The Community Forums


mod_security - Rules don't actually work that well

Discussion in 'Security' started by Karl, Jan 4, 2008.

  1. Karl

    Karl Well-Known Member
    PartnerNOC

    Joined:
    Aug 10, 2001
    Messages:
    84
    Likes Received:
    1
    Trophy Points:
    8
    Hi,

    Having a bit of a problem, tried the rule sets from mod_security themselves and the command injection rule doesn't seem to work all that well, it'll detect stuff like:

    url.php?c=telnet.exe

    but even though the rule says it'll detect ls, perl, python, passwd etc., it does not:

    url.php?c=passwd

    gets loaded fine, even though it shouldn't be.

    Now you're probably thinking this has nothing to do with cPanel, *but* the same command injection rule appears in the cPanel default mod_security rule set and doesn't work either.

    Now it could be something particular to this server, but I doubt it, as it's a clean OS and cPanel install as of 24 hours ago. Is anyone else seeing the same?

    Thanks,
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    The default mod_security rules cPanel installs should be removed since they do nothing. Instead you need a custom ruleset that addresses most shell bots and major script holes. I have one available as part of my server admin services.

    Also you need to ensure that POST security is enabled. I believe the default is that mod_security only turns on GET security, so anything through web forms isn't scanned.
     
  3. Karl

    cPanel rules (especially the command injection) are based off of the mod_security core rules. Unfortunately there seems to be a bug which stops them working as they should. They'd actually detect all the problems we've had on one particular site *if* it worked as it suggests it should, i.e. detecting ls, ps etc.

    The core rules do detect POST data, as they use ARGS, which includes GET and POST data.

    I'll assume no one else has the same issue, either that or they've not actually tested to make sure it's actually working.

    Thanks,
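
The POST-scanning point raised in the two posts above, shown as configuration for both module generations. This is an added example, not part of the original posts and not the cPanel or core rule set; the pattern, rule id and message are placeholders.

```apache
# Added example: PLACEHOLDER_PATTERN, the rule id and the msg text are
# placeholders, not rules taken from this thread.

# --- mod_security 1.x (SecFilter syntax) ---
<IfModule mod_security.c>
    SecFilterEngine On
    # Off by default in 1.x: without it, form (POST) bodies are not scanned.
    SecFilterScanPOST On
    SecFilterDefaultAction "deny,log,status:403"
    SecFilter "PLACEHOLDER_PATTERN"
</IfModule>

# --- mod_security 2.x (SecRule syntax) ---
<IfModule mod_security2.c>
    SecRuleEngine On
    # ARGS contains POST parameters only when the request body is read;
    # with this Off, ARGS holds query-string parameters only.
    SecRequestBodyAccess On
    # phase:2 runs after the body has been parsed, so ARGS is complete here.
    SecRule ARGS "@rx PLACEHOLDER_PATTERN" \
        "phase:2,deny,status:403,log,id:1000001,msg:'placeholder rule'"
</IfModule>
```

To check that a rule really fires on both paths, send the same test value once in the query string and once in a form body, then confirm both requests appear in the audit log.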
     
  4. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I've never used the default rules. I know the ones I use stop dozens of attempts every day, as I use CSF to ban IPs of repeat offenders and tell me.
     
  5. trhosting.net

    trhosting.net Well-Known Member

    Joined:
    Mar 7, 2006
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Turkey
    Can you post some good but safe rules? I don't want my customers' web pages to stop working, but I want good protection.

    Thanks
     
  6. verdon

    mod_security 1 or 2?
     
  7. trhosting.net

    :)

    mod_security for Apache 2.2.x
     
  8. verdon

    I'm still using mod_security 1, so my own rules won't work for you. There is a thread here that talks about rules for mod_security 2. Of particular interest is the post part way down that discusses converted mod_security rules from Kris S. - HostMerit.com to the mod_security2 format. The rules from HostMerit are essentially what I use.

    Good luck :)
     
  9. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    That's the boat I am in, and these rule sets for modsec1 have been working great, especially with CSF/LFD. I am working now on a set for modsec2 based on the old set. But mine is HUGE, like 1000 lines, and gets very specific and blocks something every 5 seconds, seems like. It would be great if we could all help cPanel develop a killer rule set that would work for most of us. After all, there are 10 million+ cPanel based sites on the net that could benefit. Not everyone is being fully protected by modsec because of lacking rules.
     