mod_security rules, Atomic and CSF

11Laurence · May 27, 2013

Re: CENTOS 6.4 x86_64 standard – WHM11.36.1 (build 6)

This question is adressed tot he community of cpanel because I’m not sure if I can get help outside.

To increase the level of security ConfigServer Mail scanner, ConfigServerSecurity&Firewall, Mod Security control have been installed.

I follow this tuto from ukhost4u.co.uk and wrote in config plugin /mod security/WHM:

SecRequestBodyAccess On
SecAuditLogType Concurrent
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf

I add these two lines from safesrv.net

# cxs web script scanning
# SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" "log,auditlog,deny,severity:2,id:'1010101'"

Then I pay for .... the paid rules at atomiccorp and receive a username and password.
I read the wiki and saw for the first time the FAQ :

Does a rules subscription include support for setting up mod_security?
No. Rules only subscriptions do not include support for installing, setting up or configuring mod_security. No third-party support.

Then there is a link to get the rules: updates.atomicorp.com/channels/rules/subscription/
The browser sends a warning : « security problem »

(Not sure it is a good start !!! they don'have updated the ssl?)

I say to the browser it’s an exception and get the following list

sc May 24 2013 11:40:54 1kb
geomap-201305261133.tar.gz May 26 2013 11:35:13 3135kb
geomap-201305261133.tar.gz.asc May 26 2013 11:35:13 1kb
modsec-201303271858.tar.gz Mar 27 2013 18:58:16 308kb
modsec-201303271858.tar.gz.asc Mar 27 2013 18:58:16 1kb
modsec-201303280916.tar.gz Mar 28 2013 09:16:24 308kb
modsec-201303280916.tar.gz.asc Mar 28 2013 09:16:24 1kb
modsec-201303280927.tar.gz Mar 28 2013 09:27:43 308kb
modsec-201303280927.tar.gz.asc Mar 28 2013 09:27:43 1kb
modsec-201303282050.tar.gz Mar 28 2013 20:50:31 308kb
modsec-201303282050.tar.gz.asc Mar 28 2013 20:50:31 1kb
modsec-201303291009.tar.gz

I don’t want to change my config and keep csf.
These are my questions :
1) What is the way (code) to get the paid rules and to give to their server my username /password in the plugin „mod security“ (edit config) from whm - see tuto ukhost4u.co.uk
2) How do we know what is related to what rule (for instance file modsec-201303280927.tar.gz.asc is related to 51_asl_rootkits.conf ?)
3) Is there a known conflict between cpanel, configserver security or config modsec and arules from atomiccorp.

Thanks
Best regards
Francois

N.B.: Perhap's it's a language problem and I miss a step?

cPanelMichael · May 27, 2013

Hello

You will likely get a more detailed response from Atomicorp as it relates to their custom rules. I found the following document on their website that may be helpful:

Atomicorp Wiki

Thank you.

11Laurence · May 27, 2013

cPanelMichael said:
Hello

You will likely get a more detailed response from Atomicorp as it relates to their custom rules. I found the following document on their website that may be helpful:

Atomicorp Wiki

Thank you.

Hello,

I read these pages. It seems to me they talk about rules installed with ASL (I don’t want this product). I ask here beacause I’m pretty sure other fellows have perfomed this job.

Thanks
regards

11Laurence · May 28, 2013

No answer.
paid rules from atomicoep are no more used? deprecated?

robb3369 · May 28, 2013

Look at ASL-Lite... it says its no longer supported, but it does work...

https://www.atomicorp.com/wiki/index.php/ASL_Lite

11Laurence · May 29, 2013

robb3369 said:
Look at ASL-Lite... it says its no longer supported, but it does work...

https://www.atomicorp.com/wiki/index.php/ASL_Lite

Hello,

Actually, not.
I can get asl-lite, but it works (display) not properly and we cannot put username or password

centOS 6.4 Linux 3.8.13-xxxx-std-ipv6-64 #2 SMP Fri May 17 05:54:07 CEST 2
Putty

Other way?

thanks

regards

Thread starter	Similar threads	Forum	Replies	Date
C	Mod_Security rules for Joomla login failures	Security	2	Apr 4, 2022
V	Centos 8 - mod_security v3 not working custom rules	Security	7	Nov 7, 2020
E	Let customers view and whitelist mod_security rules?	Security	2	Aug 26, 2017
	Mod_security rules to prevent spam registrations and comments on wordpress sites	Security	12	Feb 7, 2017
B	Older mod_security ruleset still active	Security	3	May 3, 2016

Search

Search

mod_security rules, Atomic and CSF

11Laurence

Member

cPanelMichael

Administrator

11Laurence

Member

11Laurence

Member

robb3369

Well-Known Member

11Laurence

Member