
mod_security v1.9.5 ?

Discussion in 'Security' started by ashworth102680, Aug 13, 2013.

  1. ashworth102680

    ashworth102680 Active Member

    I've been reading all this stuff over here about 2.7, but when I look into my system I see 1.9.5.

    EasyApache mod_security Module

    Is there something wrong with my Easy::Apache (v3.22.4) where it's not using the newest mod_security or something? Totally confused here.

    I'd love to use Atomicorp's rules, but they'll fail unless I'm using the right version.

    Here's how I searched for my mod_security version. Maybe I did it wrong?

    # cat /home/cpeasyapache/src/modsecurity-apache_1.9.5/apache2/mod_security.c | grep MODULE_RELEASE
    #define MODULE_RELEASE "1.9.5"

    - - - Updated - - -

    If it helps, here are version numbers for my WHM installation:

    WHM 11.38.1 (build 15)
    Apache 2.2.25
    PHP 5.3.27
     
  2. quizknows

    quizknows Well-Known Member

    /home/cpeasyapache/src/ will contain source for both apache 1 and 2. You're looking at the source for httpd 1.x which won't be built anyway.

    Much easier to check for the actual module. As long as you build httpd 2.x in EA and select ModSecurity, ModSecurity 2.7.x will build. Once it's done, you can check at the root shell:

    httpd -M |grep security

    This should return:

    security2_module (shared)
    Syntax OK

    If so, then modsec 2 is installed.
     
  3. kdean

    kdean Well-Known Member

    You can also verify the version by searching for the line starting with "Producer" in:

    /usr/local/apache/logs/modsec_audit.log

    or you can view the log if you use:

    ConfigServer ModSecurity Control
     
  4. ashworth102680

    ashworth102680 Active Member

    Thanks guys!

    This doesn't give me anything:

    Definitely on mod_security v2. What I don't know is specifically which version of 2 (i.e., v2.x) I'm on. So far, I haven't been able to determine that. It's just compiled via Easy Apache. Nothing more.

    Multiple guides online to get gotroot rules to run on cPanel haven't worked, and produce an error like this one:

    Am I supposed to just give it an ID and use whatever the hell number I want?! :)

    - - - Updated - - -

    I downloaded 2.5 and 2.7, but both fail. It's possible I'm still not using the newest, though. I'll check that now.

    According to ASL:

    - - - Updated - - -

    Yeah, these are definitely the newest rules:

    http://updates.atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    The Mod_Security version is logged to the Apache error_log upon starting or restarting Apache. The specific version can be determined using the following command via root SSH access:

    Code:
    grep "modsecurity" /usr/local/apache/logs/error_log
    You will see output such as:

    Code:
    [Tue Aug 13 22:37:04 2013] [notice] ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/) configured.
    Thank you.
     
  6. quizknows

    quizknows Well-Known Member

    A couple things could be happening here.

    Unlikely, but if there is no rule ID on that line of that file, try adding one.

    It's also possible whatever conf file is calling "Include /usr/local/apache/conf/modsec_rules/00_asl_whitelist.conf" (probably your modsec2.user.conf) has a rule right before that include line that is missing an ID.

    If a rule ID is missing, it's easy to add, but make sure if it's a multi-line rule (i.e. the first line says "chain" in the actions) that you ID the first line.

    I.e.

    SecRule REQUEST_URI "This_is_bad" "deny,chain"
    SecRule REQUEST_HEADERS:User-Agent "Second bad condition"

    You would add to the "deny,chain" part:

    SecRule REQUEST_URI "This_is_bad" "deny,chain,id:29725"
    SecRule REQUEST_HEADERS:User-Agent "Second bad condition"
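
The check described in the post above, as an added example that is not part of the original thread: a Python script that reports the line number of every SecRule or SecAction with no id, skipping the follow-on rules of a chain because only the chain's first line carries the ID. The sample rules, the function names and the id 29726 are constructed for illustration.

```python
import re
import shlex

SAMPLE_CONF = r'''# Constructed sample rules, not taken from a real rule set.
SecRule REQUEST_URI "This_is_bad" "deny,chain"
SecRule REQUEST_HEADERS:User-Agent "Second bad condition"
SecRule REQUEST_URI "This_is_bad" "deny,chain,id:29725"
SecRule REQUEST_HEADERS:User-Agent "Second bad condition"
SecRule ARGS "@contains foo" \
    "phase:2,deny,msg:'literal text, id:1 is not an action'"
SecAction "phase:1,nolog,pass,id:29726"
'''

def logical_lines(text):
    """Yield (first_line_number, directive), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start if buf else n
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        if buf and not buf.startswith("#"):
            yield start, buf
        buf = ""

def action_names(actions):
    """Split an action list on commas outside single quotes; return the names."""
    parts = re.findall(r"(?:[^,']|'[^']*')+", actions)
    return {p.split(":", 1)[0].strip().lower() for p in parts}

def rules_missing_id(text):
    """Return line numbers of SecRule/SecAction chain starters with no id."""
    missing, in_chain = [], False
    for lineno, directive in logical_lines(text):
        try:
            args = shlex.split(directive)
        except ValueError:
            continue  # unbalanced quotes: not parseable by this check
        if not args or args[0] not in ("SecRule", "SecAction"):
            continue
        idx = 3 if args[0] == "SecRule" else 1  # position of the action list
        names = action_names(args[idx]) if len(args) > idx else set()
        if not in_chain and "id" not in names:
            missing.append(lineno)
        in_chain = "chain" in names  # the next rule continues this chain
    return missing

if __name__ == "__main__":
    print(rules_missing_id(SAMPLE_CONF))
```

To check a real file, pass its contents to `rules_missing_id()`; files pulled in by `Include` lines have to be checked separately.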
     
  7. ashworth102680

    ashworth102680 Active Member

    That helped a ton. Thanks Michael!
     