ModSecurity Auto Updater

[markb14391]

Does this script download the rules daily, or does it simply install rules that I must download manually (or via cron)?

Also, as easy as it looks, it also looks somewhat complicated with creating directories, dealing with possible error messages, etc. Is it really straightforward for the most part?

 

[Secmas]

Does this script download the rules daily, or does it simply install rules that I must download manually (or via cron)?

Also, as easy as it looks, it also looks somewhat complicated with creating directories, dealing with possible error messages, etc. Is it really straightforward for the most part?

Hello Markb,
the script is very straightforward to use if you have already installed and configured GotRoot rules to work in your server. After you have configured the server, this script will help you to update the rules that you manually downloaded.

Sergio

 

[markb14391]

Thanks.

Does your script run automatically each day, or does it need to be invoked?

 

[Secmas]

Thanks.

Does your script run automatically each day, or does it need to be invoked?

It has to be invoked manually as you need to enter the numeric portion of the modsec rule that you have downloaded.

Sergio

 

[k-planethost]

i get confused a bit
first of all with cpanel default mod sec rules what i have to do uninstall mod sec?disable it?
after i have to follow this info?
https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules
?
and finally run your script ?

 

[Secmas]

i get confused a bit
first of all with cpanel default mod sec rules what i have to do uninstall mod sec?disable it?
after i have to follow this info?
https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules
?
and finally run your script ?

Hello k-planethost,
1. Don't uninstall mod sec nor disable it, leave it as it is. Just update it using easyapache in WHM.
2. If you are using my autoupdater, just follow the instructions in my web page, that's it.

Best Regards,

Sergio

 

[k-planethost]

i should run first easy apache update thanks for the update
how can i see after witch version of mod sec cpanel will install ?
also on your webpage you say download the rules from gotroot probably you mean from here?the free rules
Atomicorp

 

[Secmas]

i should run first easy apache update thanks for the update
how can i see after witch version of mod sec cpanel will install ?
also on your webpage you say download the rules from gotroot probably you mean from here?the free rules
Atomicorp

You can check in EasyApache what version of Mod_Security you will install, that is the best place to check what is the last version CPanel has.

GotRoot and AtomiCorp are the same company, so, that link is ok.

Regards,

Sergio

 

[k-planethost]

grep "modsecurity" /usr/local/apache/logs/error_log
[Thu Dec 02 03:51:20 2010] [notice] ModSecurity for Apache/2.5.12 (http://www.mo
dsecurity.org/) configured.

so i have 2.5.12 already installed
lets say that i want to install modsec-201008191901.tar.bz2

if i fire the script to execute

Please be sure to backup any customizations that you have previously been made.

Rules will be copied at: /usr/local/apache/conf/modsec_rules
A backup directory will be created just in case you need it back.

Please give me the name of the TAR file?
"201008191901"
You didn't enter a valid GotRoot or ASL file rules
try again.
mod sec rules are on /tmp partition and the script on /usr/src on a specific folder

 

[Secmas]

grep "modsecurity" /usr/local/apache/logs/error_log
[Thu Dec 02 03:51:20 2010] [notice] ModSecurity for Apache/2.5.12 (http://www.mo
dsecurity.org/) configured.

so i have 2.5.12 already installed
lets say that i want to install modsec-201008191901.tar.bz2

if i fire the script to execute

Please be sure to backup any customizations that you have previously been made.

Rules will be copied at: /usr/local/apache/conf/modsec_rules
A backup directory will be created just in case you need it back.

Please give me the name of the TAR file?
"201008191901"
You didn't enter a valid GotRoot or ASL file rules
try again.
mod sec rules are on /tmp partition and the script on /usr/src on a specific folder

You don't need write double quotes, only the version number, I mean, just write: 201008191901

Regards,

Sergio

 

[k-planethost]

the same thing with 201008191901 is not working i think with the free rules

 

[Secmas]

the same thing with 201008191901 is not working i think with the free rules

Download the following rules:
http://updates.atomicorp.com/channels/rules/delayed/modsec-201101180757.tar.gz

Why are you downloading rules from 2010 when there are rules from 2011?

Regards,

Sergio

PS: Use the following address to download the free rules:
http://updates.atomicorp.com/channels/rules/delayed/

 

[k-planethost]

same error mate on 3 servers
exept from the rules saved on /tmp what else your script needs to run

 

[Secmas]

same error mate on 3 servers
exept from the rules saved on /tmp what else your script needs to run

From my site:

"Here is an automatic modsec rules auto updater, is easy to use, and you have to follow just a few guidelines to use it. It is free to use and we don't assume any responsibility in the use of the script, use it at your own risk.

How to use it:

1. Download GotRoot rules from Welcome : Got Root and save it in your /tmp file.
2. Save the script in its own folder and make the script executable (chmod u+x)
3. At running time the script will ask you for the file version, nothing else, then it will do everything automatically for you.
4. So, for example, if the rule file is called modsec-201001121214.tar.gz, you will have to write "201001121214".
The script will test Apache to check everything was fine, if it is, you could restart apache from there or do it later manually.
5. The script will save a backup with your actual rules before it does the update, if Apache gives any error, you can manually restore everything on its place.
6. Read any text inside the file for any last minute config or update."

On the other hand, you have to create the following directories:

- /var/asl/data/suspicious
- /var/asl/data/msa
- /var/asl/data/audit

they are not needed in WHM, but GotRoot uses them for their rules, so, you need to create them in order for the rules to work, set chmod to 770 on all of them. The creation of the directories has to be done in the process of installing for the first time GotRoot rules and remember that my script is not an installer, it is an script to update the rules that had been previously installed.

Happy Estear,

Sergio

 

[lbeachmike]

Hi there -

I am getting these errors -

ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip
ModSecurity: Failed to access DBM file "/var/asl/data/msa/global

I have created the subdirectories and used chmod 700 as directed. What might be causing this issue?

Thanks.

Mike

 

[Secmas]

Hi there -

I am getting these errors -

ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip
ModSecurity: Failed to access DBM file "/var/asl/data/msa/global

I have created the subdirectories and used chmod 700 as directed. What might be causing this issue?

Thanks.

Mike

Hello Mike,
What rules are you using, the free rules or the payed ones?
Have you created the subdirectories paths that the error said?
How is you Modsec2.user.conf file written?

Sergio

 

[k-planethost]

finally sergio i install the rules by hand happy easter as well
on modsec2user.conf i have these rules for the moment loaded i dont have any errors
which other you will suggest exept from the follows

05_asl_exclude.conf
10_asl_antimalware.conf
10_asl_rules.conf
11_asl_data_loss.conf
20_asl_useragents.conf
30_asl_antispam.conf
50_asl_rootkits.conf
60_asl_recons.conf
99_asl_jitp.conf

 

[Secmas]

finally sergio i install the rules by hand happy easter as well
on modsec2user.conf i have these rules for the moment loaded i dont have any errors
which other you will suggest exept from the follows

05_asl_exclude.conf
10_asl_antimalware.conf
10_asl_rules.conf
11_asl_data_loss.conf
20_asl_useragents.conf
30_asl_antispam.conf
50_asl_rootkits.conf
60_asl_recons.conf
99_asl_jitp.conf

This is the list of the rules that I use:
00_asl_0_global.conf
00_asl_whitelist.conf
05_asl_exclude.conf
10_asl_antimalware.conf
10_asl_antimalware_output.conf
10_asl_rules.conf
11_asl_adv_rules.conf
20_asl_useragents.conf
30_asl_antimalware.conf
30_asl_antispam.conf
30_asl_antispam_referrer.conf
40_asl_apache2-rules.conf
50_asl_rootkits.conf
60_asl_recons.conf
61_asl_recons_dlp.conf
98_asl_jitp.conf
99_asl_exclude.conf
99_asl_jitp.conf
99_asl_redactor.conf
99_asl_redactor_post.conf

Among my own set of rules.

Sergio

 

[lbeachmike]

Hello Mike,
What rules are you using, the free rules or the payed ones?
Have you created the subdirectories paths that the error said?
How is you Modsec2.user.conf file written?

Sergio

Hi Sergio -

We are currently using the free rules. I'll buy a subscription if I like the way things work.

As stated in my previous post, I created exactly those directories as the error and you have stated. However, it is specifically throwing an error for missing files -

[Sat Apr 23 19:09:55 2011] [error] [client xx.56.1.254] ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied xxxhosting.com"] [uri "/json-api/loadavg"] [unique_id "TbNcQ0MTB9oAAE3zSyIAAAAK" ]
[Sat Apr 23 19:09:55 2011] [error] [client xx.56.1.254] ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied [hostname "whm.xxxhosting.com"] [uri "/json-api/loadavg"] [unique_id "TbNcQ0MTB9oAAE3zSyIAAAAK"]

My modsec2.user.conf file is as follows -

SecComponentSignature 201002131758
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&" 
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# USE THE FOLLOWING TWO COMMANDS ONLY IF YOU HAVE MOD_SEC 2.5.12
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 15000
 
# ConfigServer ModSecurity whitelist file remove the mark if you are using ConfigServer CMC.
# Include /usr/local/apache/conf/modsec2.whitelist.conf

#ASL Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf

Thanks.

Mike

 

[Secmas]

Hi Sergio -

We are currently using the free rules. I'll buy a subscription if I like the way things work.

As stated in my previous post, I created exactly those directories as the error and you have stated. However, it is specifically throwing an error for missing files -

[Sat Apr 23 19:09:55 2011] [error] [client xx.56.1.254] ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied xxxhosting.com"] [uri "/json-api/loadavg"] [unique_id "TbNcQ0MTB9oAAE3zSyIAAAAK" ]
[Sat Apr 23 19:09:55 2011] [error] [client xx.56.1.254] ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied [hostname "whm.xxxhosting.com"] [uri "/json-api/loadavg"] [unique_id "TbNcQ0MTB9oAAE3zSyIAAAAK"]

My modsec2.user.conf file is as follows -

SecComponentSignature 201002131758
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&" 
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# USE THE FOLLOWING TWO COMMANDS ONLY IF YOU HAVE MOD_SEC 2.5.12
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 15000
 
# ConfigServer ModSecurity whitelist file remove the mark if you are using ConfigServer CMC.
# Include /usr/local/apache/conf/modsec2.whitelist.conf

#ASL Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf

Thanks.

Mike

Mike,
what is the name of the file that you have downloaded? Where did you download that file?

Sergio