mod_sec rules (where to get the best version)

cookiesunshinex (Well-Known Member, Jun 10, 2005)
I just updated to WHM 10.8.0 and Cpanel 10.9.0 R57.

I noticed at the end of the update that mod_security was updated to version 1.9.1 or something like that.

I had used a custom ruleset for mod_sec which was mentioned in this thread:
http://forums.cpanel.net/showthread.php?t=30159


Should I update the mod_sec ruleset again, or is the version that is packaged with the latest WHM/Cpanel update good enough for general purpose webserver?

I'd like to be as secure as possible. I took a look at the mod_sec rules that are located at http://www.gotroot.com, but it seems that the rules.conf from gotroot.com has around 585 lines in it and the one from the whm update has about 840.

Any feedback is appreciated.

Belaird (Well-Known Member, Jun 24, 2004)
Mod_sec rules

Well, what rules you want to implement is up to you to decide, based on your needs, the apps you run and the capacity of your server. The more rules you turn on, the more overhead Apache will take with each request, since it now has to process the request against the rules.

The best place I have found for mod_security rules is here: http://www.gotroot.com/tiki-index.php?page=mod_security+rules

But be careful what you select, and be mindful of your mod_security and Apache versions. Apache 2.x rules don't work with Apache 1.x and can cause it to fail.

cookiesunshinex (Well-Known Member, Jun 10, 2005)
I guess the question that I have then is:

What is the ruleset that is loaded with the latest version of WHM/Cpanel? Is it optimized for a standard webserver?

I'm trying to decipher the difference between what was installed during the latest WHM update and what is out there at gotroot.com.

Thanks for any advice.

Spiral (BANNED, Jun 24, 2005)
> What is the ruleset that is loaded with the latest version of WHM/Cpanel? Is it optimized for a standard webserver?

"Total garbage barebones" and "No" would be the answers to your questions respectively.

Just using WHM to install mod_security without going in to SSH and configuring your rulesets is roughly equivalent to not having mod_security installed at all!

It runs, but it doesn't really do anything whatsoever in its default state, so having it on your server like that is pretty much pointless.

Once you have mod_security installed, you should go in and add any protection rules you want by editing the /etc/httpd/conf/modsec.conf and modsec.user.conf files.

As to what to put in those files, several good sources for rules have been mentioned earlier on in this thread.

cookiesunshinex (Well-Known Member, Jun 10, 2005)
How come, when I go to "Edit Config" in WHM under the mod_security section, I am able to affect the file located at /etc/httpd/conf/modsec.user.conf?

Additionally, I can see where http requests are being blocked in the mod_sec log in WHM.

Are you saying that we should ensure that the rules are actually there by editing them through SSH instead of going through the WHM interface?

Thanks for the tips.

It would be better to clearly explain these points to further help people who aren't fully versed in the topic such as some other advanced and experienced administrators might be.

hostmedic (Well-Known Member, Apr 30, 2003; Washington Court House, Ohio, United States; cPanel Access Level: DataCenter Provider)
I could not agree more

> "Total garbage barebones" and "No" would be the answers to your questions respectively.
>
> Just using WHM to install mod_security without going in to SSH and configuring your rulesets is roughly equivalent to not having mod_security installed at all!
>
> It runs, but it doesn't really do anything whatsoever in its default state, so having it on your server like that is pretty much pointless.

I could not agree more.

While it's nice to have these tools present, I hope many users don't see them and think: wow, I am protected now...

Makes me think of when I got started: that first day I thought a firewall was installed because I passed the fire hose in the wall of the DC (ok, so I have officially dated myself, lol).

expedio (Active Member, Jun 30, 2007)
Gotroot has a nice collection of mod_sec rules.

I like the blacklisted IP database that prevents many attacks without blocking any script functions.

cookiesunshinex (Well-Known Member, Jun 10, 2005)
Since it's been a year and a half, I'm re-addressing this issue.

Are these rules updated on a regular basis? Should I be updating my rules based upon what is out at gotroot?

Additionally, I just want to clarify the previous posts' statements about WHM and mod_sec rules.

Is it ok/sufficient to take an updated list of rules from a secondary source such as gotroot and enable them through the WHM web interface, or are there other steps that need to be taken?

Regards.

mikegotroot (Well-Known Member, Verified Vendor, Apr 29, 2008)
Hi, this is Mike; I write the gotroot.com rules. Yes, you should update. We put out updates to the rules daily and we fully support them. If you find that any rule we put out interferes with ANY application, we will fix it and put out an update that day.

We fully support the rules, and we also have a rule updater you can download from gotroot.com that will keep your rules up to date. And yes, we support cPanel fully. So if you want to secure your cPanel box, you really should use our rules.

cookiesunshinex (Well-Known Member, Jun 10, 2005)
Mike,

I've just updated to the gotroot mod_sec rules. I'm running Apache 1.x and mod_sec is 1.9.5.

I've enabled all of the 1.9 mod_sec rules except the Apache 2.x .conf file.

Why don't you offer a .conf file that includes all of the individual files that you offer?

Also, it would be good to mention that the excludes should be listed first. I just happened to catch that in the comments section, but I can see how others might miss that.

mikegotroot (Well-Known Member, Verified Vendor, Apr 29, 2008)
Good question about the 1.9.x rules. We offer multiple rule files because the 1.9.x engine is much, much slower than the 2.x engine (and if you use it with Apache 1.x and use Apache 1.x's regexp engine, you're in for a world of hurt; make sure you compile in libpcre if you use Apache 1.x and modsecurity 1.x), so for some folks running all the rules is not practical (too slow, too much memory, etc.).

I just added an "all-rules.conf" file that contains everything, with the excludes up front. Currently untested (no reason it shouldn't work, though); please let me know if you run into any issues with it.

A side note: the 1.9.x modsecurity engine is unfortunately no longer supported by the modsecurity project, so using it is definitely not recommended (it has bugs, and it has a flaw too). 2.5 is the current engine supported by the modsecurity project. This is a problem for Apache 1.x users, because the modsecurity project also does not support Apache 1.x anymore; modsecurity 2.x only works with Apache 2.x.

Spiral (BANNED, Jun 24, 2005)
> I'd like to be as secure as possible. I took a look at the mod_sec rules that are located at Got Root : Welcome, but it seems that the rules.conf from gotroot.com has around 585 lines in it and the one from the whm update has about 840.

The complete ruleset from gotroot.com is about 25 times the size of the default mod_security rules or anything you get set up by cPanel by default when installing through WHM or EasyApache.

GotRoot has broken their rulesets into separate files by category to make it quicker to find specific rules, flag exceptions, add updates, and for easier management. If you are looking at any specific file, then you aren't viewing the full ruleset.

And yes ... the GotRoot.Com ruleset is really the best out there!

(Side note: they offer a paid subscription set and a free set which are basically identical; the only real difference is whether you want your updates (nearly) daily or if you are okay with monthly updates.)
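Two points in this thread are worth checking mechanically before restarting Apache: the rule author's note that the exclude file has to be listed before the rule files, and the comparison of rulesets by raw line count, which says little because comments, blank lines and multi-line directives all count as lines. The script below is an added example, not code from gotroot.com or cPanel. It parses Apache-style config text, joins backslash continuations, reports the order of Include directives, flags any include whose filename contains "exclude" that appears after a rule file, and counts actual rule directives (the mod_security 1.x SecFilter/SecFilterSelective and the 2.x SecRule/SecAction). The file paths and the "exclude" naming convention are assumptions for illustration; the sample config is constructed and is not a gotroot rule file.

```python
"""Sanity checks for a hand-assembled mod_security include file (added example)."""
import re

# Rule-defining directives: SecFilter/SecFilterSelective are mod_security 1.x,
# SecRule/SecAction are 2.x. Engine switches such as SecFilterEngine are not rules.
RULE_DIRECTIVES = ("SecFilterSelective", "SecFilter", "SecRule", "SecAction")

# Apache allows the path to be quoted; IncludeOptional exists in newer httpd.
INCLUDE_RE = re.compile(r'^Include(?:Optional)?\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)


def logical_lines(text):
    """Yield Apache-style logical lines: strip blank and comment lines and join
    trailing-backslash continuations so a multi-line rule is seen once."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined and not joined.startswith("#"):
            yield joined
    if buf:  # dangling continuation at end of file
        joined = " ".join(buf).strip()
        if joined and not joined.startswith("#"):
            yield joined


def include_order(text):
    """Return the included paths in the order Apache would read them."""
    paths = []
    for line in logical_lines(text):
        match = INCLUDE_RE.match(line)
        if match:
            paths.append(match.group(1))
    return paths


def exclusions_first(text):
    """Check the ordering the rule author asks for: every include whose filename
    mentions 'exclude' (assumed naming convention) must precede every rule file.
    Returns (ok, list_of_problems)."""
    rule_files = []
    problems = []
    for path in include_order(text):
        if "exclude" in path.lower():
            if rule_files:
                problems.append(f"{path} is listed after {rule_files[-1]}")
        else:
            rule_files.append(path)
    return (not problems, problems)


def count_rules(text):
    """Count rule directives instead of raw lines; returns {directive: count}."""
    counts = {d: 0 for d in RULE_DIRECTIVES}
    for line in logical_lines(text):
        word = line.split(None, 1)[0]
        if word in counts:
            counts[word] += 1
    return counts


# Constructed samples; the paths are hypothetical, not gotroot's file names.
GOOD_INCLUDES = """\
# excludes first, then the rule files
Include /etc/httpd/conf/modsec/exclude.conf
Include /etc/httpd/conf/modsec/rules.conf
Include "/etc/httpd/conf/modsec/blacklist.conf"
"""

BAD_INCLUDES = """\
Include /etc/httpd/conf/modsec/rules.conf
Include /etc/httpd/conf/modsec/exclude.conf
"""

SAMPLE_RULES = """\
# Constructed sample mixing 1.9.x and 2.x directive styles; 10 raw lines, 3 rules.
SecFilterEngine On
SecFilterScanPOST On

# A continued directive counts once
SecFilterSelective THE_REQUEST "\\.\\./" \\
    "deny,log,status:403"
SecFilter "<script"

SecRule ARGS "foo" "deny,status:403"
"""

if __name__ == "__main__":
    print("include order:", include_order(GOOD_INCLUDES))
    print("good file ordered correctly:", exclusions_first(GOOD_INCLUDES))
    print("bad file ordered correctly:", exclusions_first(BAD_INCLUDES))
    print("raw lines:", len(SAMPLE_RULES.splitlines()), "rules:", count_rules(SAMPLE_RULES))
```

Run it against your own modsec.user.conf by reading the file into a string and passing it to exclusions_first and count_rules; the ordering check only looks at filenames, so it tells you the include list is in the order the rule author describes, not what the excluded rules themselves do.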