mod_sec rules (where to get the best version)

Discussion in 'General Discussion' started by cookiesunshinex, Nov 4, 2006.

  1. cookiesunshinex

    cookiesunshinex Well-Known Member

    I just updated to WHM 10.8.0 and Cpanel 10.9.0 R57.

    I noticed at the end of the update that mod_security was updated to version 1.9.1 or something like that.

    I had used a custom ruleset for mod_sec which was mentioned in this thread:
    http://forums.cpanel.net/showthread.php?t=30159


    Should I update the mod_sec ruleset again, or is the version that is packaged with the latest WHM/Cpanel update good enough for a general purpose webserver?

    I'd like to be as secure as possible. I took a look at the mod_sec rules that are located at http://www.gotroot.com, but it seems that the rules.conf from gotroot.com has around 585 lines in it and the one from the whm update has about 840.

    Any feedback is appreciated.
     
  2. Belaird

    Belaird Well-Known Member

    Mod_sec rules

    Well, what rules you want to implement is up to you to decide based on your needs, the apps you run and the capacity of your server. The more rules you turn on, the more overhead Apache will take with each request, since it now has to process the request against the rules.

    The best place I have found for mod_security rules is here http://www.gotroot.com/tiki-index.php?page=mod_security+rules

    but be careful what you select and mindful of your mod_security and Apache versions. Apache 2.x rules don't work with Apache 1.x and can cause it to fail.
     
  3. cookiesunshinex

    cookiesunshinex Well-Known Member

    I guess the question that I have then is:

    What is the ruleset that is loaded with the latest version of WHM/Cpanel? Is it optimized for a standard webserver?

    I'm trying to decipher the difference between what was installed during the latest WHM update and what is out there at gotroot.com

    Thanks for any advice.
     
  4. Spiral

    Spiral BANNED

    "Total garbage barebones" and "No" would be the answers to your questions respectively.

    Just using WHM to install mod_security without going in to SSH and configuring your
    rulesets is roughly equivalent to not having mod_security installed at all!

    It runs but it doesn't really do anything whatsoever in its default state so having
    it on your server like that is pretty much pointless.

    Once you have mod_security installed, you should go in and add any protection rules
    you want by editing the /etc/httpd/conf/modsec.conf and modsec.user.conf files.

    As to what to put in those files, several good sources for rules have been
    mentioned earlier on in this thread.
     
  5. cookiesunshinex

    cookiesunshinex Well-Known Member

    How come when I go to "Edit Config" in WHM under the mod_security section I am able to affect the file located at /etc/httpd/conf/modsec.user.conf?

    Additionally, I can see where http requests are being blocked in the mod_sec log in WHM.

    Are you saying that we should ensure that the rules are actually there by editing them through SSH instead of going through the WHM interface?

    Thanks for the tips.

    It would be better to clearly explain these points to further help people who aren't fully versed in the topic such as some other advanced and experienced administrators might be.
     
  6. bpat1434

    bpat1434 Well-Known Member

    cPanel, SVN, and mod_security

    Whoops... totally wrong button I pushed. Sorry :(
     
    #6 bpat1434, Jun 29, 2007
    Last edited: Jun 29, 2007
  7. hostmedic

    hostmedic Well-Known Member

    i could not agree more

    I could not agree more ---

    While it's nice to have these tools present, I hope many users don't see them and think "wow, I am protected now"...


    Makes me think of when I got started - that 1st day I thought a firewall was installed because I passed the fire hose in the wall of the DC (OK, so I have officially dated myself, lol).
     
  8. expedio

    expedio Active Member

    Gotroot has a nice collection of mod_sec rules.

    I like the blacklisted IP database that prevents many attacks without blocking any script functions.
     
  9. cookiesunshinex

    cookiesunshinex Well-Known Member

    Since it's been a year and a half, I'm re-addressing this issue.

    Are these rules updated on a regular basis? Should I be updating my rules based upon what is out at gotroot?

    Additionally, I just want to clarify previous posts' statements about WHM and mod_sec rules.

    Is it ok/sufficient to take an updated list of rules from a secondary source such as gotroot and enable them through the WHM web interface, or are there other steps that need to be taken?

    Regards.
     
  10. mikegotroot

    mikegotroot Well-Known Member

    Hi, this is Mike, I write the gotroot.com rules. Yes, you should update, and we put out updates to the rules daily and we fully support them. If you find that any rule we put out interferes with ANY application we will fix it and put out an update that day.

    We fully support the rules, and we also have a rule updater you can download from gotroot.com that will keep your rules up to date and yes, we support cpanel fully. So if you want to secure your cpanel box you really should use our rules.
     
  11. cookiesunshinex

    cookiesunshinex Well-Known Member

    Mike,

    I've just updated to gotroot mod_sec rules. I'm running apache 1.x and mod_sec is 1.9.5.

    I've enabled all of the 1.9 mod_sec rules except the apache 2.x .conf file.

    Why don't you offer a .conf file that includes all of the individual files that you offer?

    Also, it would be good to mention that the excludes should be listed first. I just happened to catch that in the comments section, but I can see how others might miss that.
     
  12. mikegotroot

    mikegotroot Well-Known Member

    Good question about 1.9.x rules. We offer multiple rules because the 1.9.x engine is much much slower than the 2.x engine (and if you use it with apache 1.x, and use apache 1.x's regexp engine you're in for a world of hurt - make sure you compile in libpcre if you use apache 1.x and modsecurity 1.x), for some folks running all the rules is not practical (too slow, too much memory, etc.).

    I just added an "all-rules.conf" file that contains everything with the excludes upfront. Currently untested (no reason it shouldn't work though) - please let me know if you run into any issues with it.

    A side note: The 1.9.x modsecurity engine is unfortunately no longer supported by the modsecurity project - so using it is definitely not recommended (it has bugs, and it has a flaw too). 2.5 is the current supported engine by the modsecurity project. This is a problem for apache 1.x users because the modsecurity project also does not support apache 1.x anymore - modsecurity 2.x only works with apache 2.x.
     
    #12 mikegotroot, Jun 28, 2009
    Last edited: Jun 28, 2009
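
The thread compares rule files by raw line count and warns that rules written for the other engine generation can stop Apache from starting. The following added example (not code from any poster, cPanel or gotroot.com) counts the active rule directives in a rules file and flags ones the installed engine does not understand. It assumes the standard ModSecurity directive names (`SecFilter`/`SecFilterSelective` for 1.x, `SecRule`/`SecAction` for 2.x); the sample rules are constructed and `installed` is a hypothetical parameter.

```python
V1_RULES = {"secfilter", "secfilterselective"}  # ModSecurity 1.x rule directives
V2_RULES = {"secrule", "secaction"}             # ModSecurity 2.x rule directives

# Constructed sample: a 1.x rules file with one 2.x rule pasted in by mistake.
SAMPLE = '''\
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"
#SecFilter "constructed_disabled_pattern"
SecFilterSelective REQUEST_URI \\
    "constructed_pattern_one"
SecFilter "constructed_pattern_two"
SecRule REQUEST_URI "constructed_pattern_three" "deny,log"
'''

def logical_lines(text):
    """Yield active directives: join backslash continuations, drop comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Count raw lines and active rules per engine generation."""
    report = {"lines": len(text.splitlines()), "v1_rules": 0, "v2_rules": 0}
    for line in logical_lines(text):
        key = line.split(None, 1)[0].lower()  # directive names are case-insensitive
        if key in V1_RULES:
            report["v1_rules"] += 1
        elif key in V2_RULES:
            report["v2_rules"] += 1
    return report

def findings(report, installed="1.x"):
    """List problems for the engine generation named by `installed` (hypothetical)."""
    right, wrong = report["v1_rules"], report["v2_rules"]
    if installed != "1.x":
        right, wrong = wrong, right
    out = []
    if wrong:
        out.append(f"{wrong} rule(s) use directives the {installed} engine does not have")
    if right == 0:
        out.append(f"no active {installed} rules")
    return out
```

Run `findings(audit(open(path).read()))` against a candidate rules file before including it in the Apache configuration; a file can be hundreds of lines long and still contain no active rules.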
  13. Spiral

    Spiral BANNED

    The complete ruleset from gotroot.com is about 25 times the size of
    the default mod_security rules or anything you get setup by Cpanel by
    default when installing through WHM or EasyApache.

    GotRoot has broken their rulesets into separate files by category to
    make it quicker to find specific rules, flag exceptions, add updates,
    and for easier management. If you are looking at any specific file
    then you aren't viewing the full ruleset.

    And yes ... the GotRoot.Com ruleset is really the best out there!

    (Side note: They offer a paid subscription set and a free set which
    are basically identical; the only real main difference is whether you
    want your updates (nearly) daily or if you are okay with monthly updates.)
     