's working great, blocking some asshole who's trying to exploit my server.
But I really can't figure out how I can enable and configure mod security to use the 5.conf file and update it automatically.
Help me pls.
Thanx
Sam
 

angelina_holy

Well-Known Member
Aug 6, 2006
113
0
166
Maybe this will help
cd /root
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
tar zxvf modsecurity-apache_1.9.4.tar.gz
cd modsecurity-apache_1.9.4


Then check the version of apache using /usr/local/apache/bin/httpd -v

For apache 1
cd apache1/
For apache 2
cd apache2/


Run the commands below


/usr/local/apache/bin/apxs -cia mod_security.c
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup


Then browse www.acunett.com/files/mod_sec.conf

Go into /usr/local/apache/conf/ and run pico mod_sec.conf

Copy paste the code from www.acunett.com/files/mod_sec.conf

And paste in mod_sec.conf

Search for “IfModule mod_user”

After the closing </ifmodule> put

For CPANEL
Include "/usr/local/apache/conf/mod_sec.conf"
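
The last steps of the post above (back up httpd.conf, then put the Include after the closing tag of the "IfModule mod_user" block) written as a repeatable script. This is an added example, not part of the original post; the function names and the sample config are constructed for illustration.

```shell
# Added example, not from the thread: back up an Apache config and insert
# an Include line right after the closing tag of the mod_user IfModule block.
# Usage: add_modsec_include CONF INCLUDE_PATH  (function name is illustrative)
add_modsec_include() {
    conf=$1
    line="Include \"$2\""

    # Idempotent: a second run must not add the Include again.
    if grep -qF "$line" "$conf"; then
        return 0
    fi

    tmp=$(mktemp) || return 1
    if ! awk -v line="$line" '
        { print }
        # Apache directive names are case-insensitive.
        tolower($0) ~ /^[ \t]*<ifmodule[ \t]+mod_user/ { inblock = 1; next }
        inblock && tolower($0) ~ /^[ \t]*<\/ifmodule>/ {
            print line; inblock = 0; found = 1
        }
        END { exit(found ? 0 : 2) }
    ' "$conf" > "$tmp"; then
        rm -f "$tmp"
        return 2            # block not found: config left untouched
    fi

    # Backup first, then overwrite in place so owner and mode are kept.
    cp -p "$conf" "$conf.backup" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Constructed sample config for trying the function out.
sample_httpd_conf() {
    cat <<'EOF'
ServerRoot "/usr/local/apache"
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
Listen 80
EOF
}
```

Running `apachectl configtest` after the edit and before restarting Apache catches a broken Include; if it fails, the `.backup` copy can be restored.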
 

SherKhan

Member
Nov 29, 2001
9
0
301
I'll second the request from KuwaitNT.
:D

Thank you very much casey for pointing this link out, very useful.
 

Bulent Tekcan

Well-Known Member
May 11, 2004
182
1
168
cPanel Access Level
Root Administrator
Code:
#phpbb wormsign
SecFilterSelective THE_REQUEST "echo _GHC/RST_"

#Generic PHP avatar upload exploits
SecFilterSelective REQUEST_URI "\.php" chain
SecFilterSelective POST_PAYLOAD "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecFilter "\<\?php" chain
SecFilter "\?>"

#Fake image file shell attack
SecFilterSelective HTTP_Content-Type "image/.*"
SecFilterSelective POST_PAYLOAD "chr\("

#bogus graphics file
SecFilterSelective HTTP_Content-Disposition "\.php" chain
SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
These entries are doubled in that file.....


And also many entries appear twice or 3 times.... for example this

SecFilter "^(GET|POST).*Host:.*^(GET|POST)"
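
One way to check a mod_security 1.x rule file for the repeated entries described in the post above; this is an added example, not part of the original post. It treats a run of rules joined by `chain` as one unit, so the same first line in two different chains is not reported. The function names and the sample rules are constructed, and it assumes the action list (for example `chain`) is the last field of a rule.

```shell
# Added example, not from the thread. Reports SecFilter/SecFilterSelective
# rules that occur more than once; a "chain" group counts as one unit.
# Output per duplicate: COUNT <TAB> FIRST_LINE <TAB> RULE (spacing normalised)
find_duplicate_rules() {
    awk '
        function emit() {
            if (unit == "") return
            if (!(unit in count)) { first[unit] = start; order[++n] = unit }
            count[unit]++
            unit = ""
        }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        /^[ \t]*SecFilter(Selective)?[ \t]/ {
            rule = $0
            gsub(/^[ \t]+|[ \t]+$/, "", rule)
            gsub(/[ \t]+/, " ", rule)
            if (unit == "") start = NR
            unit = (unit == "" ? rule : unit " => " rule)
            # Assumption: the action list is the last field, e.g. chain or "deny,chain"
            last = $NF; gsub(/"/, "", last)
            chained = 0
            m = split(last, acts, ",")
            for (i = 1; i <= m; i++) if (acts[i] == "chain") chained = 1
            if (!chained) emit()
            next
        }
        { emit() }                           # any other directive ends a unit
        END {
            emit()
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    printf "%d\t%d\t%s\n", count[order[i]], first[order[i]], order[i]
        }
    ' "$1"
}

# Constructed sample input (not a real rule file).
sample_rules() {
    cat <<'EOF'
SecFilterSelective REQUEST_URI "\.php" chain
SecFilter "\?>"
SecFilter "^(GET|POST).*Host:.*^(GET|POST)"
SecFilterSelective REQUEST_URI "\.php" chain
SecFilter "chr\("
SecFilter "^(GET|POST).*Host:.*^(GET|POST)"
SecFilterSelective REQUEST_URI   "\.php" chain
SecFilter "\?>"
EOF
}
```

On the sample, the two-rule chain starting at line 1 and the single rule at line 3 are each reported with a count of 2, while the chain at lines 4-5 is left alone because its second rule differs.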
 

Spiral

BANNED
Jun 24, 2005
2,020
8
193
For those who don't know about it, some of the best rules for mod_security
can be found at http://www.gotroot.com and it's frequently updated and
kept current with the latest hacking threats and exploits.
 

HostMerit

Well-Known Member
Oct 24, 2004
164
0
166
New Jersey, USA
cPanel Access Level
DataCenter Provider
I'd love to hear what you think's missing Rampage, actually I'd suggest adding my rules to your tutorial / ruleset as it only has 5 or 6. :rolleyes:

I personally grep domlogs / error logs to find and block the newest exploits, many many many people use my conf with no issue, and trust me.... It's quite secure. cPanel actually used my mod_security conf at HostingCon last year in a Security presentation. :D
 

katmai

Well-Known Member
Mar 13, 2006
564
3
168
Brno, Czech Republic
guys those rules from gotroot are the big ones okay ? for your server you need to select the stuff that you want you can't just put in like all the rulesets and expect the server will work great, in fact you will just see load going over 40 50.

everybody must adapt, based on what he expects from his customers, and what software you might run on your webserver.

for example, having 1 website (forum/phpbb) on a server, just that single website, why in the world would you put rulesets to protect yourself from wordpress and ... simplemachines forum, and other tons of software.

this thing pays a lot of attention and you just gotta track your server load vs incoming attacks. not to mention that a ton of attacks would just go useless by disabling certain functions of php (thanks chirpy for the csf thing)
 

Spiral

BANNED
Jun 24, 2005
2,020
8
193
> guys those rules from gotroot are the big ones okay ? for your server you need to select the stuff that you want you can't just put in like all the rulesets and expect the server will work great, in fact you will just see load going over 40 50.

You are both right and wrong here and it really depends on which Apache version you have!

If you are using Apache 1.x then you would be best advised to select a limited set
of rules and keep things trimmed down to what you need the most.

However, things are totally different when talking about Apache 2.x ....

Apache 2.x is much more efficient in resources usage and does not have any load
problems loading large mod_security rulesets like when you add those from gotroot.com
and you can easily add all of them without any loading issues whatsoever.

We have every single rule file from gotroot.com installed on our servers plus a number of
additional complex rulesets we created ourselves installed on all of our servers with
Apache 2.0.59 and our loads very rarely jump above "1" ... occasionally "2" ....
definitely nowhere close to your "40" or "50" ... and some of those servers I speak of
actually have more than 600 cpanel hosting accounts loaded too!
 

jayh38

Well-Known Member
Mar 3, 2006
1,213
0
166
Add your rules directly to the conf file instead.

/usr/local/apache/conf/modsec.user.conf