
ModSecurity Auto Updater

Discussion in 'Security' started by Secmas, Feb 13, 2010.

  1. Secmas

    Secmas Well-Known Member

    Joined:
    Feb 18, 2005
    Messages:
    321
    Likes Received:
    0
    Trophy Points:
    16
    Hi all,
    After playing a while with my own auto updater, I finally decided to make it public so you can update your modsec rules from GotRoot.com, paid or not.

    Please note, this script is an "UPDATER" not an "installer",
    if you are installing GotRoot rules for the first time you
    will need to do that before using my script, thanks.


    HOW TO USE IT:
    1. Download GotRoot rules from Welcome : Got Root and save it in your /tmp file.
    2. Save the script in its own folder and make the script executable (chmod u+x)
    3. At running time the script will ask you for the file version, nothing else, then it will do everything automatically for you.
    So, for example, if the rule file is called modsec-201001121214.tar.gz, you will have to write "201001121214".
    The script will test Apache to check everything is fine; if it is, you can restart Apache from there or do it later manually.
    4. Read any text inside the file for any last minute update.

    The script will save a backup of your current rules before it does the update; if Apache gives any error, you can manually restore everything to its place.

    How the script works:
    1. The script checks that the rule file is already saved on the /tmp directory.
    2. It unpacks everything in a temporary folder.
    3. Modifies some rules to be 100% compatible with CPanel.
    4. Saves the current rules in a directory, just in case you need to do a manual restore.
    5. Replaces all the modsec_rule files with the new ones.
    6. Checks that Apache runs with the new rules.
    7. Deletes all the temporary files used.
    8. The script ends.

    If you use this script, it is at your own risk and we don't assume any responsibility.

    To use the script, you need to download it from my web site PuntaPirata Home Page. If you have any comments, please use this thread.


    Hope you save a lot of time as I have done with it.

    Regards,
    Sergio

    HOW TO UNINSTALL THE UPDATE
    If you have any troubles updating your rules and need to set everything back, you can do it very easily, just do the following steps:
    1. Enter as root into your server.
    2. Delete all the rules inside the directory /usr/local/apache/conf/modsec_rules/
    3. Go to your /tmp file and look for any directory called "MODSECOLD" or that starts with that name.
    4. Copy the rules that are inside the MODSECOLD directory to your /usr/local/apache/conf/modsec_rules/
    5. Restart APACHE and that's all there is to do.

    If you have done any modifications to your MODSEC2.CONF or MODSEC2.USER.CONF files just delete the lines that you added before restarting APACHE.


    NEW MOD SECURITY 2.5.12 ISSUED BY CPANEL
    If you have already installed 2.5.12 chances are that you will have the following error in your MODSEC:
    To fix this error you need to do the following:
    1. Add to your PHP.INI the following commands:
    2. Add to your MODSEC2.USER.CONF file the following commands:
    This will fix any issues with the new 2.5.12

    AUTOUPDATER ver 1.03: (April 9, 2010 - 09:30)
    New version 1.03 is released.
    It fixes minor bugs.

    NEW SECTION IN WEB SITE (July, 19, 2010 - 12:31)
    We have added a new section called "ModSec Rules"; in there we will be adding rules that can be used in your modsecurity.
    If you have any rule that you want to share, you are welcome.

    PUNTAPIRATA-BADOMAINS 2,100 domains (April 11, 2010 - 23:30)
    PUNTAPIRATA-BADOMAINS 2,400 domains (April 18, 2010 - 20:45)
    PUNTAPIRATA-BADOMAINS 2,620 domains (April 25, 2010 - 22:18)
    PUNTAPIRATA-BADOMAINS 2,965 domains (May 09, 2010 - 09:06)
    PUNTAPIRATA-BADOMAINS 3,543 domains (May 16, 2010 - 21:26)
    PUNTAPIRATA-BADOMAINS 6,533 domains (July 19, 2010 - 12:31)
    Last file contains more than 6,500 blacklisted domains used to spam blogs, forums, any type of posts.
     
    #1 Secmas, Feb 13, 2010
    Last edited: Jul 19, 2010
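
The update flow the first post describes (check the archive in /tmp, unpack, back up to a MODSECOLD directory, replace, test Apache, clean up), sketched as an added example that is not the PuntaPirata script or part of the original post. The function name, its arguments and the default `apachectl configtest` check are assumptions; the cPanel-compatibility edits of step 3 are not on the page and are left out, and the rollback automates the manual restore the post describes.

```sh
# Added example, not the PuntaPirata updater. Assumed names: update_rules and
# its arguments; "apachectl configtest" as the default syntax check.
# Usage: update_rules 201001121214 /tmp /usr/local/apache/conf/modsec_rules
update_rules() (
    version=$1 tmp_dir=$2 rules_dir=$3
    shift 3
    [ $# -gt 0 ] || set -- apachectl configtest

    # The version is typed by the operator and becomes part of a path:
    # accept digits only so it cannot contain "/" or "..".
    case $version in
        ''|*[!0-9]*) echo "bad version: $version" >&2; exit 2 ;;
    esac
    archive="$tmp_dir/modsec-$version.tar.gz"
    [ -f "$archive" ] || { echo "missing $archive" >&2; exit 3; }
    [ -d "$rules_dir" ] || { echo "missing $rules_dir" >&2; exit 3; }

    # mktemp gives unpredictable, owner-only directories inside shared /tmp.
    work=$(mktemp -d "$tmp_dir/modsecnew.XXXXXX") || exit 4
    tar -xzf "$archive" -C "$work" || { rm -rf "$work"; exit 4; }
    # Refuse archives carrying symlinks, devices or other special files.
    [ -z "$(find "$work" ! -type f ! -type d)" ] || { rm -rf "$work"; exit 4; }

    # Back up the live rules, then swap in the new *.conf files.
    backup=$(mktemp -d "$tmp_dir/MODSECOLD.XXXXXX") || { rm -rf "$work"; exit 5; }
    cp -Rp "$rules_dir"/. "$backup"/ || { rm -rf "$work"; exit 5; }
    rm -f "$rules_dir"/*.conf
    find "$work" -type f -name '*.conf' -exec cp {} "$rules_dir"/ \;
    rm -rf "$work"

    # Syntax-check before any restart; on failure put the old rules back.
    if ! "$@" >/dev/null 2>&1; then
        rm -f "$rules_dir"/*.conf
        cp -Rp "$backup"/. "$rules_dir"/
        echo "config test failed; rules restored from $backup" >&2
        exit 1
    fi
    echo "rules updated; previous rules kept in $backup"
)
```

The backup directory is kept after a successful run, so the manual uninstall steps from the post still apply.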
  2. cookiesunshinex

    cookiesunshinex Well-Known Member

    Joined:
    Jun 10, 2005
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    6
    Your site seems to be having problems.
     
  3. Secmas

    No, the site is working just fine; it could be that your IP is blocked. Please send me your IP via PM and I will check it for you.

    Sergio.
     
  4. fcmgadmin

    fcmgadmin Member

    Joined:
    May 1, 2009
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Can't access your site

    I can't access your site either, tried via a couple of proxies as well
     
  5. Secmas

    Please send me your IP via PM and I will check if it is not blocked in my firewall, thanks.

    Sergio.
     
  6. fcmgadmin

    It's loading now

    It's OK, the site is loading now, many thanks for the reply though.
     
  7. fcmgadmin

    Many thanks sergio

    Just to say thanks for all your help today and for the tip about some of the rules from gotroot. I have posted what you said here to help others as well.

    Thanks again....

    Sergio said if using ASL rules (gotroot)

    "I will suggest that you search inside the file updater.sh and modify the following lines

    from:
    # rm -f 00_asl_rbl.conf
    # rm -f 05_asl_scanner.conf
    # rm -f 11_asl_data_loss.conf

    to:
    rm -f 00_asl_rbl.conf
    rm -f 05_asl_scanner.conf
    rm -f 11_asl_data_loss.conf

    these 3 files don't work very well with cpanel modsec and modifying this, the updater will delete them and make your modsec run much better."



    If you don't fancy doing that, when the script is run it creates a folder /usr/local/apache/conf/modsec_rules where it places all the rules files; you can just delete the three from there.
     
  8. Secmas

    I don't delete these files on purpose, because I know there are a lot of people that use them, but in my case I can't use the rbl.conf file as it gives me a lot of false positives, and the scanner.conf doesn't work as it should due to the fact that the rules are made for the ASL hardening and it is completely different from what a cPanel has.

    On the last file, ASL told me that the use of that file is not needed any more, so it is OK not to use it.

    Sergio.
     
  9. Secmas

    A new version 1.02 has been released; it now includes an addon that lets you add your own blacklisted domains to the rules.

    Also, the main web page has been modified. Now it is easier to read about the new ADDONS that will be added to the updater.

    Regards,

    Sergio
     
  10. Secmas

    NEW VERSION 1.03:
    - A minor fix was made to the updater on the addon.
    - New file PUNTAPIRATA-BADOMAIN with more than 2,100 blacklisted domains.

    Enjoy,

    Sergio
     
  11. ikillbill

    ikillbill Well-Known Member

    Joined:
    Feb 18, 2008
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    Hi Sergio

    Do your auto updates work with configserver's CMC product?

    How to use your auto update and CMC together?

    You said these on your site

    do we need to create those dirs manually though? such as /var/asl/data/audit?
     
  12. Secmas

    Well, my autoupdater doesn't have anything to do with CMC, as CMC is a standalone addon in WHM and the autoupdater is a shebang file that "updates" the rules that GotRoot has.

    So, you can use both CMC and the autoupdater without any problems at all.

    Remember that the main chore of CMC is to make your life easier in managing modsec rules. With CMC you can white list rules by server or by account and that is one of the great things about CMC.

    Regarding the directories:
    Yes, you need to manually create the following directories ONLY if you are using GotRoot rules:

    /var/asl/data/suspicious
    /var/asl/data/msa
    /var/asl/data/audit

    Regards,

    Sergio
     
  13. ikillbill

    Hi

    Do they need to be 777?
    What if we don't set the suggested user.conf, will anything bad happen?
     
  14. Secmas

    You NEVER have to set a directory to 777; that is a security issue. Just set them as 770 on the last directory in the path; the other directories mentioned in the path could be 755.

    If you don't create the modsec2.user.conf file your ModSec rules will not work at all; those rules are needed for GotRoot to work properly.

    Remember that you are using a system that will help you to harden your server and it has to be set accordingly.

    Regards,

    Sergio
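
The permission advice from the two replies above (three directories under /var/asl/data, 770 on the last component, 755 on the path leading to it), as an added example that is not part of the thread. `make_asl_dirs` and `world_writable` are hypothetical helper names, and the optional owner:group argument is an assumption, since the thread does not say which account must own the directories.

```sh
# Added example. make_asl_dirs and world_writable are hypothetical helpers;
# the optional owner:group argument is an assumption (the thread names none).
# Usage: make_asl_dirs /var/asl/data [owner:group]
make_asl_dirs() (
    base=${1:-/var/asl/data} owner=$2
    # Parents that mkdir -p has to create come out as 755 with this umask;
    # directories that already exist are left untouched.
    umask 022
    mkdir -p "$base" || exit 1
    chmod 755 "$base"
    for leaf in suspicious msa audit; do
        mkdir -p "$base/$leaf" || exit 1
        # 770: owner and group only, nothing for other local users.
        chmod 770 "$base/$leaf"
        [ -z "$owner" ] || chown "$owner" "$base/$leaf" || exit 1
    done
)

# Print every directory under $1 that any local user can write to
# (the 777 case the reply warns against).
world_writable() {
    find "$1" -type d -perm -0002
}
```

Running `world_writable /var/asl` after any rule update or manual change should print nothing.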
     
  15. ikillbill

  16. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Have an error:
    Code:
    .......Taking rid of 'asl directories' and Moving files into their positions... please wait.
    ./updaterules.sh: line 82: cd: /usr/local/apache/conf/modsec_rules/modsec: No such file or directory
    sed: can't read 00_asl_whitelist.conf: No such file or directory                                    
    sed: can't read 00_asl_rbl.conf: No such file or directory                                          
    rmdir: `/usr/local/apache/conf/modsec_rules/modsec': No such file or directory                      
    Testing rules to be sure there are no errors                                                        
    
    Syntax OK
    Apache configuration PASSED!
    And also, after the script updaterules.sh runs, it deletes itself !!
     
  17. Secmas

    My site in PuntaPirata is updated very often, the other post in ASL forum was some time ago.

    Also, if you look carefully at my page, yes, I mentioned the SecDataDir, but now it is located at:
    SecDataDir /var/asl/data/msa

    Regards,

    Sergio
     
  18. Secmas

    Ok, the errors shown are because you have not installed GotRoot as it should be for the first time:
    The directory /usr/local/apache/conf/modsec_rules had to be created by you the first time when you installed your modsec rules. Remember that my script is an "updater" not an "installer". But, even if you have not created the directory, the script will create it for you.
    These errors also indicate that you have not installed GotRoot rules.

    Where did you save the autoupdater script?

    Regards,

    Sergio
     
  19. kernow

    Hi,
    Thanks for the advice. The updater script was saved in a directory I named gotroot. After executing the script it deleted itself.
    What part of gotroot is not installed? ModSecurity is already installed and using cPanel's rules, and I downloaded the gotroot rules to /temp
     
    #19 kernow, Apr 11, 2010
    Last edited: Apr 11, 2010
  20. kernow

    Secmas all fixed now.
    Thanks for the scripts :)
     