ModSecurity Auto Updater

Discussion in 'Security' started by Secmas, Feb 13, 2010.

  1. Secmas

    Secmas Well-Known Member

    Joined:
    Feb 18, 2005
    Messages:
    330
    Likes Received:
    1
    Trophy Points:
    168
    Try to save the script in your root directory or any other directory that is not inside "/conf/modsec_rules"

    Regards,

    Sergio
     
  2. Secmas

    You're welcome.

    Sergio
     
  3. Secmas

    ** PUNTAPIRATA-BADOMAINS.TXT updated with more than 2,400 domains used for spam blogs, forums, etc.

    You can download that file from my site.

    Regards,

    Sergio
     
  4. Secmas

    I will be updating the blacklisted domain file every Sunday night.

    The last update contains 2,620 domains used to spam any kind of post. You can use this file with my autoupdater or you can add the content of this file to your own "domain-blacklist.txt" from GotRoot.

    Regards,

    Sergio
     
  5. Secmas

    New mod security 2.5.12 issued by cpanel

    NEW MOD SECURITY 2.5.12 ISSUED BY CPANEL
    If you have already installed 2.5.12 chances are that you will have the following error in your MODSEC:

    To fix this error you need to do the following:
    1. Add to your PHP.INI the following commands:
    2. Add to your MODSEC2.USER.CONF file the following commands:
    This will fix any issues with the new 2.5.12

    Regards,

    Sergio
     
  6. ikillbill

    ikillbill Well-Known Member

    Joined:
    Feb 18, 2008
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    66
    Big thanks for this fix!

    BUT errors are still around.

    Could cPanel please check?
     
    #26 ikillbill, May 10, 2010
    Last edited: May 10, 2010
  7. Secmas

    Hi Ikillbill,
    What errors are you facing? Do you still continue to receive the PCRE limit error?

    If you still continue with this error, please run the following command from root:
    This will fix any error in your perl installation and will help to fix the PCRE error.

    Sergio
     
  8. ikillbill

    Hi
    run /scripts/checkperlmodules

    still got these errors


    Rule execution error - PCRE limits exceeded (-8): (null).
     
  9. ikillbill

    OK, ran it twice, errors seem gone now.

    May I ask what

    Code:
    pcre.backtrack_limit = 10000000
    pcre.recursion_limit = 10000000 
    and
    Code:
    SecPcreMatchLimit 150000
    SecPcreMatchLimitRecursion 150000


    for?
     
  10. Secmas

    Did you run the script a few times?

    This is what I did:
    1. Run the script until it uploaded all the modules that perl needs.
    2. I modified PHP.INI and added the two command lines as I wrote before, each one with a number of 10,000,000. If you fail to add these lines, PCRE will continue with the error.
    3. Then I modified MODSEC2.USER.CONF to add the other two lines
    4. Restarted APACHE and everything was working again.

    You will see a lot of PCRE errors in your WHM ModSecurity GUI but don't worry, they will disappear.

    Regards,

    Sergio
     
  11. ikillbill

    OK, ran it twice, errors seem gone now.

    May I ask what

    Code:
    pcre.backtrack_limit = 10000000
    pcre.recursion_limit = 10000000 
    and
    Code:
    SecPcreMatchLimit 150000
    SecPcreMatchLimitRecursion 150000
     
  12. Secmas

  13. Knyteguy

    Knyteguy Well-Known Member

    Joined:
    May 6, 2009
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    56
    Hi,

    First of all thanks, it looks like you put some work into this and I appreciate you giving it to us for free.

    The only bug I've found so far (I just installed it), is the script moves itself to the httpd conf directory after running. It also moves any files and directories that happen to be in the same folder as it is in. Luckily my /root directory wasn't very full.

    Also, I was wondering what the uninstall process would be in case something does end up not working correctly. I'm using the default config in modsec2.user.conf that cPanel carries, but I appended what you wrote to the top. It seems to be working. The modsec2.conf file also had one line of change from the original cPanel version, which was the line with 127.0.0.1 in it.

    Will there be a problem with simply appending all that stuff to the top?

    Also, Apache wouldn't start because there was no /etc/asl/whitelist file which is required by some config file. This possibly caused my first downtime on the server. It would be nice if you would specify we need to create certain directories before running the install scripts, as I didn't see any mention of this on your original thread, or on the website.

    And lastly, is there any way to confirm this is or is not working? If I still have the default rules running under the cPanel mod sec config, will all of these run concurrently? Will there be any conflicts? If you can fix the couple of bugs that would be great, as then I could add this to a cron.

    Thanks again, and in case you missed it above please list the uninstall steps just in case. I'm not 100% sure what this script did, which was probably not a wise move from me as the server admin for my VPS.

    -Tony
    Starcraft 2 Maps | BlizzMaps.com
    http://www.freeguildwebsite.com
     
  14. Secmas

    Hello Tony,
    thanks a lot for your feedback, I will add some text and/or code to my script to help you on this.

    I just want to mention that if you read the posts in this thread, in one of them I wrote that the AUTOUPDATER is in fact to help you "update" the rules from GotRoot that you have installed in your VPS/Server.

    My script is not an "installer" and that is why it doesn't create any directories at all. But you are right, I will mention that in the first post so people aren't confused.

    On the other hand and answering to your questions:
    1. cPanel has a very special way of handling HTTPD via include files. ModSecurity is one of those things and that is why cPanel has created two files: a) MODSEC2.CONF and b) MODSEC2.USER.CONF

    Don't write anything to MODSEC2.CONF; only use MODSEC2.USER.CONF to handle all the rules that you will be using on your server.

    2. cPanel has a specialized structure for MODSEC and it has a directory located in /usr/local/apache/conf/modsec_rules, and it is in here that you have to save your modsec rules, as the name of the directory suggests.

    My script saves in there the new rules that you are updating and the old ones are saved in your /tmp directory in a directory called MODSECOLD. So, if you want to have everything as it was before the update, you only need to restore the MODSECOLD contents to the /usr/local/apache/conf/modsec_rules directory and restart apache. It is not hard to do a restore from the last update; even in my first post I have written directions about this.

    3. If you are planning to use the modsec rules that cPanel has, don't use them; they are just a starting point and are not as good as the ones that GotRoot has.

    Finally, I really appreciate your comments and I will proceed to have a revisited version of the script. Also, I suggest that you create the following folders in your server in order for GotRoot rules to work:
    These directories will not be used for saving any data at all; they are only used because some of the rules check for them.

    Best Regards,

    Sergio
     
  15. 9xlinux

    9xlinux Well-Known Member

    Joined:
    Dec 20, 2009
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    There are some errors in the Apache error log:
    Code:
    ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied 
    ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied 
    Please help in this regard.
     
  16. Secmas

    Hi 9xlinux,
    on these directories, set chmod 770.

    Sergio
     
    #36 Secmas, May 14, 2010
    Last edited: May 14, 2010
  17. 9xlinux

    Which directory?
    /var/asl/data/msa/global
    or
    /var/asl/data/msa/

    Please guide.
     
  18. Secmas

    You have to create 3 directories in order for GotRoot rules to work, they are:
    /var/asl/data/msa/
    /var/asl/data/audit/
    /var/asl/data/suspicious/

    all of them use chmod 770
     
  19. ikillbill

    Hi

    This sounds like a weird question, but we do not have those folders set to 770, and yet no errors like the one mentioned above?

    we just mkdir those folders and that is it...
     
  20. 9xlinux

    It's maybe because you are still using an old version of MOD_SECURITY.
    Recompile with the latest EasyApache build and let's see.
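
Added example, not part of any post in this thread: a shell triage for the two ModSecurity errors reported above. It counts `PCRE limits exceeded` and DBM `Permission denied` lines in an error log and checks the three directories for the 770 mode Sergio gives. The function names, the sample log lines and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Log lines and the temp layout are constructed.

# Count "PCRE limits exceeded" rule errors in an Apache error log ($1).
count_pcre_errors() { grep -c 'PCRE limits exceeded' "$1" || true; }

# Count DBM "Permission denied" errors in an Apache error log ($1).
count_dbm_denied() {
    grep -c 'Failed to access DBM file .*Permission denied' "$1" || true
}

# List each distinct DBM path ModSecurity could not open.
denied_dbm_paths() {
    sed -n 's/.*Failed to access DBM file "\([^"]*\)": Permission denied.*/\1/p' "$1" | sort -u
}

# Report msa/audit/suspicious under base dir $1 that are missing or not mode 770.
# Uses GNU stat (-c '%a'), an assumption that holds on Linux hosts.
check_state_dirs() {
    for d in msa audit suspicious; do
        path="$1/$d"
        if [ ! -d "$path" ]; then
            echo "MISSING $path"
        else
            mode=$(stat -c '%a' "$path")
            [ "$mode" = "770" ] || echo "MODE $mode $path"
        fi
    done
}

# Constructed sample: the message texts match the thread, the rest is made up.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/error_log" <<'EOF'
[Mon May 10 12:00:01 2010] [error] [client 192.0.2.10] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null).
[Fri May 14 09:15:22 2010] [error] ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied
[Fri May 14 09:15:22 2010] [error] ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied
[Fri May 14 09:15:23 2010] [error] ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied
EOF
mkdir -p "$SAMPLE/data/msa" "$SAMPLE/data/audit"   # "suspicious" left missing on purpose
chmod 770 "$SAMPLE/data/msa"
chmod 755 "$SAMPLE/data/audit"

echo "PCRE limit errors:  $(count_pcre_errors "$SAMPLE/error_log")"
echo "DBM denied errors:  $(count_dbm_denied "$SAMPLE/error_log")"
denied_dbm_paths "$SAMPLE/error_log"
check_state_dirs "$SAMPLE/data"
```

On a real server, pass your Apache error log to the first three functions and `/var/asl/data` to `check_state_dirs`.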
     