ModSecurity Auto Updater

Secmas

Well-Known Member
Feb 18, 2005
378
20
168
MODSECURITY UPDATER, UPDATE:
The updater has been modified in order to delete the file called 99_asl_scanner.conf as it is giving a lot of errors with:
Code:
Exec: Execution failed while reading output: /usr/bin/modsec-clamscan.pl
If your server is showing a list of these errors, you should add the following line to your UPDATERULES.SH:
Code:
##########
# IF YOU DON'T LIKE THE FOLLOWING RULES IN YOUR SERVER, MAKE THEM ACTIVE:
##########
# rm -f 00_asl_rbl.conf
# rm -f 05_asl_scanner.conf
# rm -f 11_asl_data_loss.conf
# rm -f 99_asl_scanner.conf
##########
Files 99_asl_scanner.conf and 05_asl_scanner.conf are the same file as of 07/03/2011, so it is recommended to delete both files to get rid of the error.

A new UPDATERULE.SH has been set in my site.

Sergio
 

Secmas

ADDENDUM to above post:

The error reported is generated only on the paid rules; if you are using the free rules this error will not show up.

Sergio
 

Secmas

thanks for the update and the pm
something else
i see on the install webpage that clamav can be used as well
is this for the paid version as well?
There is no rule that uses clamav directly, paid or not; clamav is used in other types of hardening that could use modsecurity.

Config server has a really nice script called CXS that uses CLAMAV, check this page ConfigServer eXploit Scanner (cxs)
I really recommend that you install this in your server if you don't have it.

Sergio
 

Secmas

NEW UPDATE
The last set of paid rules includes a new file called:
11_asl_adv_rules.conf
that can knock your server httpd down; it is advised to delete the file in CPanel servers. My autoupdater has a new line that shows:
Code:
##########
# IF YOU DON'T LIKE THE FOLLOWING RULES IN YOUR SERVER, MAKE THEM ACTIVE:
##########
# rm -f 00_asl_rbl.conf
# rm -f 05_asl_scanner.conf
# rm -f 11_asl_data_loss.conf
# rm -f 11_asl_adv_rules.conf
# rm -f 99_asl_scanner.conf
##########
This is only for the paid version.

Sergio
Please rate this thread.
 

Secmas

(This change is no longer needed if you already have ModSec 2.6.0 running in your server)

NEW UPDATE - URGENT (08/11/2011)
ASL paid rules set new rules for ModSecurity 2.6.1 that don't work with CPanel old ModSec 2.5.13; if you install this new set, chances are that HTTPD will not work after restart.

My AutoUpdater has been modified to include the following lines:
Code:
##########
# CHANGES NEEDED IF YOU DON'T HAVE VER. 2.6.1
# MODIFY RULES THAT ARE FOR 2.6.1 TO WORK IN 2.5.13
##########
# sed -i 's/REQBODY_ERROR/REQBODY_PROCESSOR_ERROR/g' 09_asl_rules.conf
##########

Download the latest file ver 1.06 and make active the sed line only if you have the paid rules. If you use the free rules you don't need this for now and with a little luck CPanel will have the latest modsecurity 2.6.X in less than a month (crossing fingers) and you will not need to use this line.

Regards,

Sergio
 

Secmas

Today cPanelDon announced that EasyApache 3.5.2 has been released and with it the ModSecurity 2.6.0 has arrived.

In order to set ModSec 2.6.0 in your server, you need to run EasyApache, but before you do this, remember to set the file 09_asl_rules.conf as it came, I mean, if you have changed REQBODY_ERROR for REQBODY_PROCESSOR_ERROR, revert the change.

Sergio
 

Secmas

what about the free latest rules if i run easy apache update should be work with ModSecurity 2.6.0
I don't think this will be an issue as I have already changed to 2.6.0 and all the OLD rules are working great and the only rule for 2.6.x has not been deployed to the free rules.

If you want to be 100% sure, it will be better to ask this directly to ASL.

Sergio
 

mikegotroot

Well-Known Member
Verified Vendor
Apr 29, 2008
85
1
58
The rules work fine with 2.5.13. We forked all the new features that require 2.6.x into new rule files for the small minority of cPanel users that are not using Atomic Secured Linux (ASL). If you look at the wiki, it will tell you which rulesets require a minimum version of modsecurity (the advanced rules for example require 2.6.1).

For those cPanel users running ASL, you're already running modsecurity 2.6.1 which ASL automatically upgraded for you, and you already have all the 2.6.1 features enabled, which protect against new attacks that 2.5.13 does not.

For everyone else, you are strongly encouraged to upgrade to modsecurity 2.6.1. (cPanel users with ASL have had modsecurity 2.6.1 for weeks already.)

However, if you just want to do things the DIY way and run an older version of modsecurity (or are forced to do so), then please check the wiki for any version restrictions on modsecurity rules; each rule family, if it's restricted to a minimum version of modsecurity, will include a note to that effect:

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules

Then manually configure the rule files your version of modsecurity supports. The default recommended configuration for DIY users works fine with 2.5.13 and does not include any rulesets for 2.6.x. If you are running 2.6.1 and up, you will want to enable those advanced rulesets.

Or, if you are running ASL for cPanel, this is automatic and you don't need to do anything. You are already running the latest modsecurity (2.6.1), and all 2.6.1 features are enabled automatically. Anytime an update for modsecurity is available, ASL will upgrade your system for you.

Again, the rules work fine with 2.5.13, and any 2.6.x rules and new security features that require 2.6.1 are included in their own rule files, this is true for the real time and delayed rules.
 

Secmas

ERRATA
Thank you Michael for writing about the different rules.

As of today, rule 09_asl_rules.conf has changed and is not including the rule that my AutoUpdater v.1.07 did fix.

So, as I can't edit the above post anymore, I am writing this to let you know that post #127 is no longer needed, please disregard it.

On the other hand, as Mike requested, I encourage all of you that are subscribed to this thread to read the following URL:
https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#What_does_each_rule_family_do.3F
in order to have an up to date document about the rules and use them accordingly to the version of ModSecurity that you are using.

I know that a lot of readers are still using the free rules and my autoupdater is used to update that set of rules. If you are one of them, my new AutoUpdater ver. 1.07 has a nice feature to revert any changes made if the rules that you are updating contain rules that don't work with your actual ModSecurity. If you see this happen, try to update your ModSecurity so this will not happen again.

Regards,

Sergio
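
An added example, not part of Sergio's post and not his AutoUpdater: one way to get the revert-on-failure behaviour described above is to back up the working rule files, install the new set, run Apache's config test, and restore the backup if the test fails. The directory paths, the `DROP_FILES` list and the `apachectl configtest` command are assumptions.

```sh
#!/bin/sh
# Added example, not the thread's UPDATERULES.SH. Paths, DROP_FILES and the
# config-test command are assumptions; adjust them to your server.

# Rule files the thread suggests deleting when they cause errors.
DROP_FILES="${DROP_FILES:-05_asl_scanner.conf 99_asl_scanner.conf 11_asl_adv_rules.conf}"

# apply_rules_update LIVE_DIR NEW_DIR CONFIG_TEST
#   returns 0 = new rules installed, 1 = config test failed and the old
#   rules were restored, 2 = could not stage the update
apply_rules_update() {
    live=${1%/}; new=${2%/}; config_test=$3
    backup="$live.bak.$$"

    # Keep a copy of the working rules before touching anything.
    cp -Rp "$live" "$backup" || return 2

    # Swap in the downloaded rule files.
    rm -f "$live"/*.conf
    if ! cp "$new"/*.conf "$live"/; then
        rm -rf "$live"; mv "$backup" "$live"
        return 2
    fi

    # Remove the optional files before Apache ever parses them.
    for f in $DROP_FILES; do
        rm -f "$live/$f"
    done

    # Only keep the new set if Apache accepts the whole configuration.
    if sh -c "$config_test" >/dev/null 2>&1; then
        rm -rf "$backup"
        return 0
    fi

    # Config test failed: put the previous rules back, leave httpd alone.
    rm -rf "$live"
    mv "$backup" "$live"
    return 1
}

# Example call (paths are placeholders):
#   apply_rules_update /path/to/modsec_rules /path/to/new_rules 'apachectl configtest'
if [ "$#" -eq 3 ]; then
    apply_rules_update "$@"
fi
```

Restart httpd only when the function returns 0; on a return of 1 the running server keeps the rules it already had.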
 

mikegotroot

I know that a lot of readers are still using the free rules and my autoupdater is used to update that set of rules. If you are one of them, my new AutoUpdater ver. 1.07 has a nice feature to revert any changes made if the rules that you are updating contain rules that don't work with your actual ModSecurity. If you see this happen, try to update your ModSecurity so this will not happen again.
Both asl-lite and ASL do this automatically. They will also automatically keep modsecurity up to date for you.
 

lbeachmike

Well-Known Member
Dec 27, 2001
307
4
318
Long Beach, NY
cPanel Access Level
Root Administrator
Of course, we can see exactly what platforms download, install and update each. The rules only feed is a small fraction of our cpanel users.
Of course - I am not saying that there may not be lots of cpanel users using ASL, but from what I see in the various forums, it looks as if there are many more users of CSF than of ASL.

To make the statement, you would need to know the percentage of cpanel servers that are also using ASL.

I do not believe that the *vast majority* (which would be opposite of the small minority) of cpanel servers are using ASL at this time.

It is worth noting that I am expressing no preference here between one or the other because I still have not yet tried ASL; however, I am looking forward to doing so.

Thanks.

mrk
 

mikegotroot

I think you may have misunderstood what was being discussed and what I said. Here's what is being discussed. Here's what Sergio said:

ASL paid rules set new rules for ModSecurity 2.6.1 that don't work with CPanel old ModSec 2.5.13; if you install this new set, chances are that HTTPD will not work after restart.
And here is my reply:

The rules work fine with 2.5.13. We forked all the new features that require 2.6.x into new rule files for the small minority of cPanel users that are not using Atomic Secured Linux (ASL).
We are discussing the real time rules and cpanel users, and everyone using both falls into one of two categories:

1. Running ASL (which includes the real time rules)

or

2. Just running the real time rules

Of those users the vast majority of them are running ASL.

And since this issue concerns just those users with access to the real time rules, and no one else, it's important to let them know who is and is not affected by this. This issue does not affect users running ASL, which again is the majority. ASL automatically upgrades modsecurity on cpanel when new rule classes require it.

If you are in the minority (not running ASL and running the real time rules), as you follow the instructions on the wiki you won't run into the issue Sergio mentioned, because the wiki provides guidance about which rule sets require a higher version of modsecurity. The down side is that you won't be protected by these new features, so upgrade to 2.6.1 (or use ASL).

If you are not using our real time rules, this discussion doesn't concern you. Delayed rules users don't have access to the new rule classes that require 2.6.x. They can upgrade if you want, but as they don't have access to these new rules it's moot anyway.

And what any of this has to do with CSF I have no idea, so I'm not even sure why you mentioned it. :-p

So I think you may have misunderstood what we are discussing and what I said, and I hope this helps you to understand both. :)
 

caisc

Well-Known Member
Oct 5, 2011
73
3
58
India
cPanel Access Level
Root Administrator
How to install Mod Security rules for the first time

Hello,

I have installed mod_security via easyapache

I followed steps mentioned here at - http://www*puntapirata*com/How-to-Insta ... -Rules.php
to install mod-security rules.


After all the above steps, when I restarted Apache it showed the following errors -

Code:
Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.

If apache restart reported success but it failed soon after, it may be caused by oddities with mod_ssl.

You  should run /usr/local/cpanel/scripts/ssl_crt_status as part of your  troubleshooting process. Pass it --help for more details.

Also be sure to examine apache's various log files.
Apache Restart Output:

Log:
[Tue  Oct 04 01:06:06 2011] [error] [client 123.201.122.83] File does not  exist: /home/acallin/public_html/loading2.gif, referer:  http://www*xxxxxxxxx*in/heading.html
[Tue Oct 04 01:06:06 2011]  [error] [client 123.201.122.83] File does not exist:  /home/acallin/public_html/404.shtml, referer:  http://www*xxxxxxxxx*in/heading.html
[Tue Oct 04 01:06:08 2011]  [error] [client 123.201.122.83] File does not exist:  /home/acallin/public_html/css/images, referer:  http://www*xxxxxxxxx*in/css/style.css
[Tue Oct 04 01:06:08 2011]  [error] [client 123.201.122.83] File does not exist:  /home/acallin/public_html/404.shtml, referer:  http://www*xxxxxxxxx*in/css/style.css
[Tue Oct 04 01:06:10 2011]  [alert] [client 220.181.51.121]  /home/webnivar/public_html/social/.htaccess: Invalid command  '69.84.207.147', perhaps misspelled or defined by a module not included  in the server configuration
[Tue Oct 04 01:06:10 2011] [alert]  [client 220.181.51.121] /home/webnivar/public_html/social/.htaccess:  Invalid command '69.84.207.147', perhaps misspelled or defined by a  module not included in the server configuration
[Tue Oct 04 01:06:10  2011] [error] [client 123.201.122.83] File does not exist:  /home/acallin/public_html/live/T-files/images/body-bg1.gif, referer:  http://www*xxxxxxxxx*in/live/T-files/style.css
[Tue Oct 04 01:06:10  2011] [error] [client 123.201.122.83] File does not exist:  /home/acallin/public_html/404.shtml, referer:  http://www*xxxxxxxxx*in/live/T-files/style.css
[Tue Oct 04 01:06:10  2011] [error] [client 123.201.122.83] File does not exist:  /home/acallin/public_html/live/T-files/images/body-bg.gif, referer:  http://www*xxxxxxxxx*in/live/T-files/style.css
[Tue Oct 04 01:06:10  2011] [error] [client 123.201.122.83] File does not exist:  /home/acallin/public_html/404.shtml, referer:  http://www*xxxxxxxxx*in/live/T-files/style.css
[Tue Oct 04 01:06:16 2011] [notice] caught SIGTERM, shutting down

How to fix this, and continue. Also I know that after successful installation I will get several false positives; if there is any HOW To guide to deal with them plz mention its link.

Thanks
 

Secmas

Re: How to install Mod Security rules for the first time

Well, the errors that are showing up are not from ModSecurity installation, it seems that your server had some issues before the modsecurity installation and now that you have restarted apache, the server is showing you what needs to be fixed.

The errors with MOD_SSL are because you don't have a certificate configured for your server; you will need to generate one or ask your data center to help you with this. Certificates or mod_ssl don't have much to do with mod_security.

To check what SSL could be failing, do the following:
- enter in your WHM, then Service Configuration >> Manage Service SSL Certificates
In there you will see 4 certificates that need to be running; if you find one or more expired, ask your data center to help you.

Regards,

Sergio
 