mod_security v1.9.5 ?

[ashworth102680]

I've been reading all this stuff over here about 2.7, but when I look into my system I see 1.9.5.

EasyApache mod_security Module

Is there something wrong with my Easy::Apache (v3.22.4) where it's not using the newest mod_security or something? Totally confused here.

I'd love to use Atomicorp's rules, but they'll fail unless I'm using the right version.

Here's how I searched for my mod_security version. Maybe I did it wrong?

# cat /home/cpeasyapache/src/modsecurity-apache_1.9.5/apache2/mod_security.c | grep MODULE_RELEASE
#define MODULE_RELEASE "1.9.5"

- - - Updated - - -

If it helps, here are version numbers for my WHM installation:

WHM 11.38.1 (build 15)
Apache 2.2.25
PHP 5.3.27

 

[quizknows]

/home/cpeasyapache/src/ will contain source for both apache 1 and 2. You're looking at the source for httpd 1.x which won't be built anyway.

Much easier to check for the actual module, as long as you build httpd 2.x in EA, and select ModSecurity, then ModSecurity 2.7.x will build. Once it's done you can check at root shell:

httpd -M |grep security

This should return:

security2_module (shared)
Syntax OK

If so, then modsec 2 is installed.

 

[kdean]

You can also verify the version by searching for the line starting with "Producer" in:

/usr/local/apache/logs/modsec_audit.log

or you can view the log if you use:

ConfigServer ModSecurity Control

 

[ashworth102680]

Thanks guys!

This doesn't give me anything:

[email protected] [/usr/local/apache/conf/modsec_rules]# cat /usr/local/apache/logs/modsec_audit.log | grep Producer
[email protected] [/usr/local/apache/conf/modsec_rules]#

[email protected] [/usr/local/apache/conf/modsec_rules]# httpd -M |grep security
security2_module (shared)
Syntax OK

Definitely on mod_security v2. What I don't know is specifically which version of 2 (ie., v2.x) I'm on. So far, I haven't been able to determine that. It's just compiled via Easy Apache. Nothing more.

Multiple guides online to get gotroot rules to run on cPanel haven't worked, and produce an error like this one:

[email protected] [/usr/local/apache/conf/modsec_rules]# service httpd configtest
Syntax error on line 37 of /usr/local/apache/conf/modsec_rules/00_asl_whitelist.conf:
ModSecurity: No action id present within the rule

Am I supposed to just give it an ID and use whatever the hell number I want?!

- - - Updated - - -

I downloaded 2.5 and 2.7, but both fail. It's possible I'm still not using the newest, though. I'll check that now.

According to ASL:

No action id present within the rule
This means that you using out of date rules. If you are using Atomicorp rules, then this means you are not using the latest real time rules. The latest real time rules have an id action for every rule.

- - - Updated - - -

Yeah, these are definitely the newest rules:

http://updates.atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz

 

[cPanelMichael]

Hello

The Mod_Security version is logged to the Apache error_log upon starting or restarting Apache. The specific version can be determined using the following command via root SSH access:

grep "modsecurity" /usr/local/apache/logs/error_log

You will see output such as:

[Tue Aug 13 22:37:04 2013] [notice] ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/) configured.

Thank you.

 

[quizknows]

A couple things could be happening here.

Unlikely, but if there is no rule ID on that line of that file, try adding one.

It's also possible whatever conf file is calling "Include /usr/local/apache/conf/modsec_rules/00_asl_whitelist.conf" (probably your modsec2.user.conf) has a rule right before that include line that is missing an ID.

If a rule ID is missing, it's easy to add, but make sure if it's a multi line rule (i.e. the first line says "chain" in the actions) that you ID the first line.

I.e.

SecRule REQUEST_URI "This_is_bad" "deny,chain"
SecRule HTTP_User-Agent "Second bad condition"

You would add to the "deny,chain" part:

SecRule REQUEST_URI "This_is_bad" "deny,chain,id:29725"
SecRule HTTP_User-Agent "Second bad condition"

 

[ashworth102680]

That helped a ton. Thanks Michael!