Secmas

Well-Known Member
Feb 18, 2005
331
2
168
why not to make it more automated with downloading the latest rules directly

Code:
http://updates.atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz
and ignore the date based url .
I have an automatic autoupdater for the ones that kindly donate in my site.

But among the posts that are in this thread, someone wrote a modification to convert my autoupdater in automatic.

Sergio
 

nzpli

Member
Nov 2, 2005
16
0
151
Nelson NZ
cPanel Access Level
Root Administrator
Hi Sergio

Thanks for your tip via configserver forum re asl rules at ModSec Taylor Made and Tweaks by Sergio

I installed the rules and rebooted apache, and that went well

Through ConfigServer ModSecurity Control, I went had a look at the log

Bit concerned about the searchengines rule - results below

www.website1.co.nz 66.249.74.94 303800 [31/Oct/2013:17:37:58 +1300]
Match of "endsWith .googlebot.com" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "64"] [id "303800"] [rev "3"] [msg "Atomicorp.com WAF Rules: Fake Googlebot webcrawler"]

www.website2.co.nz 66.249.74.188 303800 [31/Oct/2013:17:35:10 +1300]
Match of "endsWith .googlebot.com" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "64"] [id "303800"] [rev "3"] [msg "Atomicorp.com WAF Rules: Fake Googlebot webcrawler"]

www.website1.co.nz 157.55.32.112 303801 [31/Oct/2013:17:33:11 +1300]
Match of "rx (^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\\.search\\.msn\\.com$)" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "79"] [id "303801"] [rev "6"] [msg "Atomicorp.com WAF Rules: Fake msnbot/bingbot webcrawler"]

www.website3.com 199.21.99.70 303808 [31/Oct/2013:17:37:55 +1300]
Match of "rx (\\.yandex\\.(?:ru|com|net)$)" against "REMOTE_HOST" required. [file "/usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf"] [line "164"] [id "303808"] [rev "1"] [msg "Atomicorp.com WAF Rules: Fake Yandex webcrawler."]

the above all to me seem legit - IP's as expected for those search engines

I changed the modsec2.user.conf back to what it was, cause I dont need those search engines blocked

What has been your experience?

thanks
Peter
 
Last edited:

quietFinn

Well-Known Member
Feb 4, 2006
1,077
33
178
Finland
cPanel Access Level
Root Administrator
The file is included when you have line like this in modsec2.user.conf
Code:
Include /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf
if you change it to:
Code:
# Include /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf
i.e. "comment it out", the file is excluded.
 

nzpli

Member
Nov 2, 2005
16
0
151
Nelson NZ
cPanel Access Level
Root Administrator
I dont have that in my file

I followed ModSec Taylor Made and Tweaks by Sergio and the original modsec2.user.conf had only the following in it
Include /usr/local/apache/conf/modsec2.whitelist.conf

so now I have just
# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf

can I use say
Ignore /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf

will that work?

Peter
 

quietFinn

Well-Known Member
Feb 4, 2006
1,077
33
178
Finland
cPanel Access Level
Root Administrator
so now I have just
# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
Ok with that kind of configuration you just delete the file 00_asl_y_searchengines.conf

can I use say
Ignore /usr/local/apache/conf/modsec_rules/00_asl_y_searchengines.conf

will that work?
Nope.
 

WhiteDog

Well-Known Member
Feb 19, 2008
138
3
68
As the free GotRoot feed is no longer available, I dediced to revert towards the Trustwave Paid Ruleset. I am also working on a free cPanel/WHM plugin to download, install and manage the Trustwave Ruleset. If anyone is using them and is interested to try this plugin just send me a DM.
 

texo

Well-Known Member
Mar 28, 2007
144
2
168
@WhiteDog that sounds very interesting. Will this work with the Configserver ModSec manager we have installed, to update the rulesets?
 

WhiteDog

Well-Known Member
Feb 19, 2008
138
3
68
@WhiteDog that sounds very interesting. Will this work with the Configserver ModSec manager we have installed, to update the rulesets?
The plugin is mainly to download the updated files daily and make it "easy" for us to implement this. I'm sure many of you hate creating bash scripts, configuring cron jobs and "testing" half done solutions as much as I do :) That is the reason I create plugins for things.

So all you have to do is install the plugin, enter your Trustwave serial and select your desired options and rulesets. A cron job set up by the plugin will then download the updates and activate them.

So yes this will work with CSF ModSec Manager, the plugin will just create it's own modsec conf file there and insert a one-liner in your user.conf to activate them. ModSec will pick this up.

My goal towards all of you is to make things easier and understandable. The plugin is nearly finished. I'm at the moment talking to the fine people of Trustwave to get some basic support and "best practices". I can share some screenshots though, please see attachments.

PS: the plugin is pretty "universal" and can be modified to download any other rulesets out there if needed.
 

Attachments