ModSecurity Auto Updater

Does this script download the rules daily, or does it simply install rules that I must download manually (or via cron)?

Also, as easy as it looks, it also looks somewhat complicated with creating directories, dealing with possible error messages, etc. Is it really straightforward for the most part?

 

Thanks.

Does your script run automatically each day, or does it need to be invoked?

 

i get confused a bit
first of all with cpanel default mod sec rules what i have to do uninstall mod sec?disable it?
after i have to follow this info?
https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules
?
and finally run your script ?

 

i should run first easy apache update thanks for the update
how can i see after witch version of mod sec cpanel will install ?
also on your webpage you say download the rules from gotroot probably you mean from here?the free rules
Atomicorp

 

grep "modsecurity" /usr/local/apache/logs/error_log
[Thu Dec 02 03:51:20 2010] [notice] ModSecurity for Apache/2.5.12 (http://www.mo
dsecurity.org/) configured.

so i have 2.5.12 already installed
lets say that i want to install modsec-201008191901.tar.bz2

if i fire the script to execute

Please be sure to backup any customizations that you have previously been made.

Rules will be copied at: /usr/local/apache/conf/modsec_rules
A backup directory will be created just in case you need it back.

Please give me the name of the TAR file?
"201008191901"
You didn't enter a valid GotRoot or ASL file rules
try again.
mod sec rules are on /tmp partition and the script on /usr/src on a specific folder

 

the same thing with 201008191901 is not working i think with the free rules

 

same error mate on 3 servers
exept from the rules saved on /tmp what else your script needs to run

 

Hi there -

I am getting these errors -

ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip
ModSecurity: Failed to access DBM file "/var/asl/data/msa/global

I have created the subdirectories and used chmod 700 as directed. What might be causing this issue?

Thanks.

Mike

 

finally sergio i install the rules by hand happy easter as well
on modsec2user.conf i have these rules for the moment loaded i dont have any errors
which other you will suggest exept from the follows

05_asl_exclude.conf
10_asl_antimalware.conf
10_asl_rules.conf
11_asl_data_loss.conf
20_asl_useragents.conf
30_asl_antispam.conf
50_asl_rootkits.conf
60_asl_recons.conf
99_asl_jitp.conf

 

Hi Sergio -

We are currently using the free rules. I'll buy a subscription if I like the way things work.

As stated in my previous post, I created exactly those directories as the error and you have stated. However, it is specifically throwing an error for missing files -

[Sat Apr 23 19:09:55 2011] [error] [client xx.56.1.254] ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied xxxhosting.com"] [uri "/json-api/loadavg"] [unique_id "TbNcQ0MTB9oAAE3zSyIAAAAK" ]
[Sat Apr 23 19:09:55 2011] [error] [client xx.56.1.254] ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied [hostname "whm.xxxhosting.com"] [uri "/json-api/loadavg"] [unique_id "TbNcQ0MTB9oAAE3zSyIAAAAK"]

My modsec2.user.conf file is as follows -

Code:

SecComponentSignature 201002131758
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&" 
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# USE THE FOLLOWING TWO COMMANDS ONLY IF YOU HAVE MOD_SEC 2.5.12
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 15000
 
# ConfigServer ModSecurity whitelist file remove the mark if you are using ConfigServer CMC.
# Include /usr/local/apache/conf/modsec2.whitelist.conf

#ASL Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf

Thanks.

Mike