Mod Security version and rules version

[jimlongo]

I assume since I'm on automatic updates every night that my current version of Mod Security is 2.7?

How do I know what version my rules are - do they need to be v2.x or specifically 2.7? and what would happen if they are old rules and not compatible. Would something alert me to this?

I'm also using CMC 1.05

Thanks.

 

[cPanelMichael]

Hello

Mod_Security is enabled through EasyApache, and new versions are pushed through EasyApache updates. You can review changes to the version of Mod_Security in the EasyApache change log:

EasyApache Change Log

You will need to run EasyApache if you want to update to a newer version that has been pushed out. Incompatible rules will typically result in a failure when the Apache configuration file is built.

Thank you.

 

[jimlongo]

Thank You.

 

[quizknows]

Running "httpd configtest " at a prompt will tell you if anything is broken, including modsec rules.

Also, your modsec version does not update automatically; you have to run an easyapache to be on the latest version as Michael noted. You can check the version (among other ways) by tailing the apache error log and hard stopping/starting apache.

All 2.x rules should work with 2.7.x as long as they have unique numeric IDs.

 

[24x7server]

Also to keep your mod_sec with hardened rules, you can also have a look on atomic mod sec rules. As they are really good for security.

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules

 

[jimlongo]

Thanks, I'm sure the Atomic rules are great but they seem to require quite an investment of time to understand how to install and use them correctly.

For instance if I try to include the delayed rules by adding . . .

Include "/usr/local/apache/conf/atomic_modsec_rules/00_asl_z_antievasion.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/09_asl_rules.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_antimalware.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_rules.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/11_asl_adv_rules.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/20_asl_useragents.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/30_asl_antispam.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/50_asl_rootkits.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/60_asl_recons.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/61_asl_recons_dlp.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/99_asl_jitp.conf"

to /usr/local/apache/conf/modsec2.user.conf

THEN Apache will not start.

 

[quietFinn]

THEN Apache will not start.

What is the error message you get?

 

[kdean]

Make sure Mod_security is updated to 2.7.4 for: 11_asl_adv_rules.conf and it's empty in the delayed rules.

09_asl_rules.conf may not work with cPanel without ASL installed and it's empty in the delayed rules so disable it.

30_asl_antispam.conf and 99_asl_jitp.conf are also empty with the delayed rules so you might as well not include those either. It's sad that they removed 99_asl_jitp.conf from the delayed since for me it plays a big part in application protection. Had to upgrade to the realtime rules.

You may have not updated mod_security to recent 2.7 versions rules is probably the reason you have errors since the other problem files are all empty with the delayed rules.

 

[jimlongo]

Thanks for the suggestions . . .

Mod_security is the latest version 2.7.4
I've whittled down the rules to remove those empty ones.

Include "/usr/local/apache/conf/atomic_modsec_rules/00_asl_z_antievasion.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_antimalware.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_rules.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/20_asl_useragents.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/50_asl_rootkits.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/60_asl_recons.conf"
Include "/usr/local/apache/conf/atomic_modsec_rules/61_asl_recons_dlp.conf"

Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.

Same result if I only try to load the 1 rule
Include "/usr/local/apache/conf/atomic_modsec_rules/10_asl_rules.conf"

 

[kdean]

Did you follow the install instructions found at the following link and create the required folders and add the configurations settings.

Although, don't set "SecAuditLogType Concurrent" or else the plugins like "ConfigServer ModSec Control" (which I recommend) won't view the logs.

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Special_notes_for_CPANEL_users_not_using_ASL

- - - Updated - - -

My current modsec2.user.conf settings for the atomic realtime rules using Apache 2.2.25 and Mod Security 2.7.4:

SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecRequestBodyLimit 220621440
LimitRequestBody 134217728

SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 220621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 220621440
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

Include /usr/local/apache/conf/modsec_rules/00_asl_whitelist.conf
Include /usr/local/apache/conf/modsec_rules/00_asl_zz_strict.conf
Include /usr/local/apache/conf/modsec_rules/01_asl_content.conf
Include /usr/local/apache/conf/modsec_rules/03_asl_dos.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/11_asl_adv_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/51_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/61_asl_recons_dlp.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf

- - - Updated - - -

If you edit modsec2.user.conf using "ConfigServer ModSec Control", when it restarts Apache it provides any rule errors on screen.

 

[quietFinn]

When doing Apache configuration changes you should always test the config before you try to restart Apache:

Run:

service httpd -t

and if you don't see any errors it should be safe to restart Apache.

 

[jimlongo]

Thanks for all the help.

i followed the wiki instructions, created the folders and changed ownerships, etc.,
Followed the link to install ASL. Although it's still confusing to me why the aim -u instruction. What that refers to.
Pasted your suggested settings (also used the suggested settings from the wiki using only the free files compatible with 2.7.4) into modsec2.user.conf using Mod Sec Control, and got the following errors

Initial configuration generation failed with the following message:

Configuration problem detected on line 61 of file /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf:	Error creating rule: Could not open phrase file "/usr/local/apache/conf/modsec_rules/malware-blacklist.txt": No such file or directory

	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---
	55
	56# Broadcheck
	57#SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" \
	58#        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
	59SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:message|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \
	60        "phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:360000,rev:5,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URL/Argument (AE)',logdata:'%{TX.0}'"
	61 ===> SecRule REQUEST_URI|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|!ARGS:message|XML:/* "@pmFromFile malware-blacklist.txt"  "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace" <===
	62
	63# Rule 330002: Blocklist of known malware sites w/ Anti-evasion features
	64#SecRule REQUEST_URI "!(?:/imp/compose\.php)" \
	65#        "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360002,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist:  Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
	66#SecRule REQUEST_BODY|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|zlib|(?:ht|f)tps?)\:/" "chain"
	67##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---


Rebuilding configuration without any local modifications.

Failed to generate a syntactically correct Apache configuration.
Bad configuration file located at /usr/local/apache/conf/httpd.conf.work.TpctZFUg_PueCsW9
Error:
Configuration problem detected on line 61 of file /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf:	Error creating rule: Could not open phrase file "/usr/local/apache/conf/modsec_rules/malware-blacklist.txt": No such file or directory

	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---
	55
	56# Broadcheck
	57#SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" \
	58#        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
	59SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:message|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \
	60        "phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:360000,rev:5,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URL/Argument (AE)',logdata:'%{TX.0}'"
	61 ===> SecRule REQUEST_URI|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|!ARGS:message|XML:/* "@pmFromFile malware-blacklist.txt"  "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace" <===
	62
	63# Rule 330002: Blocklist of known malware sites w/ Anti-evasion features
	64#SecRule REQUEST_URI "!(?:/imp/compose\.php)" \
	65#        "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360002,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist:  Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
	66#SecRule REQUEST_BODY|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|zlib|(?:ht|f)tps?)\:/" "chain"
	67##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
	--- /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf ---



Syntax error on line 61 of /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf:
Error creating rule: Could not open phrase file "/usr/local/apache/conf/modsec_rules/malware-blacklist.txt": No such file or directory

 

[quietFinn]

As the error message states:

Could not open phrase file "/usr/local/apache/conf/modsec_rules/malware-blacklist.txt": No such file or directory

When you downloaded the rules there should be the file malware-blacklist.tx, just copy it to that directory.

 

[kdean]

Your includes indicate that you uploaded the rules to "atomic_modsec_rules", but as the error indicates, it prefers them to be in "modsec_rules" instead. I'd rename the folder and revise your include statements so it's not a problem in the future.

You didn't need to or probably shouldn't have installed ASL since that's another commercial solution they have.

 

[jimlongo]

Thanks for all your help and suggestions.

I looked around and found clear concise installation directions for the delayed rules here.

Except for also needing to eliminate 15_asl_paranoid_rules.conf this worked for me.

I must say the Atomic rules instructions seem designed as a marketing tool to push people towards the paid services. They are very convoluted and constantly mix the commercial products into the instructions for using the delayed rules.

 

[kdean]

Yep, they definitely try to upsell you at every turn.