ModSecurity Auto Updater

Discussion in 'Security' started by Secmas, Feb 13, 2010.

  1. Secmas

    Secmas Well-Known Member

    If you are using GotRoot rules without modifying the MODSEC2.USER.CONF as I said on my page, then the 770 has to be used in order for the rules to save the info that the rules are generating; that is why (ikillbill) you don't need to chmod those directories, as you have modsec2.user.conf as on my web site. So, you are ok with that.

    Sergio
     
    #41 Secmas, May 14, 2010
    Last edited: May 14, 2010
  2. Secmas

    Secmas Well-Known Member

    9xlinux,
    no, that is not the case.

    It is because you have your GotRoot rules installation set to use those directories in order for them to work. Check in your modsec2.user.conf if you are using the following commands:

    If you are, then you need to REM them out or delete those lines from your modsec2.user.conf.

    The problem with using those two lines is that all the rule activity is written to those directories, but you will never see it again in your WHM ModSecurity GUI, nor will CSF work blocking them. On the other hand, your /var directory will fill up very quickly, as these directories will be saving a lot of data in there.

    Those directories are only used by people that have installed the ASL Hardening service, and it is not for cPanel.

    Sergio
     
  3. kris1351

    kris1351 Well-Known Member

    Your script is forcing you to run from /tmp, which is fine, but there is a major issue with it. When it cleans up the files that are unpacked, it looks like you are using rm -rf /tmp, which wipes EVERYTHING out of /tmp.
     
  4. Secmas

    Secmas Well-Known Member

    If you look closely, I don't use "-rf" as you said, I only use "-f", so it will not wipe the whole TMP directory. Also, I have declared what to delete; again, please look at the script and it says:

    meaning that it will only be deleting one (1) file.

    Sergio
     
  5. Secmas

    Secmas Well-Known Member

    May 16/2010, read in this post:


    1. NEW PUNTAPIRATA-BADOMAINS.TXT
    2. NEW VALUES FOR PCRE COMMANDS IN MODSEC2.USER.CONF


    1. New domains added:
    I have uploaded the new Puntapirata-Badomains.txt, with more than 3,500 spam domains used in blogs, forums, forms, etc. This last week the spam-blocking activity on my servers was more than normal; how was yours?


    2. New values for PCRE commands:
    If you have installed the new ver 2.5.12 on your servers and used the two new commands for PCRE recursion, you will need to modify the values. Brian Rectanus from Breach and OWASP gave me a nice lesson on why I need to lower those values; here is an excerpt of what he is suggesting:

    "For example, using a simple aaaaaaaaaaaaaaaaaab style pattern in a parameter payload repeated 50 times makes a request go from .1 seconds to 5.5 seconds with a bad regex and 150,000 limit set. Making the pattern repeat 100 times yields 22.4 seconds to process it! During this time the Apache process is using 100% of one CPU core. This is on a 2.6Ghz dual core box w/4g RAM..."


    He also recommended reading the following information:
    Regular expression Denial of Service - ReDoS - OWASP

    So, the new values that I am testing now are as follows:
    With these settings I am getting just a few PCRE errors now, but I feel comfortable with that after reading Brian's suggestions.

    If you had my initial values, I recommend changing them as soon as possible.

    Best Regards,

    Sergio
     
  6. rligg

    rligg Well-Known Member

    I have followed this, but I still get the error for a particular site. I made sure they have no custom php.ini. I'm baffled.
    Is placement in the php.ini and modsec user conf important?

    When I run the following, it seems the ruleset is right:

    PCRE version 8.02 2010-03-19
    Compiled with
    UTF-8 support
    Unicode properties support
    Newline sequence is LF
    \R matches all Unicode newlines
    Internal link size = 2
    POSIX malloc threshold = 10
    Default match limit = 10000000
    Default recursion depth limit = 10000000
    Match recursion uses stack

    Yet I still get: ModSecurity: Rule execution error - PCRE limits exceeded (-8)

    I have updated the per modules like 7 times.
     
    #46 rligg, May 20, 2010
    Last edited: May 20, 2010
  7. Secmas

    Secmas Well-Known Member

    Hello Rligg,
    would you mind sharing with us what IP is triggering this rule?

    I have seen that some crawls from Google or any other search engine trigger this error, but it is because of the way they try to spider your site.

    Also, it would be good to see what values you have set in your modsec2.user.conf file for PCRE.

    Regards,

    Sergio
     
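Added example, not code from anyone in this thread: a small POSIX shell helper that pulls the client IP and URI out of every "PCRE limits exceeded" line in the Apache error log and counts them, which is the first thing to look at before raising SecPcreMatchLimit. The log lines it runs on are constructed for the example in the ModSecurity 2.5 error-log layout.

```shell
#!/bin/sh
# Added example (not code from this thread): list which client IPs and
# URIs trigger "PCRE limits exceeded" in the Apache error log.
# The sample log lines below are constructed; they follow the ModSecurity
# 2.5 error-log layout ([client IP] ... [uri "..."]).
set -eu

# pcre_limit_hits LOGFILE
# Prints one "COUNT IP URI" line per distinct IP/URI pair, most frequent
# first, so the noisiest source can be inspected before limits are raised.
pcre_limit_hits() {
    grep 'PCRE limits exceeded' "$1" \
      | sed -n 's/.*\[client \([^]]*\)\].*\[uri "\([^"]*\)"\].*/\1 \2/p' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# make_sample_log FILE: write constructed error-log lines to FILE.
make_sample_log() {
    cat > "$1" <<'EOF'
[Thu May 20 10:15:02 2010] [error] [client 192.0.2.10] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "blog.example"] [uri "/index.php"] [unique_id "constructed-1"]
[Thu May 20 10:15:09 2010] [error] [client 192.0.2.10] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "blog.example"] [uri "/index.php"] [unique_id "constructed-2"]
[Thu May 20 10:16:41 2010] [error] [client 198.51.100.7] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "blog.example"] [uri "/index.php"] [unique_id "constructed-3"]
[Thu May 20 10:17:00 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [hostname "blog.example"] [uri "/wp-login.php"] [unique_id "constructed-4"]
[Thu May 20 10:18:12 2010] [error] [client 192.0.2.10] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "blog.example"] [uri "/index.php"] [unique_id "constructed-5"]
EOF
}

# Usage: build the sample file, report on it, then delete only that file.
sample=$(mktemp)
make_sample_log "$sample"
pcre_limit_hits "$sample"
rm -f "$sample"
```

On a real server, point pcre_limit_hits at the Apache error_log instead of the sample file; the 403 line in the sample shows that unrelated ModSecurity entries are ignored.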
  8. rligg

    rligg Well-Known Member

    user.conf pcre contents:

    SecPcreMatchLimit 50000
    SecPcreMatchLimitRecursion 5000


    #Generic attack rules pcre format
    #cross site scripting attempt IMG onerror or onload
    SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*="


    The error happens when any IP hits a specific link.
     
  9. Secmas

    Secmas Well-Known Member

    How is your php.ini? Do you have the following two lines in it?
    I have added these two lines at the end of my PHP.INI; just check if you have them.
     
  10. rligg

    rligg Well-Known Member

    Yes I have those two lines in my php.ini
     
  11. Secmas

    Secmas Well-Known Member

    Well, in that case I would suggest testing what value could be used in your MODSEC2.USER.CONF file command:
    SecPcreMatchLimitRecursion 5000

    I really don't like the idea of increasing the values, as I mentioned in a prior post, due to this article:
    Regular expression Denial of Service - ReDoS - OWASP

    OTOH, it would be a good idea to check why that specific site is triggering the PCRE error and fix it at the source.

    Sergio
     
  12. rligg

    rligg Well-Known Member

    Well, that is very hard to do. PCRE affects many blog-type sites where articles are posted via PHP.

    PCRE limits exceeded (-8)
    What does the (-8) represent here?
     
  13. Secmas

    Secmas Well-Known Member

    So, set the values on both commands in MODSEC2.USER.CONF to use 50,000 and check what happens.
     
  14. Secmas

    Secmas Well-Known Member

    July 19/2010, read in this post:

    1. NEW PUNTAPIRATA-BADBOTS RULE.
    2. ATTACKS FROM THE LAST WEEKS.
    3. PUNTAPIRATA-BADOMAINS.TXT FILE UPDATED.


    1. New section added:
    On PuntaPirata.com we have added a new section called "ModSec Rules"; we would like to share rules that you can add into your own ModSecurity rules. The first rule that we have added is one to block bad bots or crawlers. We have seen that a lot of people use .HTACCESS to block this type of attack, but using .HTACCESS will only block this for one site, while the rule that we have written can do that on a server-wide basis; this includes a file that you can update yourself to include your own bad bots or strings that are found in the User-Agent.

    If you have any rule that you want to share, please let me know.

    2. Attacks from the last weeks:
    A few days ago, we saw an attack on the AWSTATS.PL file. ModSecurity got rid of them, but it is interesting to see that an oldie is live again.

    3. PuntaPirata-Badomains.txt update:
    Since our last update, we have collected more than 6,500 domains that spammers are trying to write in any kind of post or form; the update is already on our site.

    Regards,

    Sergio
     
  15. lorio

    lorio Well-Known Member

    This was mentioned before. The poster didn't state what he changed so that the script ran out of the box again.

    Might be just a problem with tar and extracting.
    When using CentOS 5.5 i686 and tar (GNU tar) 1.15.1, the extraction
    isn't creating the missing subdirectory modsec inside modsec_rules.

    1. The script backs up the old modsec_rules directory.
    2. Creates a new modsec_rules directory.
    3. Unpacks the rules archive from tmp to the modsec_rules directory.
    4. The script tries to cd /usr/local/apache/conf/modsec_rules/modsec

    The subdirectory modsec is not there because it wasn't created.

    The files offered at http://downloads.prometheus-group.com/delayed/rules/
    are not packed with a subdirectory modsec.

    It would be nice if someone could comment on whether that is only the case with the delayed rules.
     
  16. Secmas

    Secmas Well-Known Member

    Hello Lorio,
    thanks for letting me know about this issue with my script, a fix will be available shortly.

    I have been using my script with the paid subscription and it does include the modsec directory.

    Regards,

    Sergio
     
  17. Secmas

    Secmas Well-Known Member

    @ Lorio,
    a new UPDATER script has been uploaded, it checks if the directory "modsec" is created or not and acts accordingly.

    Please download the new ver. 1.04 and let me know your thoughts.

    Regards,

    Sergio
     
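Added example, not Sergio's updater script: a POSIX shell function that carries out the four steps lorio lists (back up, recreate, unpack, expect modsec_rules/modsec) together with the directory check that version 1.04 is described as adding, so the rules land in the modsec subdirectory whether or not the archive already contains it. All paths, the archive name and the rule file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Sergio's updater: the four steps lorio lists plus
# the check version 1.04 is described as adding, so the rules end up in
# modsec_rules/modsec whether or not the archive ships that subdirectory.
# Paths and file names are assumptions for illustration.
set -eu

# install_rules ARCHIVE DEST
#   ARCHIVE: downloaded rules tarball, e.g. /tmp/rules.tar.gz
#   DEST:    rules directory, e.g. /usr/local/apache/conf/modsec_rules
# Prints the directory that now holds the rule files.
install_rules() {
    archive=$1
    dest=$2
    # 1. back up the old rules directory (PID suffix keeps backups apart)
    if [ -d "$dest" ]; then
        mv "$dest" "$dest.bak.$$"
    fi
    # 2. create a fresh rules directory
    mkdir -p "$dest"
    # 3. unpack the archive from /tmp into it
    tar -xzf "$archive" -C "$dest"
    # 4. the paid archive ships a "modsec" subdirectory, the delayed one
    #    does not: if it is missing, the unpacked tree itself becomes it
    if [ ! -d "$dest/modsec" ]; then
        unpacked="$dest.unpacked.$$"
        mv "$dest" "$unpacked"
        mkdir -p "$dest"
        mv "$unpacked" "$dest/modsec"
    fi
    # 5. remove only the downloaded archive, never the whole /tmp
    rm -f "$archive"
    echo "$dest/modsec"
}

# Usage: install_rules /tmp/rules.tar.gz /usr/local/apache/conf/modsec_rules
```

The function prints the directory a caller should cd into afterwards, which is the step that failed for the delayed rules in lorio's report.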
  18. lorio

    lorio Well-Known Member

    Sorry for answering late. Looks fine, except for the chosen name of the dirpath var ;-) I think this will save you some questions about why it isn't working.
    Thanks for improving the script.
     
  19. Secmas

    Secmas Well-Known Member

    I really appreciate your input and that is why the var name :)

    Regards,

    Sergio
     
  20. GaryT

    GaryT Well-Known Member

    I'm quite confused by this. I do wish to try. I have already installed mod_security via EasyApache; now how do you update the rules? I don't quite follow it properly.

    Is there just one cmd to run via SSH or..... ?


    Thanks
     