I am running mod_security on a couple of sites running RHEL5 and the latest cPanel/WHM. However, looking at the mod_security plugin in WHM, nothing is showing, in spite of some things getting blocked by mod_security. Maybe I need to point the plugin to the correct mod_security log file location?
Below are my settings for mod_security in httpd.conf.
<IfModule mod_security.c>
# Turn the filtering engine On/Off
SecFilterEngine On
# Modify your Server Signature, or turn it off by setting it to empty string.
SecServerSignature "Keep Looking!!"
# Enforce URL encoding validation
SecFilterCheckURLEncoding On
# Unicode Encoding Validation
SecFilterCheckUnicodeEncoding Off
# Byte range
SecFilterForceByteRange 1 255
# The audit engine can be turned On or Off on the per server or
# per directory basis. "On" will log everything, "DynamicOrRelevant"
# will only log dynamic requests or violations, and "RelevantOnly"
# will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/modsecurity_audit_log
# Whether the mod_security should inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
</IfModule>