
ModSecurity Auto Updater

Discussion in 'Security' started by Secmas, Feb 13, 2010.

  1. Secmas

    I have an automatic autoupdater for the ones who kindly donate on my site.

    But among the posts in this thread, someone wrote a modification to convert my autoupdater into an automatic one.

    Sergio
     
  2. nzpli

    Hi Sergio

    Thanks for your tip via the ConfigServer forum re the ASL rules at ModSec Taylor Made and Tweaks by Sergio.

    I installed the rules and rebooted Apache, and that went well.

    Through ConfigServer ModSecurity Control, I went and had a look at the log.

    I'm a bit concerned about the searchengines rule; results below:

    www.website1.co.nz 66.249.74.94 303800 [31/Oct/2013:17:37:58 +1300]
    Match of "endsWith .googlebot.com" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "64"] [id "303800"] [rev "3"] [msg "Atomicorp.com WAF Rules: Fake Googlebot webcrawler"]

    www.website2.co.nz 66.249.74.188 303800 [31/Oct/2013:17:35:10 +1300]
    Match of "endsWith .googlebot.com" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "64"] [id "303800"] [rev "3"] [msg "Atomicorp.com WAF Rules: Fake Googlebot webcrawler"]

    www.website1.co.nz 157.55.32.112 303801 [31/Oct/2013:17:33:11 +1300]
    Match of "rx (^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\\.search\\.msn\\.com$)" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "79"] [id "303801"] [rev "6"] [msg "Atomicorp.com WAF Rules: Fake msnbot/bingbot webcrawler"]

    www.website3.com 199.21.99.70 303808 [31/Oct/2013:17:37:55 +1300]
    Match of "rx (\\.yandex\\.(?:ru|com|net)$)" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "164"] [id "303808"] [rev "1"] [msg "Atomicorp.com WAF Rules: Fake Yandex webcrawler."]

    The above all seem legit to me; the IPs are as expected for those search engines.

    I changed the modsec2.user.conf back to what it was, because I don't need those search engines blocked.

    What has been your experience?

    thanks
    Peter
     
    #202 nzpli, Oct 30, 2013
    Last edited: Oct 30, 2013
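Rule 303800 as quoted only checks that REMOTE_HOST ends in .googlebot.com, and ModSecurity fills REMOTE_HOST with the bare client IP unless Apache's HostnameLookups is On, so a hit on a genuine Google address is expected and by itself says nothing about spoofing. Below is an added Python example (not from this thread or the ASL rule set) of the forward-confirmed reverse DNS check a defender would run over those hits to separate a real crawler from a spoofed one; the log lines and DNS answers are constructed so it runs offline.

```python
import re

# Constructed sample in the shape of the summary lines above; the third IP is a
# documentation address given a spoofed PTR to show the failure case.
SAMPLE_LOG = """\
www.website1.co.nz 66.249.74.94 303800 [31/Oct/2013:17:37:58 +1300]
www.website1.co.nz 157.55.32.112 303801 [31/Oct/2013:17:33:11 +1300]
www.website3.com 203.0.113.9 303800 [31/Oct/2013:17:40:02 +1300]
"""
LINE_RE = re.compile(r"^(?P<vhost>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<rule>\d+) \[")

# Rule id -> suffixes the crawler's reverse name must end with (from the rule
# messages quoted in the post).
CRAWLER_SUFFIXES = {
    "303800": (".googlebot.com",),
    "303801": (".search.msn.com",),
    "303808": (".yandex.ru", ".yandex.com", ".yandex.net"),
}

def parse_hits(log):
    # vhost, client IP and rule id from each summary line; other lines are skipped
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def verify_crawler(ip, rule, reverse, forward):
    """Forward-confirmed reverse DNS: the PTR name must end in the crawler's
    domain AND resolve back to the same IP, otherwise the PTR may be spoofed."""
    suffixes = CRAWLER_SUFFIXES.get(rule)
    if suffixes is None:
        return "unknown-rule"
    name = reverse(ip)
    if not name or not name.lower().rstrip(".").endswith(suffixes):
        return "fake"
    return "legit" if ip in forward(name) else "fake"

# Constructed DNS answers so this runs offline; in production wrap
# socket.gethostbyaddr(ip)[0] and socket.gethostbyname_ex(name)[2] (catching socket.error).
PTR = {
    "66.249.74.94": "crawl-66-249-74-94.googlebot.com",
    "157.55.32.112": "msnbot-157-55-32-112.search.msn.com",
    "203.0.113.9": "crawl-66-249-74-94.googlebot.com",  # claims Google; forward lookup disagrees
}
A_RECORDS = {
    "crawl-66-249-74-94.googlebot.com": ["66.249.74.94"],
    "msnbot-157-55-32-112.search.msn.com": ["157.55.32.112"],
}

def classify(log, reverse=PTR.get, forward=lambda n: A_RECORDS.get(n, [])):
    # Map each client IP that tripped a search-engine rule to legit / fake / unknown-rule
    return {h["ip"]: verify_crawler(h["ip"], h["rule"], reverse, forward)
            for h in parse_hits(log)}
```

An IP that passes this check should be whitelisted by address rather than by leaving the rule to trust a name suffix it cannot see.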
  3. quietFinn

    I suggest you just exclude that rules file (00_asl_y_searchengines.conf).
     
  4. nzpli

    Thanks: Do you mean removing the rule, or is there a way of excluding it?

    Peter
     
  5. quietFinn

    The file is included when you have a line like this in modsec2.user.conf:
    Code:
    Include /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf
    
    If you change it to:
    Code:
    # Include /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf
    
    i.e. "comment it out", the file is excluded.
     
  6. nzpli

    I don't have that in my file.

    I followed ModSec Taylor Made and Tweaks by Sergio, and the original modsec2.user.conf had only the following in it:
    Code:
    Include /usr/local/apache/conf/modsec2.whitelist.conf

    So now I have just:
    Code:
    # ASL/GOTROOT Rules
    Include /usr/local/apache/conf/modsec_rules/*asl*.conf

    Can I use, say:
    Code:
    Ignore /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf

    Will that work?

    Peter
     
  7. quietFinn

    OK, with that kind of configuration you just delete the file 00_asl_y_searchengines.conf.

    Nope.
     
  8. nzpli

    Thanks, help appreciated.
     
  9. WhiteDog

    As the free GotRoot feed is no longer available, I decided to revert to the Trustwave paid ruleset. I am also working on a free cPanel/WHM plugin to download, install and manage the Trustwave ruleset. If anyone is using them and is interested in trying this plugin, just send me a DM.
     
  10. texo

    @WhiteDog that sounds very interesting. Will this work with the Configserver ModSec manager we have installed, to update the rulesets?
     
  11. WhiteDog

    The plugin is mainly to download the updated files daily and make it "easy" for us to implement this. I'm sure many of you hate creating bash scripts, configuring cron jobs and "testing" half done solutions as much as I do :) That is the reason I create plugins for things.

    So all you have to do is install the plugin, enter your Trustwave serial and select your desired options and rulesets. A cron job set up by the plugin will then download the updates and activate them.

    So yes, this will work with CSF ModSec Manager: the plugin will just create its own modsec conf file there and insert a one-liner in your user.conf to activate them. ModSec will pick this up.

    My goal towards all of you is to make things easier and understandable. The plugin is nearly finished. I'm at the moment talking to the fine people of Trustwave to get some basic support and "best practices". I can share some screenshots though, please see attachments.

    PS: the plugin is pretty "universal" and can be modified to download any other rulesets out there if needed.
     
