The Community Forums


Mod Security in Critical Systems, Install?

Discussion in 'Security' started by dezagus, Nov 11, 2014.

  1. dezagus

    dezagus Active Member

    Joined:
    Mar 2, 2014
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello All :)

    I have critical systems working in WHM where, if my service goes down for just 5 min, a lot of websites would go down too. So, my question is, to be or not to be, no, seriously: in case of installing Mod Security, is there some type of timeout which I can expect, or is all config empty?

    Regards!
     
  2. Brian

    Brian Well-Known Member

    Joined:
    Dec 1, 2010
    Messages:
    117
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    ModSecurity, like most security related features, has the potential to block users from visiting sites. The goal, as always, is to only block malicious traffic. But as with any blocking feature (brute force, anti-spam, etc) you run the risk of false positives.

    In short, yes, it is possible for you to cause downtime for clients if you have a ModSecurity rule that inadvertently blocks good traffic. This is just the same risk as having an anti-spam rule or anti-spam software that might block a good piece of email.

    The best advice I have is for you to set the ModSecurity engine to the "report only" mode (so it will log what it WOULD have blocked, but not actually block the traffic). From there, you can review if you would've been blocked when viewing the website(s) normally. If everything looks good after a few days/weeks of testing, then you could switch it over to enforce the blocks.

    As of 11.46, cPanel & WHM does not distribute a default set of ModSecurity rules, so you'll need to look into 3rd party ModSecurity rulesets if you are looking to deploy rules. In a future release, we plan to include a distribution of the OWASP ruleset with cPanel & WHM.
     
  3. dezagus

    dezagus Active Member

    Thank you for clarifying :) Very useful! I would set it to "report only". PS: Sometimes the pop-up about activation does not show for me; where can I find it in the WHM dashboard?
     
  4. Brian

    Brian Well-Known Member

    In the event you change your mind with the decision you made in the Feature Manager or didn't see the Feature Showcase, you can manually enable the ModSecurity Domain Manager through the below option:

    1. Go to: WHM
    2. Go to: Feature Manager
    3. Edit the "default" feature list
    4. Check "Mod_Security™ Domain Manager"

    (Note that this is just the cPanel user interface for letting customers turn ModSecurity on/off per-domain. The WHM portion of this feature is always available.)

    To put the mod_security module into "report only" mode, go to the ModSecurity Configuration page in WHM and set the "Engine" option to the mode that says:

    Process the rules in verbose mode, but do not execute disruptive actions.

    That will ensure that they are reporting rules only, and not actually blocking anyone.
     
  5. dezagus

    dezagus Active Member

    You are the man!
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    You will usually find with most rulesets that one or two rules need to be whitelisted for your application. That slight nuisance is well worth the benefits of running a good web application firewall, especially on critical or production systems.

    The recommended method of processing but not disrupting (at first) is a good one. Use the features of your site, and make sure your IP does not show up with any rules being tripped. If it does not, you should be OK to deploy ModSecurity normally. If you notice rules being logged during normal use, disable or adjust the rules (or your code) to stop that. Once you can use the site normally without any ModSecurity notices, then go ahead and deploy.

    If you do run into issues with production it's likely to only affect very specific requests (like long blog posts that contain SQL commands like SELECT, DROP, etc.). Typically all you need to troubleshoot that is the IP of the legitimate visitor who experienced the error, and you can adjust the rule for everyone.
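The two pieces of advice above (Brian's: run in report-only mode and review what would have been blocked; quizknows': check that your own IP trips no rules during normal use, and when a visitor reports an error, find the rule from their IP and adjust it for everyone) both come down to reading the ModSecurity messages in the Apache error_log. The script below is an added example, not code from this thread, from cPanel, or from the posters. It assumes the ModSecurity 2.x error_log message format (`[client IP] ModSecurity: ...` followed by `[id "..."] [msg "..."]` blocks); the sample log lines are constructed for the example, and `exclusion_snippet` is a hypothetical helper that emits a per-URI `SecRuleRemoveById` exclusion for you to place in your own custom rules include.

```python
"""Triage ModSecurity alerts from an Apache error_log by client IP and rule id.

Added example: not code from this thread, from cPanel, or from the posters.
Assumptions: ModSecurity 2.x writes its messages to the Apache error_log in the
"[client IP] ModSecurity: ..." form; SAMPLE_LOG below is constructed for this
example (documentation-range IPs), and its rule ids/messages are illustrative.
"""
import re
from collections import Counter, defaultdict

# Apache 2.2 logs "[client 1.2.3.4]", Apache 2.4 appends ":port"; the optional
# group drops the port so all events from one visitor aggregate under one key.
CLIENT_RE = re.compile(r"\[client ([0-9a-fA-F.:]+?)(?::\d+)?\] ModSecurity: (.*)$")
# Key/value blocks such as [id "981245"] [msg "..."]; msg values may contain \" escapes.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample error_log lines (not from a real server).
SAMPLE_LOG = [
    # The admin's own address (198.51.100.7) trips a SQL rule twice while saving a long blog post.
    '[Tue Nov 11 10:22:01.123456 2014] [:error] [pid 4242] [client 198.51.100.7:51234] '
    'ModSecurity: Warning. Pattern match "(?i:select.*from)" at ARGS:content. '
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "118"] [id "981245"] '
    '[msg "Detects basic SQL authentication bypass attempts 2/3"] [severity "CRITICAL"] '
    '[hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "constructed-0001"]',
    '[Tue Nov 11 10:22:09.654321 2014] [:error] [pid 4242] [client 198.51.100.7:51240] '
    'ModSecurity: Warning. Pattern match "(?i:select.*from)" at ARGS:content. '
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "118"] [id "981245"] '
    '[msg "Detects basic SQL authentication bypass attempts 2/3"] [severity "CRITICAL"] '
    '[hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "constructed-0002"]',
    # A visitor logged (not blocked) by a low-severity header rule.
    '[Tue Nov 11 10:22:30.000000 2014] [:error] [pid 4243] [client 203.0.113.5:40001] '
    'ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. '
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "22"] [id "960015"] '
    '[msg "Request Missing an Accept Header"] [severity "NOTICE"] '
    '[hostname "blog.example.com"] [uri "/"] [unique_id "constructed-0003"]',
    # A request that was actually denied (engine in blocking mode for this rule).
    '[Tue Nov 11 10:22:45.000000 2014] [:error] [pid 4244] [client 203.0.113.9:40555] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "[^\\w]{4,}" at ARGS:q. '
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "140"] [id "981173"] '
    '[msg "Restricted SQL Character Anomaly Detection Alert"] [severity "WARNING"] '
    '[hostname "blog.example.com"] [uri "/search"] [unique_id "constructed-0004"]',
    # An ordinary Apache error that the parser must ignore.
    '[Tue Nov 11 10:23:00.000000 2014] [core:error] [pid 4243] [client 203.0.113.5:40002] '
    'File does not exist: /home/example/public_html/favicon.ico',
]


def parse_modsec_line(line):
    """Return a dict for a ModSecurity message, or None for any other log line."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    ip, rest = m.group(1), m.group(2)
    fields = {k: v.replace('\\"', '"') for k, v in KV_RE.findall(rest)}
    return {
        "client": ip,
        # "Access denied ..." means the request was really blocked; in report-only
        # mode (or for non-disruptive rules) ModSecurity logs "Warning." instead.
        "blocked": rest.startswith("Access denied"),
        "rule_id": fields.get("id", "?"),
        "msg": fields.get("msg", ""),
        "uri": fields.get("uri", ""),
        "host": fields.get("hostname", ""),
    }


def rules_by_client(lines):
    """Map client IP -> Counter of rule ids that fired for it."""
    hits = defaultdict(Counter)
    for line in lines:
        ev = parse_modsec_line(line)
        if ev:
            hits[ev["client"]][ev["rule_id"]] += 1
    return hits


def rules_hit_by(lines, ip):
    """Rules seen for one IP: your own address during report-only testing, or the
    address of a legitimate visitor who reported an error."""
    seen = {}
    for line in lines:
        ev = parse_modsec_line(line)
        if ev and ev["client"] == ip:
            entry = seen.setdefault(ev["rule_id"], {"msg": ev["msg"], "uris": set(), "count": 0})
            entry["uris"].add(ev["uri"])
            entry["count"] += 1
    return seen


def blocked_and_logged(lines):
    """(actually denied, only logged) counts; in report-only mode the first is 0."""
    c = Counter()
    for line in lines:
        ev = parse_modsec_line(line)
        if ev:
            c["blocked" if ev["blocked"] else "logged_only"] += 1
    return c["blocked"], c["logged_only"]


def exclusion_snippet(rule_id, uri):
    """Hypothetical helper: disable one rule for one URI only (the "adjust the
    rule for everyone" step) instead of switching the whole engine off."""
    return (f'<LocationMatch "^{re.escape(uri)}$">\n'
            f"    SecRuleRemoveById {rule_id}\n"
            "</LocationMatch>")


if __name__ == "__main__":
    blocked, logged = blocked_and_logged(SAMPLE_LOG)
    print(f"blocked={blocked} logged_only={logged}")
    for ip, rules in rules_by_client(SAMPLE_LOG).items():
        print(ip, dict(rules))
    for rid, info in rules_hit_by(SAMPLE_LOG, "198.51.100.7").items():
        print(f"\n{rid} x{info['count']} on {sorted(info['uris'])}: {info['msg']}")
        print(exclusion_snippet(rid, sorted(info["uris"])[0]))
```

Run it against a real error_log by replacing `SAMPLE_LOG` with the file's lines; during the report-only period `blocked_and_logged` should report zero denied requests, and `rules_hit_by` for your own IP should come back empty once the rules (or your application's requests) have been adjusted.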
     