The Community Forums

Interact with an entire community of cPanel & WHM users!

Mod_Security & Rules Recommendation

Discussion in 'Security' started by debug, Dec 31, 2013.

  1. debug

    debug Member

    Hello,

    I am on a managed VPS. I am alone on my VPS and hosting only my own websites. I sell nothing, so no need for SSL.

    My config:
    CENTOS 5.10 i686 virtuozzo – 32 bits
    WHM 11.40.1
    Apache 2.2.26
    php 5.3.28
    CSF/LFD 6.39, Mod_security enabled via Easy_Apache v3.22.25.

    - SSH disabled via WHM, I never use it.
    - WHM/Pure FTPD disabled (I re-install it via WHM/FTP Server Selection only when I need it).
    - WHM Host Access Control assigned to my home IP only.
    - SSH 22 port renamed but removed in CSF Firewall Configuration/Incoming/outgoing TCP ports list

    I don't want to upgrade/update my server right now, to keep the compatibility with my old scripts. Mod_security is installed only with the basic rules. In fact, these rules stop almost nothing. The elementary path traversal http://www.domain/ is not being stopped.


    I am not familiar with Mod_Security & rules. I don't know if my server is secure right now. But I think I need a set of effective rules for Mod_Security.


    My options are after much reading:


    1) Buy the ASL Rules (only the rules package) at $99/year and install it by myself with no automatic update.

    2) Buy the ASL + Rules at $199/year with an automatic install & update.

    3) Buy the $125 Service Package at ConfigServer with the free ASL rules installed, but if it requires updated rules in the future, I will need to pay ASL for them.

    4) Downgrade to Apache 1.4 & PHP 5.2.17 custom Cpanel product. Mod_security 1.95 works fine in this config with a lot of custom rules. Unfortunately, it is not possible to use ModSecurity 1.95 with PHP 5.3.28.

    Correct me if I am wrong in my understanding. I need some guidance.


    Another question:
    If I buy a package and secure my own VPS, could another VPS on the same host server, non-secure and without effective rules, compromise my VPS?

    Would the best solution in this case be a dedicated server?

    Other alternatives?


    Regards
     
    #1 debug, Dec 31, 2013
    Last edited: Dec 31, 2013
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I just wanted to point out that downgrading Apache and PHP should not be an option here. It's not supported, and the older versions of Apache/PHP are scheduled for removal from EasyApache in the near future. You will likely receive some user feedback on the other options you presented here.

    Thank you.
     
  3. nootkan

    nootkan Well-Known Member

    Personally I went with options 1 and 3. I found someone who is an affiliate of Atomicorp and they installed the updater as part of the rules package (if interested, pm me for details). As for the Service Package at Config Server you cannot go wrong with this as I feel it is probably the best package out there for security. If you feel capable you can install the components of the package for free by yourself. The staff at Config Server do a great job with the installation and give you a week of support after installation. Well worth the price in my opinion.
     
    #3 nootkan, Jan 1, 2014
    Last edited: Jan 1, 2014
  4. debug

    debug Member

    #4 debug, Jan 2, 2014
    Last edited: Jan 2, 2014
  5. debug

    debug Member

    Maybe I'm wrong but I just read on the wiki that paid ASL rules are not compatible with ConfigServer products. Is that correct? Do I have to uninstall CSF & CMC?

    https://www.atomicorp.com/wiki/index.php/ASL_FAQ#Is_ASL_compatible_with_ConfigServer

    Edit: I think it's only with the overall ASL (firewall + Rules). With the paid rules only, it should work with CSF/CMC but I have not tested it.

    In any case, I'm tired with this problem. I hope that cPanel offers as soon as possible a set of effective rules in their package.

    Regards
     
    #5 debug, Jan 11, 2014
    Last edited: Jan 11, 2014
  6. PlotHost

    PlotHost Well-Known Member

  7. NixTree

    NixTree Well-Known Member

    Yes, you may try Comodo WAF. We have been testing it and it was working fine until the latest release. With the new release we get a lot of Seg fault errors. Seems like they need to work a bit more to make it mature. Once it is stable, it should be worth using.
     
  8. chrismfz

    chrismfz Well-Known Member

    You can set a cronjob to rsync rules, extract Atomicorp's rules, replace them and gracefully restart Apache after that.
    You said you are unfamiliar with SSH and never used it. You can hire someone to do it; it's easy enough. Set it 'n forget it.


    We have used those rules for years with great results (you can't imagine what I see in logs).

    I can't say anything about Comodo's rules. I wish somebody could do an audit / penetration test
    on various platforms and apps and post the results of an ASL vs Comodo comparison, but still nothing :D
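
The update job described in the post above (fetch, extract, replace, graceful restart), as an added example that is not part of the thread and is not Atomicorp's or cPanel's own tooling. It goes one step further than the post by staging the rules, testing the Apache configuration before reloading, and rolling back on failure; the source location, the rules directory and the archive layout (a tarball with `.conf` files at its top level) are assumptions to adapt to the host.

```shell
#!/bin/sh
# Added example: staged ModSecurity rule update with config test and rollback.
# Assumptions (not from the thread): the source, the rules directory and the
# archive layout (top-level .conf files in a .tar.gz) are placeholders.

# update_rules SRC RULES_DIR
#   SRC        rsync source of the rules tarball (site-specific placeholder)
#   RULES_DIR  directory Apache includes the ModSecurity rules from
# FETCH and APACHECTL can be overridden to match the host or to dry-run.
update_rules() {
    src=$1
    rules_dir=$2
    fetch=${FETCH:-rsync -a}
    apachectl=${APACHECTL:-apachectl}
    work=$(mktemp -d) || return 1

    # 1. Fetch and unpack into a staging directory, never over the live rules.
    $fetch "$src" "$work/rules.tar.gz" || { rm -rf "$work"; return 1; }
    mkdir "$work/new"
    tar -xzf "$work/rules.tar.gz" -C "$work/new" || { rm -rf "$work"; return 1; }

    # 2. Refuse an empty rule set: swapping it in would silently disable the WAF.
    if ! ls "$work/new"/*.conf >/dev/null 2>&1; then
        rm -rf "$work"
        return 1
    fi

    # 3. Swap, keeping the previous rules for rollback.
    rm -rf "$rules_dir.prev"
    [ -d "$rules_dir" ] && mv "$rules_dir" "$rules_dir.prev"
    mv "$work/new" "$rules_dir"
    rm -rf "$work"

    # 4. Reload only if Apache accepts the new configuration; else roll back.
    if $apachectl -t >/dev/null 2>&1; then
        $apachectl graceful
    else
        rm -rf "$rules_dir"
        [ -d "$rules_dir.prev" ] && mv "$rules_dir.prev" "$rules_dir"
        return 2    # rules rejected by the config test, previous set restored
    fi
}
```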
     
  9. jsnape

    jsnape Well-Known Member

    No need to buy the rules. I'd support these guys (Comodo), and encourage them to keep the rules updated.
     
    #9 jsnape, Mar 3, 2014
    Last edited by a moderator: Mar 4, 2014