
Mod security confusion

Discussion in 'Security' started by Mat-d-rat, Aug 30, 2008.

  1. Mat-d-rat

    Mat-d-rat Well-Known Member

    I've just had an OS reinstall on a server, and have been taking measures to secure it. Apache has been rebuilt to 2.2 with mod_security and I have Chirpy's CF installed as well...

    When I use whm->mod_security I see nothing in the logs, same when I click the edit config, it's blank.

    When I use whm->csf->mod_security log - it's still blank, but when I click to edit the modsec2.conf file it shows :-

    Code:
    LoadFile /opt/xml2/lib/libxml2.so
    LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module  modules/mod_security2.so
    <IfModule mod_security2.c>
    SecRuleEngine On
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf 
    #  "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On 
    # SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log 
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec2.user.conf"
    </IfModule>
    
    How can I check what rules, if any, are loaded, and are the 403security.org rules the best to put on?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    In the mod_sec log area, click the link at top for the config. Set to the default config and save. That should get the rules loaded. The default rules are, IMO, a very good place to get you started.

    You can always copy that default config to file and compare it to any others to see the differences.
     
  3. Mat-d-rat

    Mat-d-rat Well-Known Member

    How can I test/check if mod_sec is even working though? Both areas show two different config files... oh heck I'll just install 403sec rules!
     
  4. nibb

    nibb Well-Known Member

    How can we set it to only log but don't block to get false positives?

    What you say about the default rules is not true. I activated them once and it was a mess. Hundreds of web apps were blocked, at least it logged much data from several respectable scripts.

    I'm not sure if the default is the place to go. Are they the default rules from Breach?
     
  5. mohit

    mohit Well-Known Member

    You may need to remove a few rules to allow your users to run their websites smoothly.

    If you are using long rulesets, it may turn out to be very strict and may block legitimate access also.

    Try looking for what was blocked and why; if it's not an intrusion, update the ruleset to match your or your users' needs.
     
  6. nibb

    nibb Well-Known Member

    I don't have my own rules. I used the default provided by cPanel. Those gave problems, and they are supposed to be compatible WHM - cPanel ones.

    I will try to activate them again and see what it logs.

    I do remember it had problems when I tried it some months ago.

    I wish it could be set up just for logging and not blocking but can't find that function.
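
One way to answer the two questions raised above (which rules are loaded, and whether the engine blocks or only logs), as an added example that is not part of any post or of cPanel's tooling: a static read of the config that follows Include lines and reports the SecRuleEngine mode, where DetectionOnly is the value that logs matches without blocking. The contents of modsec2.user.conf, the helper names and the absolute Include paths are assumptions.

```python
import glob
import re
import tempfile
from pathlib import Path

# Constructed sample: main file trimmed from the post above; modsec2.user.conf contents are hypothetical.
MAIN_CONF = '''<IfModule mod_security2.c>
SecRuleEngine {engine}
# SecFilterCheckURLEncoding On
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "{user_conf}"
</IfModule>
'''
USER_CONF = 'SecRule REQUEST_URI "/etc/passwd" deny\nSecRule ARGS "<script" deny\n'
DIRECTIVE = re.compile(r'^\s*(SecRuleEngine|SecRule|Include)\s+"?([^"\s]+)', re.I)

def summarize(path, info=None):
    """Read a config file, following Include lines, and tally what it activates."""
    if info is None:  # SecRuleEngine defaults to Off when never set
        info = {"engine": "Off", "rules": 0, "files": [], "missing": []}
    if not Path(path).is_file():
        info["missing"].append(str(path))
        return info
    info["files"].append(str(path))
    for line in Path(path).read_text().splitlines():
        m = DIRECTIVE.match(line)  # commented-out and other directives do not match
        name, arg = (m.group(1).lower(), m.group(2)) if m else ("", "")
        if name == "secruleengine":
            info["engine"] = arg  # keep the last value seen
        elif name == "secrule":
            info["rules"] += 1
        elif name == "include":  # expand wildcards; an unmatched path is recorded as missing
            for inc in sorted(glob.glob(arg)) or [arg]:
                summarize(inc, info)
    return info

def mode(info):
    return {"on": "blocking", "detectiononly": "log only"}.get(info["engine"].lower(), "disabled")

def demo(engine="On", user_rules=USER_CONF):
    with tempfile.TemporaryDirectory() as d:  # write the constructed sample to disk
        user, main = Path(d, "modsec2.user.conf"), Path(d, "modsec2.conf")
        user.write_text(user_rules)
        main.write_text(MAIN_CONF.format(engine=engine, user_conf=user))
        info = summarize(main)
        return mode(info), info["rules"], len(info["files"])

if __name__ == "__main__":
    print(demo("On"), demo("DetectionOnly"), demo("On", user_rules=""))
```

This reads files on disk, not what the running Apache has loaded. On the config posted above, a rule count of 1 would mean modsec2.user.conf contributes no rules.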
     
  7. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    The rules are only compatible with cPanel, WHM and applications provided by cPanel in their default configuration. Any customization to an application (e.g. adding plugins to WordPress) may cause the application to be blocked by the rule.
     
  8. nibb

    nibb Well-Known Member

    OK, I guess it's fair.

    I tried downloading the gotroot.com rules, but there is a bunch of them; where do they fit into the editor that WHM has? It seems they aren't made for it, or are the WHM global rules.

    The documentation on WHM is null about configuring mod rules, Breach also doesn't say much, but just manual configuration. I don't want to break the WHM mod security integration with them.
     
  9. mikegotroot

    mikegotroot Well-Known Member
