mod_security rules, Atomic and CSF

11Laurence

Member
May 27, 2013
cPanel Access Level
Root Administrator
Re: CENTOS 6.4 x86_64 standard – WHM11.36.1 (build 6)

This question is addressed to the community of cPanel because I'm not sure if I can get help outside.

To increase the level of security, ConfigServer Mail Scanner, ConfigServer Security & Firewall and Mod Security Control have been installed.

I followed this tutorial from ukhost4u.co.uk and wrote in the config of the plugin /mod security/WHM:

SecRequestBodyAccess On
SecAuditLogType Concurrent
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf

I added these two lines from safesrv.net:

# cxs web script scanning
# SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" "log,auditlog,deny,severity:2,id:'1010101'"

Then I paid for .... the paid rules at Atomicorp and received a username and password.
I read the wiki and saw for the first time the FAQ:

Does a rules subscription include support for setting up mod_security?
No. Rules only subscriptions do not include support for installing, setting up or configuring mod_security. No third-party support.
Then there is a link to get the rules: updates.atomicorp.com/channels/rules/subscription/
The browser sends a warning: « security problem »

(Not sure it is a good start!!! They haven't updated the SSL?)

I say to the browser it's an exception and get the following list:

sc May 24 2013 11:40:54 1kb
geomap-201305261133.tar.gz May 26 2013 11:35:13 3135kb
geomap-201305261133.tar.gz.asc May 26 2013 11:35:13 1kb
modsec-201303271858.tar.gz Mar 27 2013 18:58:16 308kb
modsec-201303271858.tar.gz.asc Mar 27 2013 18:58:16 1kb
modsec-201303280916.tar.gz Mar 28 2013 09:16:24 308kb
modsec-201303280916.tar.gz.asc Mar 28 2013 09:16:24 1kb
modsec-201303280927.tar.gz Mar 28 2013 09:27:43 308kb
modsec-201303280927.tar.gz.asc Mar 28 2013 09:27:43 1kb
modsec-201303282050.tar.gz Mar 28 2013 20:50:31 308kb
modsec-201303282050.tar.gz.asc Mar 28 2013 20:50:31 1kb
modsec-201303291009.tar.gz

I don't want to change my config and keep csf.
These are my questions:
1) What is the way (code) to get the paid rules and to give their server my username/password in the plugin "mod security" (edit config) from WHM - see tutorial ukhost4u.co.uk
2) How do we know what is related to what rule (for instance, is file modsec-201303280927.tar.gz.asc related to 51_asl_rootkits.conf?)
3) Is there a known conflict between cPanel, ConfigServer Security or config modsec and the rules from Atomicorp?

Thanks
Best regards
Francois

N.B.: Perhaps it's a language problem and I missed a step?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

You will likely get a more detailed response from Atomicorp as it relates to their custom rules. I found the following document on their website that may be helpful:

Atomicorp Wiki

Thank you.
 

11Laurence

Hello,

I read these pages. It seems to me they talk about rules installed with ASL (I don't want this product). I ask here because I'm pretty sure other fellows have performed this job.

Thanks
regards
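
Added example, not part of any post in this thread and not Atomicorp or cPanel code: a sketch of how the file names in the listing from the first post pair up, and how to see which .conf files an archive carries without extracting it. It assumes that each .asc file is the detached signature of the same-named tarball (the usual convention) and uses a shortened, constructed listing plus a constructed stand-in tarball, since the real archive layout is not shown on this page.

```python
import io
import re
import tarfile

# Constructed sample: a shortened copy of the file names from the first post.
LISTING = """\
geomap-201305261133.tar.gz
geomap-201305261133.tar.gz.asc
modsec-201303271858.tar.gz
modsec-201303271858.tar.gz.asc
modsec-201303282050.tar.gz
modsec-201303282050.tar.gz.asc
modsec-201303291009.tar.gz
"""

NAME = re.compile(r"^(?P<channel>[a-z]+)-(?P<stamp>\d{12})\.tar\.gz(?P<sig>\.asc)?$")

def pair_archives(listing):
    """Map each archive name to True/False: is a matching .asc listed?"""
    seen = {}
    for line in listing.split():
        m = NAME.match(line)
        if m:
            archive = line[:-4] if m["sig"] else line
            seen[archive] = seen.get(archive, False) or bool(m["sig"])
    return seen

def newest_signed(listing, channel="modsec"):
    """Newest archive of a channel that has a signature file beside it."""
    signed = [a for a, ok in pair_archives(listing).items()
              if ok and a.startswith(channel + "-")]
    return max(signed, key=lambda a: NAME.match(a)["stamp"], default=None)

def rule_files(archive_bytes):
    """List the .conf members of a rules tarball without extracting it."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        return sorted(m.name for m in tar.getmembers()
                      if m.isfile() and m.name.endswith(".conf"))

def constructed_archive(names):
    """Build a small stand-in tarball in memory (hypothetical layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"# placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Pairing only shows that a signature file is present; the signature itself still has to be checked, for example with `gpg --verify file.tar.gz.asc file.tar.gz` against the vendor's public key, which matters more once a certificate warning has been overridden for the download.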