ModSecurity Auto Updater

Discussion in 'Security' started by Secmas, Feb 13, 2010.

  1. Secmas

    Secmas Well-Known Member

    Joined:
    Feb 18, 2005
    Messages:
    330
    Likes Received:
    1
    Trophy Points:
    168
    Hi GaryT,
    if you have installed via EasyApache and you are using WHM/CPanel, the installation has created some folders for you:
    - /usr/local/apache/conf
    here is where all the .CONF files reside
    - /usr/local/apache/modesec_rules
    here is where your modsecurity rules are located.

    When you have just created your modsecurity, CPanel saves a set of rules that, just for a start, are not as good as the ones created by Prometeous Group AKA GotRoot and the ones created by BREACH; there could be others.

    My auto updater uses the ones from GotRoot. So, if you are going to use my script you will have to remember that my script is not an installer; for the installation you will need to read the GotRoot web site and do what they said to do. Only after that could you use my auto updater on a daily basis if you wish to have the latest rules installed on your server.

    Sergio
     
  2. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    320
    Likes Received:
    3
    Trophy Points:
    68
    Yeah, in WHM I see mod security in the plugins already, and in the edit_config it has a few rules now. Just when I go to the gotroot website it does not say anything about just updating the rules, just the installation of mod_security, which I need to skip as I already have this.
     
  3. Secmas

    That is good as you already have everything done. But just checking, have you created the following directories?
    - /var/asl/data/suspicious
    - /var/asl/data/msa
    - /var/asl/data/audit

    they will not be needed in WHM, but GotRoot uses them for their rules, so, you need to create them.

    If everything is fine, then just follow the instructions in my web site.

    If you want to do the update manually, just copy the modsec rules from gotroot to the folder at /usr/local/apache/conf/modsec_rules and that's it.

    Sergio
     
  4. GaryT

    #64 GaryT, Aug 11, 2010
    Last edited: Aug 11, 2010
  5. Secmas

    Please take a look at the first post of this forum, in there you will read all the info about my auto updater and how to do it. By the way, my web site is ModSec Taylor Made and Tweaks by Sergio

    To have the latest rules you have to buy a subscription from GotRoot, but you can use the "delayed" option that is free; look at this URL, Welcome : Got Root, and look in there for the 90 delayed rules.

    Sergio
     
  6. ikillbill

    ikillbill Well-Known Member

    Joined:
    Feb 18, 2008
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    66
    we follow everything, but still got

    Rule execution error - PCRE limits exceeded (-8): (null).

    on our newly loaded server

    any changes?

    *compile with easyapache 's mod_security
    *run /scripts/checkperlmodules more than 5 times
    *edit modsec2.user.conf as

    *edit php.ini and added

    pcre.backtrack_limit = 10000000

    pcre.recursion_limit = 10000000

    anything else?
     
  7. Secmas

    @ ikillbill

    The commands:
    Have to be modified to your needs; if you increase the values, the error will disappear.

    So, increase your values but take into account this recommendation:

    Regards.

    Sergio
     
  8. bunciscakep

    bunciscakep Registered

    Joined:
    May 8, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Hi Secmas,

    after we configure mod_sec from gotroot, we found a problem: website loading is slower than with the default mod_sec (about 3 - 4 times slower).

    I know it's caused by the many rules that are checked.

    Is there any way to optimize the rules?
     
  9. Secmas

    Hi bunciscakep,
    as far as I know there is no way to optimize the rules, but I assure you that even if your site is slower than before, it will be compensated by the security that now is on your server.

    Also, it will be nice if you contact GotRoot's Support and let them know about this issue; I am sure that they will help you even if you are not a regular customer of theirs.

    Sergio
     
  10. mikegotroot

    mikegotroot Well-Known Member

    Joined:
    Apr 29, 2008
    Messages:
    85
    Likes Received:
    1
    Trophy Points:
    58
    Sergio is correct, if you have any issues with the GotRoot/Atomicorp rules just shoot us an email. You are also encouraged to register on our forums:

    Atomicorp Forums
     
  11. 9xlinux

    9xlinux Well-Known Member

    Joined:
    Dec 20, 2009
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator

    gotroot free rules have not been updated for a long time, e.g. since April 5.
    As per free rule policy you should update free rules after every 90 days.
    Are you still providing free rules?
     
  12. wgalafassijr

    wgalafassijr Active Member

    Joined:
    Jun 23, 2005
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    151
    Hi Sergio,

    I have a cpanel server running with mod_security and the config server tool to control the rules. Can I install your script without any problem to keep the rules updated?
     
  13. Secmas

    Yes, you can use it without any troubles at all, that is how I have it in my server.

    Sergio
     
  14. LBJ

    LBJ Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    77
    Likes Received:
    2
    Trophy Points:
    158
    G'day Sergio,

    Thank you for making your script available.

    Your current version has a bug at line 82 which causes failures in subsequent lines when installing the 90 day delayed version of the gotroot definitions.

    Line 82...

    Code:
    $LORIODIR="/usr/local/apache/conf/modsec_rules/modsec"
    ...should be just...

    Code:
    LORIODIR="/usr/local/apache/conf/modsec_rules/modsec"
    Best regards,

    LBJ
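
Why this typo breaks the later lines, as an added example (not part of LBJ's post or of Sergio's script): with a leading `$` the shell expands the unset variable and tries to run the remainder as a command, so `LORIODIR` stays empty, and `sh -n` does not flag it. The `echo` line and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: line 1 is the typo quoted in the post above; line 2 is a
# stand-in for the later lines of an updater that use the variable.
make_sample() {
    cat > "$1" <<'EOF'
$LORIODIR="/usr/local/apache/conf/modsec_rules/modsec"
echo "rules dir is: [$LORIODIR]"
EOF
}

# Lint: print "lineno:text" for assignments written with a leading '$'.
find_dollar_assignments() {
    grep -nE '^[[:space:]]*\$[A-Za-z_][A-Za-z0-9_]*=' "$1"
}

# Default shell behaviour: the bad line fails as "command not found", the
# script keeps going, and every later use sees an empty value.
run_plain() { sh "$1" 2>/dev/null; }

# With nounset (-u) the first expansion of the unset variable aborts the
# script instead, so nothing runs against an empty path.
run_nounset() { sh -u "$1" >/dev/null 2>&1; }

# Demo: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp) && make_sample "$tmp"
    sh -n "$tmp" && echo "sh -n: syntax OK (the typo is not a syntax error)"
    echo "lint:  $(find_dollar_assignments "$tmp")"
    echo "plain: $(run_plain "$tmp")"
    run_nounset "$tmp" || echo "sh -u: aborted at the unset variable"
    rm -f "$tmp"
fi
```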
     
  15. Secmas

    Thanks a lot for pointing this out, it has been fixed.

    Sergio
     
  16. 7Com

    7Com Registered

    Joined:
    Sep 9, 2003
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    151
  17. keddie

    keddie Well-Known Member

    Joined:
    Nov 17, 2007
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    56
    Hi Sergio,

    I just tried updating the free GotRoot rules with your script and got the following error:

    Apache Configuration FAILED!

    The content of domain-spam-whitelist.conf is:

    Any ideas?
     
  18. mikegotroot

    Yes, that file is not meant to be loaded with the rules; it's a dependency file loaded by the rules themselves. Instructions for installing the Atomicorp/Gotroot rules are available here:

    https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules

    Specifically, you should only tell apache to load *asl*conf files:

    Include /full/path/to/your/rules/modsecurity.d/*asl*.conf

    But read the entire article referenced above, it includes all the instructions to get your setup.
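
A pre-reload check for the point made above, as an added example (not Atomicorp's or Sergio's code): it lists the files in a rules directory that only a broad `*.conf` Include would load, and flags Include lines for that directory that do not use the `*asl*.conf` pattern. The function names and the sample file name `10_asl_rules.conf` are constructed; `domain-spam-whitelist.conf` is the file from the error reported in the thread.

```shell
#!/bin/sh
# Files in the rules directory that "Include <dir>/*.conf" would load but
# "Include <dir>/*asl*.conf" would not: dependency files read by the rules.
non_asl_conf() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            *asl*) ;;                          # rule file, meant to be included
            *) printf '%s\n' "${f##*/}" ;;     # dependency file, not for Include
        esac
    done
}

# Include lines in an Apache config file ($1) that point at the rules
# directory ($2) without the *asl*.conf pattern. Prints "lineno:text".
broad_includes() {
    grep -nE '^[[:space:]]*Include[[:space:]]' "$1" \
        | grep -F "$2/" \
        | grep -vF '*asl*.conf' || :
}

# Demo on a constructed directory and config: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    : > "$d/10_asl_rules.conf"              # constructed rule file name
    : > "$d/domain-spam-whitelist.conf"     # dependency file named in the thread
    printf 'Include %s/*.conf\n' "$d" > "$d/test-httpd.txt"
    echo "would be loaded by *.conf only:"; non_asl_conf "$d"
    echo "Include lines to fix:";           broad_includes "$d/test-httpd.txt" "$d"
    rm -rf "$d"
fi
```

Running Apache's own syntax check (`apachectl -t`) after an update and before a restart catches the same failure at load time.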
     
  19. Secmas

  20. Secmas

    Hi Keddie,
    the error is not from my script; it is from the file that comes from the gotroot free rules. As Mike is pointing out, there are files that are exclusive to work with the ASL package. It seems to me that the free rules are not the same as the paid ones, as the paid ones don't have this type of error. Anyway, I really suggest that you try to buy a paid subscription with ASL; it is really worth having, as the free rule set was made about 3 months ago and it could fail on blocking new attacks.

    Sergio
     