The Community Forums

Interact with an entire community of cPanel & WHM users!

Mod Security version and rules version

Discussion in 'Security' started by jimlongo, Jul 24, 2013.

  1. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    145
    Likes Received:
    2
    Trophy Points:
    18
    I assume since I'm on automatic updates every night that my current version of Mod Security is 2.7?

    How do I know what version my rules are? Do they need to be v2.x or specifically 2.7? And what would happen if they are old rules and not compatible? Would something alert me to this?

    I'm also using CMC 1.05

    Thanks.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Mod_Security is enabled through EasyApache, and new versions are pushed through EasyApache updates. You can review changes to the version of Mod_Security in the EasyApache change log:

    EasyApache Change Log

    You will need to run EasyApache if you want to update to a newer version that has been pushed out. Incompatible rules will typically result in a failure when the Apache configuration file is built.

    Thank you.
     
  3. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    145
    Likes Received:
    2
    Trophy Points:
    18
    Thank You.
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Running "httpd configtest" at a prompt will tell you if anything is broken, including modsec rules.

    Also, your modsec version does not update automatically; you have to run an easyapache to be on the latest version as Michael noted. You can check the version (among other ways) by tailing the apache error log and hard stopping/starting apache.

    All 2.x rules should work with 2.7.x as long as they have unique numeric IDs.
     
  5. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
  6. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    145
    Likes Received:
    2
    Trophy Points:
    18
    Thanks, I'm sure the Atomic rules are great but they seem to require quite an investment of time to understand how to install and use them correctly.

    For instance if I try to include the delayed rules by adding . . .

    Include "/usr/local/apache/conf/atomic_modsec_rules/00_asl_z_antievasion.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/09_asl_rules.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_antimalware.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_rules.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/11_asl_adv_rules.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/20_asl_useragents.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/30_asl_antispam.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/50_asl_rootkits.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/60_asl_recons.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/61_asl_recons_dlp.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/99_asl_jitp.conf"

    to /usr/local/apache/conf/modsec2.user.conf

    THEN Apache will not start.
     
    #6 jimlongo, Jul 25, 2013
    Last edited: Jul 25, 2013
  7. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    What is the error message you get?
     
  8. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    262
    Likes Received:
    12
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    Make sure Mod_security is updated to 2.7.4 for: 11_asl_adv_rules.conf and it's empty in the delayed rules.

    09_asl_rules.conf may not work with cPanel without ASL installed and it's empty in the delayed rules so disable it.

    30_asl_antispam.conf and 99_asl_jitp.conf are also empty with the delayed rules so you might as well not include those either. It's sad that they removed 99_asl_jitp.conf from the delayed since for me it plays a big part in application protection. Had to upgrade to the realtime rules.

    You may not have updated mod_security to the recent 2.7 versions; that is probably the reason you have errors, since the other problem files are all empty with the delayed rules.
     
  9. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    145
    Likes Received:
    2
    Trophy Points:
    18
    Thanks for the suggestions . . .

    Mod_security is the latest version 2.7.4
    I've whittled down the rules to remove those empty ones.

    Include "/usr/local/apache/conf/atomic_modsec_rules/00_asl_z_antievasion.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_antimalware.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_rules.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/20_asl_useragents.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/50_asl_rootkits.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/60_asl_recons.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/61_asl_recons_dlp.conf"

    Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.

    Same result if I only try to load the 1 rule
    Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_rules.conf"
     
  10. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    262
    Likes Received:
    12
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    Did you follow the install instructions found at the following link, create the required folders and add the configuration settings?

    Although, don't set "SecAuditLogType Concurrent" or else the plugins like "ConfigServer ModSec Control" (which I recommend) won't view the logs.

    https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Special_notes_for_CPANEL_users_not_using_ASL

    - - - Updated - - -

    My current modsec2.user.conf settings for the atomic realtime rules using Apache 2.2.25 and Mod Security 2.7.4:

    SecPcreMatchLimit 50000
    SecPcreMatchLimitRecursion 50000
    SecRequestBodyLimit 220621440
    LimitRequestBody 134217728

    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 220621440
    SecServerSignature Apache
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    #SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyInMemoryLimit 220621440
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial

    Include /usr/local/apache/conf/modsec_rules/00_asl_whitelist.conf
    Include /usr/local/apache/conf/modsec_rules/00_asl_zz_strict.conf
    Include /usr/local/apache/conf/modsec_rules/01_asl_content.conf
    Include /usr/local/apache/conf/modsec_rules/03_asl_dos.conf
    Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
    Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
    Include /usr/local/apache/conf/modsec_rules/11_asl_adv_rules.conf
    Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
    Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
    Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
    Include /usr/local/apache/conf/modsec_rules/51_asl_rootkits.conf
    Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
    Include /usr/local/apache/conf/modsec_rules/61_asl_recons_dlp.conf
    Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf

    - - - Updated - - -

    If you edit modsec2.user.conf using "ConfigServer ModSec Control", when it restarts Apache it provides any rule errors on screen.
     
  11. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    When doing Apache configuration changes you should always test the config before you try to restart Apache:

    Run:
    Code:
    service httpd -t
    
    and if you don't see any errors it should be safe to restart Apache.
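
    The "test the config before you restart" advice from quizknows and quietFinn above, plus quizknows's tip about reading the ModSecurity version from the Apache error log, written up as a small script. This is an added example, not code from the thread or from cPanel; the httpd binary path, the error_log path and the /scripts/restartsrv_httpd restart command are assumptions for a cPanel EasyApache 3 layout, and the sample log line is constructed in the format ModSecurity 2.x uses for its startup notice.

```python
"""Pre-restart gate for an Apache/ModSecurity configuration change (added example)."""
import re
import subprocess

# Assumed cPanel/EasyApache 3 locations; adjust to the host.
CONFIG_TEST = ["/usr/local/apache/bin/httpd", "-t"]          # same check as "service httpd -t"
ERROR_LOG = "/usr/local/apache/logs/error_log"
RESTART_CMD = ["/scripts/restartsrv_httpd"]                   # assumed cPanel restart script

# Apache reports a bad directive as "Syntax error on line N of FILE:" followed by the detail.
SYNTAX_ERROR_RE = re.compile(r"Syntax error on line (\d+) of (\S+?):?\s*$", re.M)
# ModSecurity 2.x logs "ModSecurity for Apache/X.Y.Z (...) configured." when Apache starts.
MODSEC_VERSION_RE = re.compile(r"ModSecurity for Apache/(\d+\.\d+\.\d+)")


def parse_syntax_error(output):
    """Return (file, line, detail) from a failed config test, or None when it passed."""
    m = SYNTAX_ERROR_RE.search(output)
    if not m:
        return None
    line_no, path = int(m.group(1)), m.group(2)
    rest = output[m.end():].strip().splitlines()
    detail = rest[0].strip() if rest else ""
    return path, line_no, detail


def config_test(cmd=CONFIG_TEST):
    """Run the syntax check; return (ok, combined stdout+stderr)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    out = proc.stdout + proc.stderr
    return proc.returncode == 0 and "Syntax OK" in out, out


def modsec_version(log_lines):
    """Return the most recent ModSecurity version announced in error-log lines, or None."""
    version = None
    for line in log_lines:
        m = MODSEC_VERSION_RE.search(line)
        if m:
            version = m.group(1)
    return version


def safe_restart(restart_cmd=RESTART_CMD):
    """Restart only when the config test passes; otherwise report where it broke."""
    ok, out = config_test()
    if not ok:
        err = parse_syntax_error(out)
        if err:
            path, line_no, detail = err
            print(f"refusing to restart: {path}:{line_no}: {detail}")
        else:
            print("refusing to restart:\n" + out)
        return False
    subprocess.run(restart_cmd, check=True)
    return True


if __name__ == "__main__":
    with open(ERROR_LOG) as fh:
        print("ModSecurity version per error_log:", modsec_version(fh))
    safe_restart()
```

    Run it as root after editing modsec2.user.conf; a broken rule file is reported as file:line plus the "Error creating rule" detail instead of Apache going down, which is exactly the failure mode later in this thread.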
     
  12. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    145
    Likes Received:
    2
    Trophy Points:
    18
    Thanks for all the help.

    I followed the wiki instructions, created the folders and changed ownerships, etc.
    Followed the link to install ASL. Although it's still confusing to me why the aim -u instruction is there and what it refers to.
    Pasted your suggested settings (also used the suggested settings from the wiki, using only the free files compatible with 2.7.4) into modsec2.user.conf using Mod Sec Control, and got the following errors:

    Code:
    Initial configuration generation failed with the following message:
    
    Configuration problem detected on line 61 of file /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf:	Error creating rule: Could not open phrase file "/usr/local/apache/conf/modsec_rules/malware-blacklist.txt": No such file or directory
    
    	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---
    	55
    	56# Broadcheck
    	57#SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" \
    	58#        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
    	59SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:message|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \
    	60        "phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:360000,rev:5,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URL/Argument (AE)',logdata:'%{TX.0}'"
    	61 ===> SecRule REQUEST_URI|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|!ARGS:message|XML:/* "@pmFromFile malware-blacklist.txt"  "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace" <===
    	62
    	63# Rule 330002: Blocklist of known malware sites w/ Anti-evasion features
    	64#SecRule REQUEST_URI "!(?:/imp/compose\.php)" \
    	65#        "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360002,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist:  Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
    	66#SecRule REQUEST_BODY|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|zlib|(?:ht|f)tps?)\:/" "chain"
    	67##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
    	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---
    
    
    Rebuilding configuration without any local modifications.
    
    Failed to generate a syntactically correct Apache configuration.
    Bad configuration file located at /usr/local/apache/conf/httpd.conf.work.TpctZFUg_PueCsW9
    Error:
    Configuration problem detected on line 61 of file /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf:	Error creating rule: Could not open phrase file "/usr/local/apache/conf/modsec_rules/malware-blacklist.txt": No such file or directory
    
    	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---
    	55
    	56# Broadcheck
    	57#SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" \
    	58#        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
    	59SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:message|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \
    	60        "phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:360000,rev:5,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URL/Argument (AE)',logdata:'%{TX.0}'"
    	61 ===> SecRule REQUEST_URI|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|!ARGS:message|XML:/* "@pmFromFile malware-blacklist.txt"  "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace" <===
    	62
    	63# Rule 330002: Blocklist of known malware sites w/ Anti-evasion features
    	64#SecRule REQUEST_URI "!(?:/imp/compose\.php)" \
    	65#        "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360002,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist:  Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
    	66#SecRule REQUEST_BODY|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|zlib|(?:ht|f)tps?)\:/" "chain"
    	67##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
    	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---
    
    
    
    Syntax error on line 61 of /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf:
    Error creating rule: Could not open phrase file "/usr/local/apache/conf/modsec_rules/malware-blacklist.txt": No such file or directory
     
  13. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    As the error message states:
    When you downloaded the rules there should be the file malware-blacklist.txt; just copy it to that directory.
     
  14. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    262
    Likes Received:
    12
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    Your includes indicate that you uploaded the rules to "atomic_modsec_rules", but as the error indicates, it prefers them to be in "modsec_rules" instead. I'd rename the folder and revise your include statements so it's not a problem in the future.

    You didn't need to or probably shouldn't have installed ASL since that's another commercial solution they have.
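
    A pre-flight check for the two things in this thread that make Apache refuse to start: a "@pmFromFile" data file that is not in the directory the rule file lives in (ModSecurity resolves a relative phrase-file path against the rule file's own directory, which is why malware-blacklist.txt was looked for in modsec_rules/), and a numeric rule id used more than once across the set (quizknows's "unique numeric IDs" point). This is an added example, not code from the thread or from Atomicorp; the two-file rule set it checks is constructed in a temporary directory and only imitates the shape of the Atomic rules.

```python
"""Pre-flight checker for a ModSecurity 2.x rules directory (added example)."""
import os
import re
import sys
import tempfile
from collections import defaultdict

# "@pmFromFile name" / "@ipMatchFromFile name" inside a SecRule operator string
FROM_FILE_RE = re.compile(r'"@(?:pmFromFile|pmf|ipMatchFromFile)\s+([^"\s]+)"')
# id:NNN in the action list (\b keeps "sid:" and similar from matching)
RULE_ID_RE = re.compile(r"\bid:'?(\d+)'?")


def logical_lines(path):
    """Yield (first_line_no, text) per directive, joining backslash continuations."""
    buf, start = [], None
    with open(path) as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if start is None:
                if not line.strip() or line.lstrip().startswith("#"):
                    continue            # blank or commented-out rule: ignore
                start = no
            if line.rstrip().endswith("\\"):
                buf.append(line.rstrip()[:-1])
                continue
            buf.append(line)
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def check_rules_dir(rules_dir):
    """Return (missing, duplicates): referenced data files that don't exist, ids seen twice."""
    missing = []                    # (conf name, line no, resolved path)
    seen = defaultdict(list)        # id -> [(conf name, line no), ...]
    for name in sorted(os.listdir(rules_dir)):
        if not name.endswith(".conf"):
            continue
        conf = os.path.join(rules_dir, name)
        for line_no, text in logical_lines(conf):
            if not text.lstrip().startswith("SecRule"):
                continue
            for ref in FROM_FILE_RE.findall(text):
                # relative data files are resolved against the rule file's directory
                target = ref if os.path.isabs(ref) else os.path.join(os.path.dirname(conf), ref)
                if not os.path.isfile(target):
                    missing.append((name, line_no, target))
            for rid in RULE_ID_RE.findall(text):
                seen[int(rid)].append((name, line_no))
    duplicates = {rid: where for rid, where in seen.items() if len(where) > 1}
    return missing, duplicates


def build_sample(tmp):
    """Write a constructed two-file rule set that reproduces the thread's failure."""
    d = os.path.join(tmp, "modsec_rules")
    os.makedirs(d)
    with open(os.path.join(d, "10_asl_antimalware.conf"), "w") as fh:
        fh.write(
            "# Broadcheck (commented out, must be ignored)\n"
            '#SecRule ARGS "@pmFromFile malware-exclusion-local.txt" "id:360000"\n'
            'SecRule REQUEST_URI|ARGS "(?:https?):/" \\\n'
            '        "phase:2,deny,status:403,chain,id:360000,rev:5,msg:\'Malware Site\'"\n'
            '        SecRule ARGS "@pmFromFile malware-blacklist.txt" "t:none"\n'
        )
    with open(os.path.join(d, "20_asl_useragents.conf"), "w") as fh:
        # same id as the rule above: ModSecurity 2.7 rejects the duplicate
        fh.write('SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bad-agents.txt" "id:360000,deny"\n')
    with open(os.path.join(d, "bad-agents.txt"), "w") as fh:
        fh.write("constructed-bad-agent\n")   # this data file is present, so no finding
    return d


def demo():
    """Check the constructed sample and return findings with paths made relative."""
    with tempfile.TemporaryDirectory() as tmp:
        d = build_sample(tmp)
        missing, duplicates = check_rules_dir(d)
        missing = [(c, n, os.path.relpath(p, d)) for c, n, p in missing]
    return missing, duplicates


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real use: python3 check.py /usr/local/apache/conf/modsec_rules
        missing, duplicates = check_rules_dir(sys.argv[1])
    else:
        missing, duplicates = demo()
    for conf, line_no, path in missing:
        print(f"{conf}:{line_no}: referenced data file not found: {path}")
    for rid, where in duplicates.items():
        print(f"rule id {rid} used {len(where)} times: {where}")
```

    Against a real rules directory it prints the same facts Apache would otherwise only reveal by failing to start: which rule file and line references a data file that is not where ModSecurity will look for it, and which ids collide between files.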
     
  15. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    145
    Likes Received:
    2
    Trophy Points:
    18
    Thanks for all your help and suggestions.

    I looked around and found clear concise installation directions for the delayed rules here.

    Except for also needing to eliminate 15_asl_paranoid_rules.conf this worked for me.

    I must say the Atomic rules instructions seem designed as a marketing tool to push people towards the paid services. They are very convoluted and constantly mix the commercial products into the instructions for using the delayed rules.
     
  16. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    262
    Likes Received:
    12
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    Yep, they definitely try to upsell you at every turn.
     