Secmas

Well-Known Member
Feb 18, 2005
331
2
168
Hi,
Thanks for the advice. The updater script was saved in a directory I named gotroot. After executing the script it deleted itself.
What part of gotroot is not installed? modsecurity is already installed and using cpanels rules. and I downloaded the gotroot rules to /temp
Try to save the script in your root directory or any other directory that is not inside "/conf/modsec_rules"

Regards,

Sergio
 

Secmas

Well-Known Member
Feb 18, 2005
331
2
168
** PUNTAPIRATA-BADOMAINS.TXT updated with more than 2,400 domains used for spam blogs, forums, etc.

You can download that file from my site.

Regards,

Sergio
 

Secmas

Well-Known Member
Feb 18, 2005
331
2
168
I will be updating the blacklisted domain file every Sunday night.

The last update contains 2,620 domains used to spam any kind of post, you can use this file with my autoupdater or you can add the content of this file to your own "domain-blacklist.txt" from GotRoot.

Regards,

Sergio
 

Secmas

Well-Known Member
Feb 18, 2005
331
2
168
New mod security 2.5.12 issued by cpanel

NEW MOD SECURITY 2.5.12 ISSUED BY CPANEL
If you have already installed 2.5.12 chances are that you will have the following error in your MODSEC:

Rule execution error - PCRE limits exceeded (-8): (null).
To fix this error you need to do the following:
1. Add to your PHP.INI the following commands:
pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000
2. Add to your MODSEC2.USER.CONF file the following commands:
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000
This will fix any issues with the new 2.5.12

Regards,

Sergio
 

ikillbill

Well-Known Member
Feb 18, 2008
119
0
66
big thanks for this fix!

BUT , errors still around

could cpanel pelase check ?
 
Last edited:

Secmas

Well-Known Member
Feb 18, 2005
331
2
168
big thanks for this fix!

BUT , errors still around

could cpanel pelase check ?
Hi Ikillbill,
what errors are you facing? Are you still continue to receive the PCRE limit error?

If you still continue with this error, please run the following command from root:
/scripts/checkperlmodules
This will fix any error in your perl installation and will help to fix the PCRE error.

Sergio
 

ikillbill

Well-Known Member
Feb 18, 2008
119
0
66
Hi
run /scripts/checkperlmodules

still got these errors


Rule execution error - PCRE limits exceeded (-8): (null).
 

ikillbill

Well-Known Member
Feb 18, 2008
119
0
66
ok, run it twice, errors seems gone now

May I ask what

Code:
pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000
and
Code:
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000


for?
 

Secmas

Well-Known Member
Feb 18, 2005
331
2
168
Hi
run /scripts/checkperlmodules

still got these errors


Rule execution error - PCRE limits exceeded (-8): (null).
Did you run the script a few times?

This is what I did:
1. Run the script until it uploaded all the modules that perl needs.
2. I modified PHP.INI and added the two command lines as I wrote before and each one with a number of 10,000,000 if you fail to add this lines PCRE will continue with the error.
3. Then I modified MODSEC2.USER.CONF to add the other two lines
4. Restarted APACHE and everything was working again.

You will see a lot of PCRE errors in your WHM ModSecurity GUI but don't worry, they will dissapear.

Regards,

Sergio
 

ikillbill

Well-Known Member
Feb 18, 2008
119
0
66
ok, run it twice, errors seems gone now

May I ask what

Code:
pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000
and
Code:
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000
 

Secmas

Well-Known Member
Feb 18, 2005
331
2
168

Knyteguy

Well-Known Member
May 6, 2009
59
0
56
Hi,

First of all thanks, it looks like you put some work into this and I appreciate you giving it to us for free.

The only bug I've found so far (I just installed it), is the script moves itself to the httpd conf directory after running. It also moves any files and directories that happen to be in the same folder as it is in. Luckily my /root directory wasn't very full.

Also, I was wondering what the uninstall process would be in case something does end up not working correctly. I'm using the default config in modsec2.user.conf that cPanel carries, but I appended what you wrote to the top. It seems to be working. The modsec2.conf file also had one line of change from the original cPanel version, which was the line with 127.0.0.1 in it.

Will there be a problem with simply appending all that stuff to the top?

Also, Apache wouldn't start because there was no /etc/asl/whitelist file which is required by some config file. This possibly caused my first downtime on the server. It would be nice if you would specify we need to create certain directories before running the install scripts, as I didn't see any mention of this on your original thread, or on the website.

And lastly, is there any way to confirm this is or is not working? If I still have the default rules running under the cPanel mod sec config, will all of these run concurrently? Will there be any conflicts? If you can fix the couple of bugs that would be great, as then I could add this to a cron.

Thanks again, and in case you missed it above please list the uninstall steps just in case. I'm not 100% sure what this script did, which was probably not a wise move from me as the server admin for my VPS.

-Tony
Starcraft 2 Maps | BlizzMaps.com
http://www.freeguildwebsite.com
 

Secmas

Well-Known Member
Feb 18, 2005
331
2
168
Hi,

First of all thanks, it looks like you put some work into this and I appreciate you giving it to us for free.

The only bug I've found so far (I just installed it), is the script moves itself to the httpd conf directory after running. It also moves any files and directories that happen to be in the same folder as it is in. Luckily my /root directory wasn't very full.

Also, I was wondering what the uninstall process would be in case something does end up not working correctly. I'm using the default config in modsec2.user.conf that cPanel carries, but I appended what you wrote to the top. It seems to be working. The modsec2.conf file also had one line of change from the original cPanel version, which was the line with 127.0.0.1 in it.

Will there be a problem with simply appending all that stuff to the top?

Also, Apache wouldn't start because there was no /etc/asl/whitelist file which is required by some config file. This possibly caused my first downtime on the server. It would be nice if you would specify we need to create certain directories before running the install scripts, as I didn't see any mention of this on your original thread, or on the website.

And lastly, is there any way to confirm this is or is not working? If I still have the default rules running under the cPanel mod sec config, will all of these run concurrently? Will there be any conflicts? If you can fix the couple of bugs that would be great, as then I could add this to a cron.

Thanks again, and in case you missed it above please list the uninstall steps just in case. I'm not 100% sure what this script did, which was probably not a wise move from me as the server admin for my VPS.

-Tony
Starcraft 2 Maps | BlizzMaps.com
http://www.freeguildwebsite.com
Hello Tony,
thanks a lot for your feed back, I will add some text and / or code to my script to help you on this.

I just want to mention that if you read at the posts in this thread, in one of them I wrote that the AUTOUPDATER is in fact to help you "update" the rules from GotRoot that you have installed in your VPS/Server.

My script is not an "installer" and that is why it doesn't creates any directories at all. But you are right, I will mention that in the first post so people don't be confused.

On the other hand and answering to your questions:
1. CPanel has a very special way of handling HTTPD via include files. ModSecurity is one of that things and that is why CPanel has created two files a)MODSEC2.CONF and b)MODSEC2.USER.CONF

Don't write anything to MODSEC2.CONF only use MODSEC2.USER.CONF to handling all the rules that you will be using on your server.

2. CPanel has a specialized structure about MODSEC and it has a directory located in /usr/local/apache/conf/modsec_rules and is in here that you have to save your modsec rules as the name of the directory suggests.

My script saves in there the new rules that you are updating and the old ones are saved in your /tmp directory in a directory called MODSECOLD. So, if you want to have everything as it was before the update, you only need to restore the MODSECOLD contents to the /usr/local/apache/conf/modsec_rules directory and restart apache. It is not hard to do a restore from the last update, even in my first post I have wrote directions about this.

3. If you are planning to use the modsec rules that CPanel has, don't use it, they are just a starting point and are not as good as the ones that GotRoot has.

Finally, I really appreciate your comments and I will proceed to have a revisited version of the script. Also, I suggest that you create the following folders in your server in order for GotRoot rules to work:
/var/asl/data/suspicious
/var/asl/data/msa
/var/asl/data/audit
These directories will not be used for saving any data at all, they only are used because some of the rules checks for them.

Best Regards,

Sergio
 

9xlinux

Well-Known Member
Verifed Vendor
Dec 20, 2009
185
0
66
cPanel Access Level
Root Administrator
There are some error log in apache error log,
Code:
ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied 
ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied
Please help in this regards.
 

Secmas

Well-Known Member
Feb 18, 2005
331
2
168
Hi 9xlinux,
on this directories, set chmod 770.

Sergio
 
Last edited:

Secmas

Well-Known Member
Feb 18, 2005
331
2
168
Which directory?
/var/asl/data/msa/global
or
/var/asl/data/msa/

Please guide.
You have to create 3 directories in order for GotRoot rules to work, they are:
/var/asl/data/msa/
/var/asl/data/audit/
/var/asl/data/suspicious/

all of them use chmod 770
 

ikillbill

Well-Known Member
Feb 18, 2008
119
0
66
Hi

this sounds a wield question, but we do not have those folder to be 770, but no errors like one mentioned above?

we just mkdir those folders and that is it...
 

9xlinux

Well-Known Member
Verifed Vendor
Dec 20, 2009
185
0
66
cPanel Access Level
Root Administrator
Hi

this sounds a wield question, but we do not have those folder to be 770, but no errors like one mentioned above?

we just mkdir those folders and that is it...
It's maybe due to that you are still using old verson of MOD_SECURITY.
Recompile with latest easyapache build and let see.