ModSecurity Auto Updater

Secmas

Well-Known Member
Feb 18, 2005
376
19
168
I'm quite confused on this. I do wish to try. Now, I have already installed mod_security via EasyApache; now how do you update the rules? I don't quite follow it properly.

Is there just one command to run via SSH, or...?


Thanks
Hi GaryT,
if you have installed via EasyApache and you are using WHM/cPanel, the installation has created some folders for you:
- /usr/local/apache/conf
here is where all the .conf files reside
- /usr/local/apache/modsec_rules
here is where your mod_security rules are located.

When you have just created your mod_security setup, cPanel saves a set of rules that, just for a start, are not as good as the ones created by Prometheus Group AKA GotRoot and the ones created by Breach; there could be others.

My auto updater uses the ones from GotRoot. So, if you are going to use my script you will have to remember that my script is not an installer; for the installation you will need to read the GotRoot web site and do what they say to do. Only after that could you use my auto updater on a daily basis, if you wish to have the latest rules installed on your server.

Sergio
 

GaryT

Well-Known Member
May 19, 2010
320
3
68
Yeah, in WHM I see mod_security in the plugins already, and in the edit_config it has a few rules now. Just when I go to the GotRoot website it does not say anything about just updating the rules, just the installation of mod_security, which I need to skip as I already have this.
 

Secmas
That is good, as you already have everything done. But just checking, have you created the following directories?
- /var/asl/data/suspicious
- /var/asl/data/msa
- /var/asl/data/audit

They will not be needed in WHM, but GotRoot uses them for their rules, so you need to create them.

If everything is fine, then just follow the instructions on my web site.

If you want to do the update manually, just copy the modsec rules from GotRoot to the folder at /usr/local/apache/conf/modsec_rules and that's it.

Sergio
 

Secmas
Ok, I looked here:

http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules

I made the following directories. The rest just baffles me, as it requests me to install it "again".

I would prefer to do it manually, but I cannot see the rules to actually copy :s
Please take a look at the first post of this forum; in there you will read all the info about my auto updater and how to do it. By the way, my web site is ModSec Taylor Made and Tweaks by Sergio

To have the latest rules you have to buy a subscription from GotRoot, but you can use the "delayed" option, which is free; look at this URL, Welcome : Got Root, and look in there for the 90-day delayed rules.

Sergio
 

ikillbill

Well-Known Member
Feb 18, 2008
119
0
66
We followed everything, but still got

Code:
Rule execution error - PCRE limits exceeded (-8): (null).
on our newly loaded server.

Any changes?

* compiled with EasyApache's mod_security
* ran /scripts/checkperlmodules more than 5 times
* edited modsec2.user.conf as:

Code:
SecComponentSignature 201002131758
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# ConfigServer ModSecurity whitelist file; remove the mark if you are using ConfigServer CMC.
Include /usr/local/apache/conf/modsec2.whitelist.conf

#ASL Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf

SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
* edited php.ini and added:

Code:
pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000
Anything else?
 

Secmas
@ikillbill

The commands:
Code:
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
have to be modified to your needs; if you increase the values, the error will disappear.

So, increase your values, but take into account this recommendation:

Brian Rectanus from Breach and OWASP gave me a nice lesson on why I need to lower those values; here is an excerpt of what he is suggesting:

"For example, using a simple aaaaaaaaaaaaaaaaaab style pattern in a parameter payload repeated 50 times makes a request go from .1 seconds to 5.5 seconds with a bad regex and 150,000 limit set. Making the pattern repeat 100 times yields 22.4 seconds to process it! During this time the Apache process is using 100% of one CPU core. This is on a 2.6Ghz dual core box w/4g RAM..."


He also recommended reading the following information:
Regular expression Denial of Service - ReDoS - OWASP
Regards.

Sergio
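An added illustration of the point made in the post above (this is example code written for this page, not part of Sergio's auto updater and not anything from Breach or Atomicorp). The error ikillbill posted, "PCRE limits exceeded (-8)", is PCRE's PCRE_ERROR_MATCHLIMIT: the library gave up because one match attempt made more internal match() calls than SecPcreMatchLimit allows. Raising the limit makes the error go away, but only by letting each request burn more CPU. The snippet below times a nested-quantifier regex, the shape of the "bad regex" in the quoted excerpt, against the aaaa...-style payload, using Python's backtracking re engine as a stand-in for PCRE (the exponential behaviour is the same; Python's re has no match-limit knob, so the budget check here is wall-clock rather than a call count). The patterns, the payload length and the budget are choices made for this example.

```python
import re
import time

# Nested quantifier: on a run of "a"s that ultimately fails to match, every way
# of splitting the run into groups is tried before the engine gives up, so a
# failed match costs O(2^n). This is the shape of the "bad regex" quoted above.
BAD_PATTERN = re.compile(r"^(a+)+$")
# Same language, no nested quantifier: a failed match costs O(n).
GOOD_PATTERN = re.compile(r"^a+$")


def time_match(pattern, payload):
    """Return (matched, seconds) for one anchored match attempt."""
    start = time.perf_counter()
    matched = pattern.match(payload) is not None
    return matched, time.perf_counter() - start


def payload_with_n_repeats(n):
    """Constructed test input: 'a' repeated n times plus one trailing byte that
    makes the match fail only at the very end, forcing the full backtrack."""
    return "a" * n + "!"


def exceeds_budget(pattern, payload, budget_seconds):
    """Pre-deployment check: does this regex spend more than budget_seconds on
    this payload? ModSecurity's equivalent guard is SecPcreMatchLimit, which
    aborts the match with PCRE_ERROR_MATCHLIMIT (-8) instead of timing out."""
    _, seconds = time_match(pattern, payload)
    return seconds > budget_seconds


def growth_report(pattern, n_values):
    """Seconds per payload length, to watch the cost double with every extra 'a'."""
    return {n: time_match(pattern, payload_with_n_repeats(n))[1] for n in n_values}


if __name__ == "__main__":
    for n, secs in growth_report(BAD_PATTERN, (16, 18, 20, 22)).items():
        print("bad pattern  n=%d: %.4f s" % (n, secs))
    for n, secs in growth_report(GOOD_PATTERN, (16, 18, 20, 22)).items():
        print("good pattern n=%d: %.6f s" % (n, secs))
```

Running it shows the bad pattern's time roughly doubling for each extra "a" while the good pattern stays in the microseconds. That is why the limit should be treated as a circuit breaker rather than something to keep raising: a rule whose regex hits it on ordinary traffic needs its expression rewritten (or the rule dropped), because an attacker can choose the payload length.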
 

bunciscakep

Registered
May 8, 2008
3
0
51
Hi Secmas,

after we configured mod_sec from GotRoot, we found the problem that website loading is slower than with the default mod_sec (about 3 - 4 times slower).

I know it's caused by the many rules that are checked.

Is there any way to optimize the rules?
 

Secmas
Hi bunciscakep,
as far as I know there is no way to optimize the rules, but I assure you that even if your site is slower than before, it will be compensated by the security that is now on your server.

Also, it would be nice if you contacted GotRoot's Support and let them know about this issue; I am sure that they will help you even if you are not a regular customer of theirs.

Sergio
 

9xlinux

Well-Known Member
Verifed Vendor
Dec 20, 2009
185
0
66
cPanel Access Level
Root Administrator
Sergio is correct; if you have any issues with the GotRoot/Atomicorp rules, just shoot us an email. You are also encouraged to register on our forums:

Atomicorp Forums

The GotRoot free rules have not been updated since long ago, e.g. since April 5.
As per the free rule policy, you should update the free rules after every 90 days.
Are you still providing free rules?
 

wgalafassijr

Active Member
Jun 23, 2005
25
0
151
Hi Sergio,

I have a cPanel server running with mod_security and the ConfigServer tool to control the rules. Can I install your script without any problem to maintain the rules updated?
 

Secmas
Yes, you can use it without any trouble at all; that is how I have it on my server.

Sergio
 

LBJ

Well-Known Member
Nov 1, 2003
108
21
168
cPanel Access Level
DataCenter Provider
G'day Sergio,

Thank you for making your script available.

Your current version has a bug at line 82 which causes failures in subsequent lines when installing the 90-day delayed version of the GotRoot definitions.

Line 82...

Code:
$LORIODIR="/usr/local/apache/conf/modsec_rules/modsec"
...should be just...

Code:
LORIODIR="/usr/local/apache/conf/modsec_rules/modsec"
Best regards,

LBJ
 

Secmas
Thanks a lot for pointing this out, it has been fixed.

Sergio
 

keddie

Well-Known Member
Nov 17, 2007
50
0
56
Hi Sergio,

I just tried updating the free GotRoot rules with your script and got the following error:

Code:
Apache Configuration FAILED!

Syntax error on line 1 of /usr/local/apache/conf/modsec_rules/domain-spam-whitelist.conf:
Invalid command '.googlesyndication.com/pagead/ads?client=', perhaps misspelled or defined by a module not included in the server configuration

Check the error above and resolve any conflicts before attempting the installation again
The content of domain-spam-whitelist.conf is:

Code:
.googlesyndication.com/pagead/ads?client=
Any ideas?
 

mikegotroot

Well-Known Member
Verifed Vendor
Apr 29, 2008
85
1
58
Yes, that file is not meant to be loaded with the rules; it's a dependency file loaded by the rules themselves. Instructions for installing the Atomicorp/GotRoot rules are available here:

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules

Specifically, you should only tell Apache to load *asl*.conf files:

Code:
Include /full/path/to/your/rules/modsecurity.d/*asl*.conf
But read the entire article referenced above; it includes all the instructions to get your setup done.
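To tie together Sergio's manual procedure from earlier in the thread (create the three /var/asl/data directories, copy the rule set into /usr/local/apache/conf/modsec_rules) and Mike's point that only the *asl*.conf files are Apache configuration, here is an added Python example written for this page. It is not Sergio's auto updater and not Atomicorp's installer. Every path is a parameter, the sample rule files it builds are constructed for the example, and the directive check is a heuristic of mine: a file whose first real line does not look like an Apache or ModSecurity directive is exactly what produces the "Invalid command" error keddie posted when such a file is Included directly. Running httpd -t (or apachectl configtest) on the result and handing the data directories to the Apache user are left to the operator.

```python
import glob
import os
import re
import shutil
import tempfile

# The three data directories the GotRoot/ASL rules expect (named in the thread).
ASL_DATA_SUBDIRS = ("suspicious", "msa", "audit")

# Heuristic (mine, not Apache's parser): the first non-comment line of a file
# that Apache can Include should start with a directive. Rule files start with
# SecRule/SecAction/SecMarker and friends; Include and <IfModule> cover wrapper
# files. A data file such as domain-spam-whitelist.conf starts with
# ".googlesyndication.com/..." instead and fails this check.
DIRECTIVE_RE = re.compile(r"^(Sec[A-Za-z]+|Include(Optional)?|<(/)?[A-Za-z]+)\b")


def ensure_asl_dirs(data_root):
    """Create data_root/{suspicious,msa,audit}; return the paths created."""
    paths = []
    for sub in ASL_DATA_SUBDIRS:
        path = os.path.join(data_root, sub)
        os.makedirs(path, mode=0o750, exist_ok=True)
        paths.append(path)
    return paths


def stage_rules(src_dir, rules_dir):
    """Copy every .conf from an unpacked rule set into rules_dir.
    All of them are copied: the non-*asl* files are data read by the rules."""
    os.makedirs(rules_dir, exist_ok=True)
    copied = []
    for name in sorted(os.listdir(src_dir)):
        if name.endswith(".conf"):
            shutil.copy2(os.path.join(src_dir, name), os.path.join(rules_dir, name))
            copied.append(name)
    return copied


def include_line(rules_dir):
    """The single Include line that belongs in modsec2.user.conf."""
    return "Include %s/*asl*.conf" % rules_dir


def files_loaded_by_include(rules_dir):
    """What Apache would actually load from include_line(rules_dir)."""
    return sorted(os.path.basename(p)
                  for p in glob.glob(os.path.join(rules_dir, "*asl*.conf")))


def non_directive_files(rules_dir):
    """Files whose first real line is not a directive. Including any of these
    directly is what yields Apache's 'Invalid command ...' error."""
    flagged = []
    for name in sorted(os.listdir(rules_dir)):
        with open(os.path.join(rules_dir, name), encoding="utf-8", errors="replace") as fh:
            for line in fh:
                stripped = line.strip()
                if not stripped or stripped.startswith("#"):
                    continue
                if not DIRECTIVE_RE.match(stripped):
                    flagged.append(name)
                break
    return flagged


def demo():
    """Build a constructed rule set in a temp dir and run the whole procedure."""
    work = tempfile.mkdtemp(prefix="modsec-demo-")
    src = os.path.join(work, "unpacked")
    rules_dir = os.path.join(work, "modsec_rules")
    data_root = os.path.join(work, "asl-data")
    os.makedirs(src)
    # Constructed sample files; the SecRule line is illustrative, not a real ASL rule.
    samples = {
        "10_asl_rules.conf": "# sample rule file\nSecRule ARGS \"@contains ../\" \"id:1,phase:2,deny\"\n",
        "domain-spam-whitelist.conf": ".googlesyndication.com/pagead/ads?client=\n",
    }
    for name, body in samples.items():
        with open(os.path.join(src, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    result = {
        "dirs": ensure_asl_dirs(data_root),
        "copied": stage_rules(src, rules_dir),
        "include": include_line(rules_dir),
        "loaded": files_loaded_by_include(rules_dir),
        "data_files": non_directive_files(rules_dir),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-10s %s" % (key, value))
```

In the demo the whitelist file is copied alongside the rules (the rules need it) but is reported under data_files and is absent from loaded, which is the behaviour the *asl* glob is there to guarantee. Running non_directive_files over a freshly staged directory before touching modsec2.user.conf catches a stray Include of such a file before Apache does.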
 

Secmas

Hi Keddie,
the error is not from my script; it is from the file that comes with the GotRoot free rules. As Mike is pointing out, there are files that are exclusive to work with the ASL package. It seems to me that the free rules are not the same as the paid ones, as the paid ones don't have this type of error. Anyway, I really suggest that you try to buy a paid subscription with ASL; it is really worth having, as the free rule set was made about 3 months ago and it could fail to block new attacks.

Sergio