ModSecurity Auto Updater

Discussion in 'Security' started by Secmas, Feb 13, 2010.

  1. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Messages:
    305
    Likes Received:
    2
    Trophy Points:
    68
    Does this script download the rules daily, or does it simply install rules that I must download manually (or via cron)?

    Also, as easy as it looks, it also looks somewhat complicated with creating directories, dealing with possible error messages, etc. Is it really straightforward for the most part?
     
  2. Secmas

    Secmas Well-Known Member

    Joined:
    Feb 18, 2005
    Messages:
    330
    Likes Received:
    1
    Trophy Points:
    168
    Hello Markb,
    the script is very straightforward to use if you have already installed and configured GotRoot rules to work in your server. After you have configured the server, this script will help you to update the rules that you manually downloaded.

    Sergio
     
  3. markb14391

    Thanks.

    Does your script run automatically each day, or does it need to be invoked?
     
  4. Secmas

    It has to be invoked manually as you need to enter the numeric portion of the modsec rule that you have downloaded.

    Sergio
     
  5. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    9
    Trophy Points:
    68
    Location:
    Athens Greece
  6. Secmas

    Hello k-planethost,
    1. Don't uninstall mod sec nor disable it, leave it as it is. Just update it using easyapache in WHM.
    2. If you are using my autoupdater, just follow the instructions in my web page, that's it.

    Best Regards,

    Sergio
     
  7. k-planethost

    i should run first easy apache update, thanks for the update
    how can i see after which version of mod sec cpanel will install?
    also on your webpage you say download the rules from gotroot, probably you mean from here? the free rules
    Atomicorp
     
  8. Secmas

    You can check in EasyApache what version of Mod_Security you will install, that is the best place to check what is the last version CPanel has.

    GotRoot and AtomiCorp are the same company, so, that link is ok.

    Regards,

    Sergio
     
  9. k-planethost

    grep "modsecurity" /usr/local/apache/logs/error_log
    [Thu Dec 02 03:51:20 2010] [notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.

    so i have 2.5.12 already installed
    lets say that i want to install modsec-201008191901.tar.bz2

    if i fire the script to execute

    Please be sure to backup any customizations that you have previously been made.

    Rules will be copied at: /usr/local/apache/conf/modsec_rules
    A backup directory will be created just in case you need it back.

    Please give me the name of the TAR file?
    "201008191901"
    You didn't enter a valid GotRoot or ASL file rules
    try again.
    mod sec rules are on /tmp partition and the script on /usr/src on a specific folder
     
  10. Secmas

    You don't need to write double quotes, only the version number. I mean, just write: 201008191901

    Regards,

    Sergio
     
  11. k-planethost

    the same thing with 201008191901 is not working i think with the free rules
     
  12. Secmas

  13. k-planethost

    same error mate on 3 servers
    except for the rules saved on /tmp, what else does your script need to run?
     
  14. Secmas

    From my site:

    "Here is an automatic modsec rules auto updater, is easy to use, and you have to follow just a few guidelines to use it. It is free to use and we don't assume any responsibility in the use of the script, use it at your own risk.

    How to use it:

    1. Download GotRoot rules from Welcome : Got Root and save it in your /tmp file.
    2. Save the script in its own folder and make the script executable (chmod u+x)
    3. At running time the script will ask you for the file version, nothing else, then it will do everything automatically for you.
    4. So, for example, if the rule file is called modsec-201001121214.tar.gz, you will have to write "201001121214".
    The script will test Apache to check everything was fine, if it is, you could restart apache from there or do it later manually.
    5. The script will save a backup with your actual rules before it does the update, if Apache gives any error, you can manually restore everything on its place.
    6. Read any text inside the file for any last minute config or update."

    On the other hand, you have to create the following directories:

    - /var/asl/data/suspicious
    - /var/asl/data/msa
    - /var/asl/data/audit

    they are not needed in WHM, but GotRoot uses them for their rules, so, you need to create them in order for the rules to work, set chmod to 770 on all of them. The creation of the directories has to be done in the process of installing for the first time GotRoot rules and remember that my script is not an installer, it is a script to update the rules that had been previously installed.

    Happy Easter,

    Sergio
     
  15. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    306
    Likes Received:
    1
    Trophy Points:
    316
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    Hi there -

    I am getting these errors -

    ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip
    ModSecurity: Failed to access DBM file "/var/asl/data/msa/global

    I have created the subdirectories and used chmod 700 as directed. What might be causing this issue?

    Thanks.

    Mike
     
  16. Secmas

    Hello Mike,
    What rules are you using, the free rules or the paid ones?
    Have you created the subdirectory paths that the error said?
    How is your Modsec2.user.conf file written?

    Sergio
     
    #96 Secmas, Apr 23, 2011
    Last edited: Apr 23, 2011
  17. k-planethost

    finally sergio i install the rules by hand happy easter as well
    on modsec2user.conf i have these rules for the moment loaded i dont have any errors
    which others would you suggest, except for the following

    05_asl_exclude.conf
    10_asl_antimalware.conf
    10_asl_rules.conf
    11_asl_data_loss.conf
    20_asl_useragents.conf
    30_asl_antispam.conf
    50_asl_rootkits.conf
    60_asl_recons.conf
    99_asl_jitp.conf
     
  18. Secmas

    This is the list of the rules that I use:
    00_asl_0_global.conf
    00_asl_whitelist.conf
    05_asl_exclude.conf
    10_asl_antimalware.conf
    10_asl_antimalware_output.conf
    10_asl_rules.conf
    11_asl_adv_rules.conf
    20_asl_useragents.conf
    30_asl_antimalware.conf
    30_asl_antispam.conf
    30_asl_antispam_referrer.conf
    40_asl_apache2-rules.conf
    50_asl_rootkits.conf
    60_asl_recons.conf
    61_asl_recons_dlp.conf
    98_asl_jitp.conf
    99_asl_exclude.conf
    99_asl_jitp.conf
    99_asl_redactor.conf
    99_asl_redactor_post.conf

    Among my own set of rules.

    Sergio
     
  19. lbeachmike

    Hi Sergio -

    We are currently using the free rules. I'll buy a subscription if I like the way things work.

    As stated in my previous post, I created exactly those directories as the error and you have stated. However, it is specifically throwing an error for missing files -

    [Sat Apr 23 19:09:55 2011] [error] [client xx.56.1.254] ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied xxxhosting.com"] [uri "/json-api/loadavg"] [unique_id "TbNcQ0MTB9oAAE3zSyIAAAAK" ]
    [Sat Apr 23 19:09:55 2011] [error] [client xx.56.1.254] ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied [hostname "whm.xxxhosting.com"] [uri "/json-api/loadavg"] [unique_id "TbNcQ0MTB9oAAE3zSyIAAAAK"]

    My modsec2.user.conf file is as follows -

    Code:
    SecComponentSignature 201002131758
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 2621440
    SecServerSignature Apache
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&" 
    SecCookieFormat 0
    SecRequestBodyInMemoryLimit 131072
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial
    
    # USE THE FOLLOWING TWO COMMANDS ONLY IF YOU HAVE MOD_SEC 2.5.12
    SecPcreMatchLimit 150000
    SecPcreMatchLimitRecursion 15000
     
    # ConfigServer ModSecurity whitelist file remove the mark if you are using ConfigServer CMC.
    # Include /usr/local/apache/conf/modsec2.whitelist.conf
    
    #ASL Rules
    Include /usr/local/apache/conf/modsec_rules/*asl*.conf
    Thanks.

    Mike
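
Added example (not part of the thread, and not Sergio's updater script): a "Permission denied" on a DBM file under `SecDataDir` means the process handling the request could not open files in that directory. The script below reads a `modsec2.user.conf`, extracts the three directories the config above points at, and checks each for existence, the 770 mode given earlier in the thread, and ownership or group membership of the web server user. `WEB_USER=nobody`, GNU `stat` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the directories that a ModSecurity
# config hands to SecDataDir, SecUploadDir and SecAuditLogStorageDir.
# Assumptions: GNU stat (Linux); Apache workers run as WEB_USER.
WEB_USER="${WEB_USER:-nobody}"

# Print the directory argument of each of the three directives (comments skipped).
modsec_dirs() {
    awk '$1 ~ /^(SecDataDir|SecUploadDir|SecAuditLogStorageDir)$/ { print $2 }' "$1"
}

# check_dir DIR WEB_UID "WEB_GIDS": print MISSING, BAD_MODE(n), NOT_WRITABLE or OK.
check_dir() {
    dir=$1; w_uid=$2; w_gids=$3
    if [ ! -d "$dir" ]; then echo "MISSING"; return 1; fi
    mode=$(stat -c '%a' "$dir")
    d_uid=$(stat -c '%u' "$dir")
    d_gid=$(stat -c '%g' "$dir")
    # The thread asks for mode 770: owner and group may write, others may not.
    if [ "$mode" != "770" ]; then echo "BAD_MODE($mode)"; return 1; fi
    # With 770 the web server user must own the directory or be in its group.
    if [ "$d_uid" = "$w_uid" ]; then echo "OK"; return 0; fi
    for g in $w_gids; do
        if [ "$g" = "$d_gid" ]; then echo "OK"; return 0; fi
    done
    echo "NOT_WRITABLE"; return 1
}

# audit_conf CONF WEB_UID "WEB_GIDS": one "path<TAB>verdict" line per directory;
# returns non-zero if any directory fails. Paths containing spaces are not handled.
audit_conf() {
    rc=0
    for d in $(modsec_dirs "$1"); do
        verdict=$(check_dir "$d" "$2" "$3") || rc=1
        printf '%s\t%s\n' "$d" "$verdict"
    done
    return "$rc"
}

# Usage: sh audit_modsec_dirs.sh /usr/local/apache/conf/modsec2.user.conf
if [ "$#" -gt 0 ]; then
    audit_conf "$1" "$(id -u "$WEB_USER")" "$(id -G "$WEB_USER")"
fi
```
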
     
  20. Secmas

    Mike,
    what is the name of the file that you have downloaded? Where did you download that file?

    Sergio
     