ModSecurity Auto Updater

Secmas

Well-Known Member
Feb 18, 2005
390
21
168
Hi all,
after playing a while with my own auto updater, finally, I decided to make it public so you can update your modsec rules from GotRoot.com, paid or not.

Please note, this script is an "UPDATER" not an "installer"; if you are installing GotRoot rules for the first time you will need to do that before using my script, thanks.


HOW TO USE IT:
1. Download GotRoot rules from Welcome : Got Root and save it in your /tmp file.
2. Save the script in its own folder and make the script executable (chmod u+x)
3. At running time the script will ask you for the file version, nothing else, then it will do everything automatically for you.
So, for example, if the rule file is called modsec-201001121214.tar.gz, you will have to write "201001121214".
The script will test Apache to check everything was fine, if it is, you could restart apache from there or do it later manually.
4. Read any text inside the file for any last minute update.

The script will save a backup with your actual rules before it does the update, if Apache gives any error, you can manually restore everything on its place.

How the script works:
1. The script checks that the rule file is already saved on the /tmp directory.
2. It unpacks everything in a temporary folder.
3. Modifies some rules to be 100% compatible with CPanel.
4. Saves the actual rules in a directory, just in case needed to do a manual restore.
5. Replaces all the modsec_rule files with the new ones.
6. Checks that Apache runs with the new rules.
7. Deletes all the temporary files used.
8. The script ends.

If you use this script, it is at your own risk and we don't assume any responsibility.

To use the script, you need to download it from my web site PuntaPirata Home Page, if you have any comments, please use this thread.


Hope you save a lot of time as I have done with it.

Regards,
Sergio

HOW TO UNINSTALL THE UPDATE
If you have any troubles updating your rules and need to set everything back, you can do it very easily, just do the following steps:
1. Enter as root into your server.
2. Delete all the rules inside the directory /usr/local/apache/conf/modsec_rules/
3. Go to your /tmp file and look for any directory called "MODSECOLD" or that starts with that name.
4. Copy the rules that are inside the MODSECOLD directory to your /usr/local/apache/conf/modsec_rules/
5. Restart APACHE and that's all to do.

If you have done any modifications to your MODSEC2.CONF or MODSEC2.USER.CONF files just delete the lines that you added before restarting APACHE.


NEW MOD SECURITY 2.5.12 ISSUED BY CPANEL
If you have already installed 2.5.12 chances are that you will have the following error in your MODSEC:
Rule execution error - PCRE limits exceeded (-8): (null).
To fix this error you need to do the following:
1. Add to your PHP.INI the following commands:
pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000
2. Add to your MODSEC2.USER.CONF file the following commands:
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
This will fix any issues with the new 2.5.12

AUTOUPDATER ver 1.03: (April 9, 2010 - 09:30)
New version 1.03 is released.
It fixes minor bugs.

NEW SECTION IN WEB SITE (July, 19, 2010 - 12:31)
We have added a new section called "ModSec Rules"; there we will be adding rules that can be used in your modsecurity.
If you have any rule that you want to share, you are welcome.

PUNTAPIRATA-BADOMAINS 2,100 domains (April 11, 2010 - 23:30)
PUNTAPIRATA-BADOMAINS 2,400 domains (April 18, 2010 - 20:45)
PUNTAPIRATA-BADOMAINS 2,620 domains (April 25, 2010 - 22:18)
PUNTAPIRATA-BADOMAINS 2,965 domains (May 09, 2010 - 09:06)
PUNTAPIRATA-BADOMAINS 3,543 domains (May 16, 2010 - 21:26)
PUNTAPIRATA-BADOMAINS 6,533 domains (July 19, 2010 - 12:31)
Last file contains more than 6,500 blacklisted domains used to spam blogs, forums, any type of posts.
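The backup / replace / test / restore sequence described under "How the script works", together with the manual rollback under "HOW TO UNINSTALL THE UPDATE", as an added example written for this thread (it is not the PuntaPirata updater.sh). The rules directory, the /tmp location and the config-test command are assumptions and can be overridden in the environment; the script rolls the old rules back by itself when the config test fails.

```shell
#!/bin/sh
# Added example, not the PuntaPirata updater: install a GotRoot rule archive
# with a backup and automatic rollback if the Apache config test fails.
# Assumed paths/commands; override them in the environment if yours differ.
RULES_DIR="${RULES_DIR:-/usr/local/apache/conf/modsec_rules}"
TMPBASE="${TMPBASE:-/tmp}"
CONFIGTEST="${CONFIGTEST:-/usr/local/apache/bin/apachectl -t}"

# update_rules VERSION
#   expects $TMPBASE/modsec-VERSION.tar.gz (e.g. VERSION=201001121214)
#   returns 0 = installed, 1 = config test failed and old rules restored,
#           2 = bad version string or missing/unreadable archive
update_rules() {
    version="$1"
    case "$version" in
        ''|*[!0-9]*) echo "version must be digits only" >&2; return 2 ;;
    esac
    archive="$TMPBASE/modsec-$version.tar.gz"
    [ -f "$archive" ] || { echo "missing $archive" >&2; return 2; }
    backup="$TMPBASE/MODSECOLD-$version"
    work=$(mktemp -d "$TMPBASE/modsec-work.XXXXXX") || return 2
    tar -xzf "$archive" -C "$work" || { rm -rf "$work"; return 2; }
    # 1. keep the rules now in use so a manual restore is always possible
    rm -rf "$backup"
    mkdir -p "$backup" "$RULES_DIR"
    cp -p "$RULES_DIR"/*.conf "$backup"/ 2>/dev/null || true
    # 2. replace them with the .conf files from the archive (nothing else)
    rm -f "$RULES_DIR"/*.conf
    find "$work" -name '*.conf' -exec cp -p {} "$RULES_DIR"/ \;
    rm -rf "$work"
    # 3. test the new set; never leave Apache with a broken configuration
    if $CONFIGTEST >/dev/null 2>&1; then
        echo "rules $version installed; previous set kept in $backup"
        return 0
    fi
    rm -f "$RULES_DIR"/*.conf
    cp -p "$backup"/*.conf "$RULES_DIR"/ 2>/dev/null || true
    echo "config test failed; rules restored from $backup" >&2
    return 1
}
```

Run it as root with the version number from the archive name, e.g. `update_rules 201001121214`; the MODSECOLD-VERSION directory is the one the uninstall steps above tell you to copy back.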
 

cookiesunshinex

Well-Known Member
Jun 10, 2005
77
0
156
Your site seems to be having problems.
 

fcmgadmin

Member
May 1, 2009
7
0
51
Many thanks sergio

Just to say thanks for all your help today and for the tip about some of the rules from gotroot. I have posted what you said here to help others as well.
Thanks again....

Sergio said if using ASL rules (gotroot)

"I will suggest that you search inside the file updater.sh and modify the following lines

from:
# rm -f 00_asl_rbl.conf
# rm -f 05_asl_scanner.conf
# rm -f 11_asl_data_loss.conf

to:
rm -f 00_asl_rbl.conf
rm -f 05_asl_scanner.conf
rm -f 11_asl_data_loss.conf

these 3 files don't work very well with cpanel modsec and, modifying this, the updater will delete them and make your modsec run much better."



If you don't fancy doing that: when the script is run it creates a folder /usr/local/apache/conf/modsec_rules where it places all the rules files, so you can just delete the three from there.
 

Secmas

Well-Known Member
Feb 18, 2005
390
21
168
I don't delete these files on purpose, because I know there are a lot of people that use them, but in my case I can't use the rbl.conf file as it gives me a lot of false positives, and the scanner.conf doesn't work as it should due to the fact that the rules are made for the ASL hardening, which is completely different from what CPanel has.

On the last file, ASL told me that the use of that file is not needed any more, so it is OK not to use it.

Sergio.
 

Secmas

Well-Known Member
Feb 18, 2005
390
21
168
A new version 1.02 has been released; it now includes an addon that lets you add your own blacklisted domains to the rules.

Also, the main web page has been modified. Now it is easier to read about the new ADDONS that will be added to the updater.

Regards,

Sergio
 

Secmas

Well-Known Member
Feb 18, 2005
390
21
168
NEW VERSION 1.03:
- A minor fix was made to the updater on the addon.
- New file PUNTAPIRATA-BADOMAIN with more than 2,100 blacklisted domains.

Enjoy,

Sergio
 

ikillbill

Well-Known Member
Feb 18, 2008
119
0
66
Hi Sergio

Does your auto updates work with configserver 's CMC product?

How to use your auto update and CMC together?

You said these on your site

SecComponentSignature 201002131758
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# ConfigServer ModSecurity whitelist file remove the mark if you are using ConfigServer CMC.
# Include /usr/local/apache/conf/modsec2.whitelist.conf

#ASL Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
do we need to create those dirs manually though? such as /var/asl/data/audit?
 

Secmas

Well-Known Member
Feb 18, 2005
390
21
168
Well, my autoupdater doesn't have anything to do with CMC, as CMC is a standalone addon in WHM and the autoupdater is a shebang file that "updates" the rules that GotRoot has.

So, you can use both CMC and the autoupdater without any problems at all.

Remember that the main chore of CMC is to make your life easier in managing modsec rules. With CMC you can white list rules by server or by account and that is one of the great things about CMC.

Regarding the directories:
Yes, you need to manually create the following directories ONLY if you are using GotRoot rules:

/var/asl/data/suspicious
/var/asl/data/msa
/var/asl/data/audit

Regards,

Sergio
 

ikillbill

Well-Known Member
Feb 18, 2008
119
0
66
Hi

do they need to be 777?
what if we don't set suggested user.conf, anything bad will happen?
 

Secmas

Well-Known Member
Feb 18, 2005
390
21
168
Hi

do they need to be 777?
You NEVER have to set a directory to 777; that is a security issue. Just set them as 770 on the last directory of the path; the other directories mentioned in the path could be 755.

what if we don't set suggested user.conf, anything bad will happen?
If you don't create the modsec2.user.conf file your ModSec rules will not work at all; those rules are needed for GotRoot to work properly.

Remember that you are using a system that will help you to harden your server and it has to be set accordingly.

Regards,

Sergio
 

kernow

Well-Known Member
Jul 23, 2004
1,031
62
178
cPanel Access Level
Root Administrator
Have an error:
Code:
.......Taking rid of 'asl directories' and Moving files into their positions... please wait.
./updaterules.sh: line 82: cd: /usr/local/apache/conf/modsec_rules/modsec: No such file or directory
sed: can't read 00_asl_whitelist.conf: No such file or directory
sed: can't read 00_asl_rbl.conf: No such file or directory
rmdir: `/usr/local/apache/conf/modsec_rules/modsec': No such file or directory
Testing rules to be sure there are no errors

Syntax OK
Apache configuration PASSED!
And also, after the script updaterules.sh runs, it deletes itself !!
 

Secmas

Well-Known Member
Feb 18, 2005
390
21
168
Hi

here
atomicorp.com • View topic - Announcing the standalone rule updater

you mentioned
on modsec2.user.conf


here
http://www.puntapirata.com/ModSec-Updater.php

You did not mention that line

which one is correct for cpanel server?
My site in PuntaPirata is updated very often, the other post in ASL forum was some time ago.

Also, if you look carefully at my page, yes, I mentioned the SecDataDir, but now it is located at:
SecDataDir /var/asl/data/msa

Regards,

Sergio
 

Secmas

Well-Known Member
Feb 18, 2005
390
21
168
Ok, the errors shown are because you have not installed GotRoot as it should be for the first time:
./updaterules.sh: line 82: cd: /usr/local/apache/conf/modsec_rules/modsec: No such file or directory
The directory /usr/local/apache/conf/modsec_rules had to be created by you the first time when you installed your modsec rules. Remember that my script is an "updater" not an "installer". But, even if you have not created the directory, the script will create it for you.
sed: can't read 00_asl_whitelist.conf: No such file or directory
sed: can't read 00_asl_rbl.conf: No such file or directory
These errors also indicate that you have not installed the GotRoot rules.

And also, after the script updaterules.sh runs, it deletes itself !!
Where did you save the autoupdater script?

Regards,

Sergio
 

kernow

Well-Known Member
Jul 23, 2004
1,031
62
178
cPanel Access Level
Root Administrator
Hi,
Thanks for the advice. The updater script was saved in a directory I named gotroot. After executing the script it deleted itself.
What part of gotroot is not installed? modsecurity is already installed and using cPanel's rules, and I downloaded the gotroot rules to /temp
 