ModSecurity Auto Updater

caisc

Re: How to install Mod Security rules for the first time

Well, the errors that are showing up are not from the ModSecurity installation; it seems that your server had some issues before the ModSecurity installation, and now that you have restarted Apache, the server is showing you what needs to be fixed.

The errors with MOD_SSL are because you don't have a certificate configured for your server; you will need to generate one or ask your data center to help you with this. Certificates or mod_ssl don't have much to do with mod_security.

To check which SSL could be failing, do the following:
- enter your WHM, then Service Configuration >> Manage Service SSL Certificates
in there you will see 4 certificates that need to be running; if you find one or more expired, ask your data center to help you.

Regards,

Sergio

Sergio,

What I want to confirm here is: can we keep both the newly installed rules and the default rules offered by cPanel?

In my case I installed the new rules as indicated on your website puntapirata and also kept the default rules offered by cPanel, then restarted Apache... Can this be the reason for the error message I am getting?


Also: To check which SSL could be failing, do the following:
- enter your WHM, then Service Configuration >> Manage Service SSL Certificates
in there you will see 4 certificates that need to be running


All 4 SSL certificates are self-signed and are highlighted in green; I guess that indicates they are not expired. They say -

Not Before:Aug 7 11:38:17 2011 GMT
Not After:Aug 6 11:38:17 2012 GMT


Is it OK?

Thanks
 

Secmas


Sergio,

What I want to confirm here is: can we keep both the newly installed rules and the default rules offered by cPanel?
No, you don't need the default cPanel rules. GotRoot has new and better rules than the default ones, so the default rules are not needed any more.

In my case I installed the new rules as indicated on your website puntapirata and also kept the default rules offered by cPanel, then restarted Apache... Can this be the reason for the error message I am getting?
I don't think so, as errors from ModSecurity tell you exactly what rule caused the error, and the errors that you are showing are not from ModSecurity. The error clearly states "it may be caused by oddities with mod_ssl".

Also: To check which SSL could be failing, do the following:
- enter your WHM, then Service Configuration >> Manage Service SSL Certificates
in there you will see 4 certificates that need to be running

All 4 SSL certificates are self-signed and are highlighted in green; I guess that indicates they are not expired.
That is good, so these certificates are working. But do you have any other SSL certificates installed on your server?

On the other hand, have you run "/usr/local/cpanel/scripts/ssl_crt_status" to see what it shows?

Sergio
 

caisc


That is good, so these certificates are working. But do you have any other SSL certificates installed on your server?
On the other hand, have you run "/usr/local/cpanel/scripts/ssl_crt_status" to see what it shows?
Sergio

Sergio,

Currently we have no other SSL certificates installed on the server apart from those mentioned above.
I executed the command in PuTTY - /usr/local/cpanel/scripts/ssl_crt_status - but it gave no output.

Code:
[email protected] [~]# /usr/local/cpanel/scripts/ssl_crt_status
[email protected] [~]#
Also the error message says something about the PID -
Code:
Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.
What is that about?

Thanks
 

Secmas


Sergio,

Currently we have no other SSL certificates installed on the server apart from those mentioned above.
I executed the command in PuTTY - /usr/local/cpanel/scripts/ssl_crt_status - but it gave no output.

Code:
[email protected] [~]# /usr/local/cpanel/scripts/ssl_crt_status
[email protected] [~]#
Also the error message says something about the PID -
Code:
Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.
What is that about?

Thanks

What command have you used to start Apache?

Use the following command: apachectl -k restart
and check the error log using: tail -f /usr/local/apache/logs/error_log
that will help to check what is causing this.

On the other hand, have you tried to contact Cpanel Support? I will suggest that you open a ticket with CPanel, so they can check your server and fix the error. Check this other post: http://forums.cpanel.net/f5/easyapa...te-now-get-errors-trying-recompile-98717.html

Sergio
 

Secmas

NOTE on new ASL Rule:
The paid rules have set up a new rule called 00_asl_zz_strict.conf that, it seems, is not for ModSec 2.6.0; unfortunately the ASL Wiki is not updated and there is no info about this 00_asl_zz_strict.conf file.

But until that info comes out, it is best not to use these rules until 2.6.2 for cPanel comes out.

Regards,

Sergio
 

Secmas

FINALLY Mod_Security VER. 2.6.2 is here!
Upgrade Apache using EasyApache and you will get the new ModSecurity 2.6.2.

Sergio
 

lbeachmike

Hi there -

As was reported by at least one other person earlier in this thread, I am receiving the following errors -

ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied
ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied

In both cases, the msa directory is indeed chmod 770 as prescribed, and the ip and global files are both chmod 770.

Here is what my msa directory looks like -

Code:
[email protected] [/var/asl/data/msa]# ls -l
total 8
drwxrwx--- 2 nobody nobody 4096 Apr 24  2011 ./
drwxrwx--- 5 root   root   4096 Apr 23  2011 ../
-rwxrwx--- 1 root   root      0 Apr 23  2011 global*
-rwxrwx--- 1 root   root      0 Apr 24  2011 global.dir*
-rwxrwx--- 1 root   root      0 Apr 24  2011 global.pag*
-rwxrwx--- 1 root   root      0 Apr 23  2011 ip*
-rwxrwx--- 1 root   root      0 Apr 24  2011 ip.dir*
-rwxrwx--- 1 root   root      0 Apr 24  2011 ip.pag*

I am running the most current version of mod_security (2.6.2) installed via EasyApache.

Thanks.

Mike
 

Secmas

Hi there -

As was reported by at least one other person earlier in this thread, I am receiving the following errors -

ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied
ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied

In both cases, the msa directory is indeed chmod 770 as prescribed, and the ip and global files are both chmod 770.

Here is what my msa directory looks like -

Code:
[email protected] [/var/asl/data/msa]# ls -l
total 8
drwxrwx--- 2 nobody nobody 4096 Apr 24  2011 ./
drwxrwx--- 5 root   root   4096 Apr 23  2011 ../
-rwxrwx--- 1 root   root      0 Apr 23  2011 global*
-rwxrwx--- 1 root   root      0 Apr 24  2011 global.dir*
-rwxrwx--- 1 root   root      0 Apr 24  2011 global.pag*
-rwxrwx--- 1 root   root      0 Apr 23  2011 ip*
-rwxrwx--- 1 root   root      0 Apr 24  2011 ip.dir*
-rwxrwx--- 1 root   root      0 Apr 24  2011 ip.pag*

I am running the most current version of mod_security (2.6.2) installed via EasyApache.

Thanks.

Mike

Hello Mike,
If you are not using ASL Lite or any other ASL package, then you don't need those directories for ModSecurity to work; in my case I have disabled those directories by setting the following in the modsec2.user.conf file:

# SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# SecAuditLogType Concurrent
SecAuditLogParts ABIFHZ

Check your conf file and see if it looks like mine, or look at my page on puntapirata, which shows how modsec2.user.conf has to be set.

Sergio
 

lbeachmike

Hello Mike,
If you are not using ASL Lite or any other ASL package, then you don't need those directories for ModSecurity to work; in my case I have disabled those directories by setting the following in the modsec2.user.conf file:

# SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# SecAuditLogType Concurrent
SecAuditLogParts ABIFHZ

Check your conf file and see if it looks like mine, or look at my page on puntapirata, which shows how modsec2.user.conf has to be set.

Sergio

Hi there -

No, I am not yet using ASL. I am guessing that we probably had these directives in place previously and perhaps they get overwritten when mod_sec is updated ... ?

Where should I be putting these directives so that EasyApache will not overwrite them?

Also - even though I'm not using ASL, how can I simply have it setup so that it would not throw those errors? I do plan to use ASL eventually, and with the directories in place, I'm not understanding why it is reporting the errors.

Thanks.

Mike
 

Secmas

Hi there -

No, I am not yet using ASL. I am guessing that we probably had these directives in place previously and perhaps they get overwritten when mod_sec is updated ... ?

Where should I be putting these directives so that EasyApache will not overwrite them?

Also - even though I'm not using ASL, how can I simply have it setup so that it would not throw those errors? I do plan to use ASL eventually, and with the directories in place, I'm not understanding why it is reporting the errors.

Thanks.

Mike

All modsec configurations in cPanel have two files:
- modsec2.conf
- modsec2.user.conf
You don't have to modify modsec2.conf, as every time EasyApache updates ModSecurity this file is overwritten.
So, the file that you need to modify with your own commands is modsec2.user.conf, and that will never be touched by any updates.

I don't know why you have the files that you listed in your prior post, as I have never used them nor created them; I only created the directories to be compatible with ASL files, but I never used them or saved any info in there. On the other hand, CMC doesn't use those logs anyway.

If you plan to use ASL some day, don't worry, ASL will re install everything for you.

So, if you are receiving those errors, it is because your modsec2.user.conf is not well configured.

Regards,

Sergio
 

lbeachmike

Hi there Sergio -

I appreciate all of your help.

It does not look like what you have indicated is the issue, because the two lines you are indicating to comment out do not exist in my modsec2.user.conf file, and the third line already does exist.

Here are what my conf files look like -

Code:
modsec2.user.conf -

SecComponentSignature 201002131758
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# USE THE FOLLOWING TWO COMMANDS ONLY IF YOU HAVE MOD_SEC 2.5.12
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 15000

# ConfigServer ModSecurity whitelist file remove the mark if you are using ConfigServer CMC.
# Include /usr/local/apache/conf/modsec2.whitelist.conf

#ASL Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
Code:
modsec2.conf -

LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module  modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>

Thanks again for all of your help.

Mike
 

Secmas

Hi there Sergio -

I appreciate all of your help.

It does not look like what you have indicated is the issue, because the two lines you are indicating to comment out do not exist in my modsec2.user.conf file, and the third line already does exist.

Here are what my conf files look like -

Code:
modsec2.user.conf -

SecComponentSignature 201002131758
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# USE THE FOLLOWING TWO COMMANDS ONLY IF YOU HAVE MOD_SEC 2.5.12
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 15000

# ConfigServer ModSecurity whitelist file remove the mark if you are using ConfigServer CMC.
# Include /usr/local/apache/conf/modsec2.whitelist.conf

#ASL Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
Code:
modsec2.conf -

LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module  modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>

Thanks again for all of your help.

Mike

Yes, everything looks OK. Can you tell me where you get those errors, and show me the errors that you get?

Sergio
 

lbeachmike

Hi Sergio -

Here is an example of the errors from the apache error log -

These are really jamming up the logs.

Code:
[Mon Oct 31 12:19:21 2011] [error] [client xx.227.57.139] ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied [hostname "xxxxxxx.com"] [uri "/rsc/js/hoverintent.js"] [unique_id "[email protected]"]
[Mon Oct 31 12:19:21 2011] [error] [client xx.227.57.139] ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/rsc/js/hoverintent.js"] [unique_id "[email protected]"]
[Mon Oct 31 12:19:29 2011] [error] [client xx.227.57.139] ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied [hostname "xxxxxxx.com"] [uri "/rsc/js/admin.js"] [unique_id "[email protected]"]
[Mon Oct 31 12:19:29 2011] [error] [client xx.227.57.139] ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/rsc/js/admin.js"] [unique_id "[email protected]"]

Thanks.

Mike
 

Secmas

Hi Sergio -

Here is an example of the errors from the apache error log -

These are really jamming up the logs.

Code:
[Mon Oct 31 12:19:21 2011] [error] [client xx.227.57.139] ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied [hostname "xxxxxxx.com"] [uri "/rsc/js/hoverintent.js"] [unique_id "[email protected]"]
[Mon Oct 31 12:19:21 2011] [error] [client xx.227.57.139] ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/rsc/js/hoverintent.js"] [unique_id "[email protected]"]
[Mon Oct 31 12:19:29 2011] [error] [client xx.227.57.139] ModSecurity: Failed to access DBM file "/var/asl/data/msa/global": Permission denied [hostname "xxxxxxx.com"] [uri "/rsc/js/admin.js"] [unique_id "[email protected]"]
[Mon Oct 31 12:19:29 2011] [error] [client xx.227.57.139] ModSecurity: Failed to access DBM file "/var/asl/data/msa/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/rsc/js/admin.js"] [unique_id "[email protected]"]
Thanks.

Mike

Ok, it seems that the owner of those files has to be nobody, so create the following empty files inside the "msa" directory:
- global.dir
- global.pag
- ip.dir
- ip.pag
chmod 640 and chown nobody:nobody

That will do the trick.

Sergio
 

lbeachmike

Hey Sergio -

I spoke prematurely. That did not work. I am still seeing exactly the same errors.

If the permissions of these files should be nobody:nobody, then wouldn't that suggest that the permissions of the parent directory would also need to be nobody? But this doesn't make sense because mod_security has most definitely been working on this server. It is just dumping a ton of these errors.

At the same time, I am running suexec, so shouldn't that be running as the actual user and not as nobody?
 

Secmas

Hey Sergio -

I spoke prematurely. That did not work. I am still seeing exactly the same errors.

If the permissions of these files should be nobody:nobody, then wouldn't that suggest that the permissions of the parent directory would also need to be nobody? But this doesn't make sense because mod_security has most definitely been working on this server. It is just dumping a ton of these errors.

At the same time, I am running suexec, so shouldn't that be running as the actual user and not as nobody?

This is how I have been using it on my server for almost 2 years:
Code:
[root /var/asl/data/msa]# ls -la
total 8
drwxrwx--- 2 nobody nobody 4096 Jan 5 2010 .
drwxr-xr-x 5 root root 4096 Jan 13 2011 ..
-rw-r----- 1 nobody nobody 0 Jan 5 2010 global.dir
-rw-r----- 1 nobody nobody 0 Jan 5 2010 global.pag
-rw-r----- 1 nobody nobody 0 Jan 5 2010 ip.dir
-rw-r----- 1 nobody nobody 0 Jan 5 2010 ip.pag
[root /var/asl/data/msa]#
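The fix Sergio gives a few posts up (empty global.dir, global.pag, ip.dir and ip.pag in the SecDataDir, chmod 640, owned by the Apache user) and the working listing he shows here can be checked mechanically before and after applying it, which is what the "Permission denied" DBM errors in Mike's error_log come down to. The script below is an added example, not code from the thread, cPanel or ASL; it assumes a Linux box with GNU coreutils (stat -c), that SecDataDir is set in modsec2.user.conf as in Mike's config, and that Apache runs as nobody unless told otherwise.

```shell
#!/bin/sh
# Added example: audit (and optionally apply) the SecDataDir ownership fix
# from this thread. Assumes Linux + GNU coreutils (stat -c); the default
# paths and the "nobody" user are taken from the posts above.

DBM_FILES="global.dir global.pag ip.dir ip.pag"

owner_of() { ls -ld "$1" | awk '{print $3}'; }
mode_of()  { stat -c '%a' "$1"; }

# secdatadir_of CONF: print the SecDataDir value from a ModSecurity config.
secdatadir_of() { awk '$1 == "SecDataDir" { print $2; exit }' "$1"; }

# check_msa_dir DIR USER: report every deviation from the working layout
# (dir 770 and the four DBM files 640, all owned by USER). Returns 0 when
# everything matches, 1 otherwise. A wrong owner on these files is what
# produces "Failed to access DBM file ...: Permission denied" in error_log.
check_msa_dir() {
    dir=$1; user=$2; rc=0
    [ -d "$dir" ] || { echo "MISSING directory $dir"; return 1; }
    [ "$(owner_of "$dir")" = "$user" ] ||
        { echo "WRONG OWNER $dir: $(owner_of "$dir") (want $user)"; rc=1; }
    case $(mode_of "$dir") in
        770|750|700) ;;
        *) echo "BAD MODE $dir: $(mode_of "$dir") (want 770)"; rc=1 ;;
    esac
    for f in $DBM_FILES; do
        p=$dir/$f
        [ -f "$p" ] || { echo "MISSING file $p"; rc=1; continue; }
        [ "$(owner_of "$p")" = "$user" ] ||
            { echo "WRONG OWNER $p: $(owner_of "$p") (want $user)"; rc=1; }
        # The owner must be able to write the DBM; nobody else needs to read it.
        case $(mode_of "$p") in
            640|600|660) ;;
            *) echo "BAD MODE $p: $(mode_of "$p") (want 640)"; rc=1 ;;
        esac
    done
    return $rc
}

# fix_msa_dir DIR USER GROUP: apply the thread's fix (create the DBM files
# if missing, chmod 640, chown to the Apache user). Existing DBM files are
# kept, not truncated. Needs root on a real server.
fix_msa_dir() {
    dir=$1; user=$2; group=$3
    mkdir -p "$dir" && chmod 770 "$dir" && chown "$user:$group" "$dir" || return 1
    for f in $DBM_FILES; do
        p=$dir/$f
        [ -f "$p" ] || : > "$p" || return 1
        chmod 640 "$p" && chown "$user:$group" "$p" || return 1
    done
}

# Stand-alone use:  sh msa_check.sh --audit [modsec2.user.conf] [apache_user]
if [ "${1:-}" = "--audit" ]; then
    dir=$(secdatadir_of "${2:-/usr/local/apache/conf/modsec2.user.conf}")
    check_msa_dir "${dir:-/var/asl/data/msa}" "${3:-nobody}"
fi
```

Run it with --audit as root on the cPanel box; every line it prints is one thing that differs from the listing above, and an empty output means the layout matches.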
 

Secmas

But every server configuration is different, so it is not expected that your server configuration would be the same as everybody else's.

This is Apache with suexec, so I would not expect it to work with user nobody.
Yes, you are right, but with ModSecurity and ASL rules almost everything is the same.
I did my ModSec installation a long time ago, so it will be better to check here:
http://www.atomicorp.com/wiki/index...#Special_notes_for_CPANEL_users_not_using_ASL
for what ASL says about those files.

Sergio