Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Mod Security version and rules version

Discussion in 'Security' started by jimlongo, Jul 24, 2013.

  1. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    211
    Likes Received:
    10
    Trophy Points:
    68
    I assume since I'm on automatic updates every night that my current version of Mod Security is 2.7?

    How do I know what version my rules are - do they need to be v2.x or specifically 2.7? and what would happen if they are old rules and not compatible. Would something alert me to this?

    I'm also using CMC 1.05

    Thanks.
     
    #1 jimlongo, Jul 24, 2013
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,895
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    Mod_Security is enabled through EasyApache, and new versions are pushed through EasyApache updates. You can review changes to the version of Mod_Security in the EasyApache change log:

    EasyApache Change Log

    You will need to run EasyApache if you want to update to a newer version that has been pushed out. Incompatible rules will typically result in a failure when the Apache configuration file is built.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Jul 24, 2013
  3. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    211
    Likes Received:
    10
    Trophy Points:
    68
    Thank You.
     
    #3 jimlongo, Jul 24, 2013
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,011
    Likes Received:
    88
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Running "httpd configtest " at a prompt will tell you if anything is broken, including modsec rules.

    Also, your modsec version does not update automatically; you have to run an easyapache to be on the latest version as Michael noted. You can check the version (among other ways) by tailing the apache error log and hard stopping/starting apache.

    All 2.x rules should work with 2.7.x as long as they have unique numeric IDs.
     
    #4 quizknows, Jul 24, 2013
  5. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,872
    Likes Received:
    89
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 24x7server, Jul 25, 2013
  6. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    211
    Likes Received:
    10
    Trophy Points:
    68
    Thanks, I'm sure the Atomic rules are great but they seem to require quite an investment of time to understand how to install and use them correctly.

    For instance if I try to include the delayed rules by adding . . .

    Include "/usr/local/apache/conf/atomic_modsec_rules/00_asl_z_antievasion.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/09_asl_rules.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_antimalware.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_rules.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/11_asl_adv_rules.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/20_asl_useragents.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/30_asl_antispam.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/50_asl_rootkits.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/60_asl_recons.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/61_asl_recons_dlp.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/99_asl_jitp.conf"

    to /usr/local/apache/conf/modsec2.user.conf

    THEN Apache will not start.
     
    #6 jimlongo, Jul 25, 2013
    Last edited: Jul 25, 2013
  7. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    11
    Trophy Points:
    168
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    What is the error message you get?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 quietFinn, Jul 25, 2013
  8. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    285
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    Make sure Mod_security is updated to 2.7.4 for: 11_asl_adv_rules.conf and it's empty in the delayed rules.

    09_asl_rules.conf may not work with cPanel without ASL installed and it's empty in the delayed rules so disable it.

    30_asl_antispam.conf and 99_asl_jitp.conf are also empty with the delayed rules so you might as well not include those either. It's sad that they removed 99_asl_jitp.conf from the delayed since for me it plays a big part in application protection. Had to upgrade to the realtime rules.

    You may have not updated mod_security to recent 2.7 versions rules is probably the reason you have errors since the other problem files are all empty with the delayed rules.
     
    #8 kdean, Jul 25, 2013
  9. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    211
    Likes Received:
    10
    Trophy Points:
    68
    Thanks for the suggestions . . .

    Mod_security is the latest version 2.7.4
    I've whittled down the rules to remove those empty ones.

    Include "/usr/local/apache/conf/atomic_modsec_rules/00_asl_z_antievasion.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_antimalware.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_rules.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/20_asl_useragents.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/50_asl_rootkits.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/60_asl_recons.conf"
    Include "/usr/local/apache/conf/atomic_modsec_rules/61_asl_recons_dlp.conf"

    Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.

    Same result if I only try to load the 1 rule
    Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_rules.conf"
     
    #9 jimlongo, Jul 25, 2013
  10. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    285
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    Did you follow the install instructions found at the following link and create the required folders and add the configurations settings.

    Although, don't set "SecAuditLogType Concurrent" or else the plugins like "ConfigServer ModSec Control" (which I recommend) won't view the logs.

    https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Special_notes_for_CPANEL_users_not_using_ASL

    - - - Updated - - -

    My current modsec2.user.conf settings for the atomic realtime rules using Apache 2.2.25 and Mod Security 2.7.4:

    SecPcreMatchLimit 50000
    SecPcreMatchLimitRecursion 50000
    SecRequestBodyLimit 220621440
    LimitRequestBody 134217728

    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 220621440
    SecServerSignature Apache
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    #SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyInMemoryLimit 220621440
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial

    Include /usr/local/apache/conf/modsec_rules/00_asl_whitelist.conf
    Include /usr/local/apache/conf/modsec_rules/00_asl_zz_strict.conf
    Include /usr/local/apache/conf/modsec_rules/01_asl_content.conf
    Include /usr/local/apache/conf/modsec_rules/03_asl_dos.conf
    Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
    Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
    Include /usr/local/apache/conf/modsec_rules/11_asl_adv_rules.conf
    Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
    Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
    Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
    Include /usr/local/apache/conf/modsec_rules/51_asl_rootkits.conf
    Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
    Include /usr/local/apache/conf/modsec_rules/61_asl_recons_dlp.conf
    Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf

    - - - Updated - - -

    If you edit modsec2.user.conf using "ConfigServer ModSec Control", when it restarts Apache it provides any rule errors on screen.
     
    #10 kdean, Jul 25, 2013
  11. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    11
    Trophy Points:
    168
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    When doing Apache configuration changes you should always test the config before you try to restart Apache:

    Run:
    Code:
    service httpd -t
    and if you don't see any errors it should be safe to restart Apache.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #11 quietFinn, Jul 25, 2013
  12. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    211
    Likes Received:
    10
    Trophy Points:
    68
    Thanks for all the help.

    i followed the wiki instructions, created the folders and changed ownerships, etc.,
    Followed the link to install ASL. Although it's still confusing to me why the aim -u instruction. What that refers to.
    Pasted your suggested settings (also used the suggested settings from the wiki using only the free files compatible with 2.7.4) into modsec2.user.conf using Mod Sec Control, and got the following errors

    Code:
    Initial configuration generation failed with the following message:

Configuration problem detected on line 61 of file /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf:	Error creating rule: Could not open phrase file "/usr/local/apache/conf/modsec_rules/malware-blacklist.txt": No such file or directory

	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---
	55
	56# Broadcheck
	57#SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" \
	58#        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
	59SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:message|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \
	60        "phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:360000,rev:5,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URL/Argument (AE)',logdata:'%{TX.0}'"
	61 ===> SecRule REQUEST_URI|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|!ARGS:message|XML:/* "@pmFromFile malware-blacklist.txt"  "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace" <===
	62
	63# Rule 330002: Blocklist of known malware sites w/ Anti-evasion features
	64#SecRule REQUEST_URI "!(?:/imp/compose\.php)" \
	65#        "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360002,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist:  Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
	66#SecRule REQUEST_BODY|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|zlib|(?:ht|f)tps?)\:/" "chain"
	67##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---


Rebuilding configuration without any local modifications.

Failed to generate a syntactically correct Apache configuration.
Bad configuration file located at /usr/local/apache/conf/httpd.conf.work.TpctZFUg_PueCsW9
Error:
Configuration problem detected on line 61 of file /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf:	Error creating rule: Could not open phrase file "/usr/local/apache/conf/modsec_rules/malware-blacklist.txt": No such file or directory

	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---
	55
	56# Broadcheck
	57#SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" \
	58#        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
	59SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:message|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \
	60        "phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:360000,rev:5,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URL/Argument (AE)',logdata:'%{TX.0}'"
	61 ===> SecRule REQUEST_URI|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|!ARGS:message|XML:/* "@pmFromFile malware-blacklist.txt"  "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace" <===
	62
	63# Rule 330002: Blocklist of known malware sites w/ Anti-evasion features
	64#SecRule REQUEST_URI "!(?:/imp/compose\.php)" \
	65#        "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360002,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist:  Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
	66#SecRule REQUEST_BODY|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|zlib|(?:ht|f)tps?)\:/" "chain"
	67##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---



Syntax error on line 61 of /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf:
Error creating rule: Could not open phrase file "/usr/local/apache/conf/modsec_rules/malware-blacklist.txt": No such file or directory
     
    #12 jimlongo, Jul 26, 2013
  13. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    11
    Trophy Points:
    168
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    As the error message states:
    When you downloaded the rules there should be the file malware-blacklist.tx, just copy it to that directory.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #13 quietFinn, Jul 26, 2013
  14. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    285
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    Your includes indicate that you uploaded the rules to "atomic_modsec_rules", but as the error indicates, it prefers them to be in "modsec_rules" instead. I'd rename the folder and revise your include statements so it's not a problem in the future.

    You didn't need to or probably shouldn't have installed ASL since that's another commercial solution they have.
     
    #14 kdean, Jul 26, 2013
  15. jimlongo

    jimlongo Well-Known Member

    Joined:
    Mar 20, 2008
    Messages:
    211
    Likes Received:
    10
    Trophy Points:
    68
    Thanks for all your help and suggestions.

    I looked around and found clear concise installation directions for the delayed rules here.

    Except for also needing to eliminate 15_asl_paranoid_rules.conf this worked for me.

    I must say the Atomic rules instructions seem designed as a marketing tool to push people towards the paid services. They are very convoluted and constantly mix the commercial products into the instructions for using the delayed rules.
     
    #15 jimlongo, Jul 28, 2013
  16. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    285
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    Yep, they definitely try to upsell you at every turn.
     
    #16 kdean, Jul 28, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - Security version rules
  1. marcuszan

    security advisor kernel update version issue

    marcuszan, Aug 13, 2018, in forum: Security
    Replies:
    3
    Views:
    163
    cPanelLauren
    Aug 14, 2018
  2. lukekenny

    New Thread ModSecurity Rule Triggered by autodiscover

    lukekenny, Oct 14, 2018 at 5:11 AM, in forum: Security
    Replies:
    0
    Views:
    35
    lukekenny
    Oct 14, 2018 at 5:11 AM
  3. quizknows

    New Thread A Guide to ModSecurity in 2018, for administrators

    quizknows, Oct 12, 2018 at 1:41 PM, in forum: Security
    Replies:
    0
    Views:
    61
    quizknows
    Oct 12, 2018 at 1:41 PM
  4. Peoplespaces

    User Name Security Reserved?

    Peoplespaces, Sep 21, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    71
    cPanelLauren
    Sep 24, 2018
  5. vponteras

    Mail Security Using Host Access Control?

    vponteras, Sep 19, 2018, in forum: Security
    Replies:
    1
    Views:
    61
    cPanelMichael
    Sep 21, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice