Modsecurity rules vendors?

Discussion in 'Security' started by Cron0, May 7, 2015.

  1. Cron0

    Cron0 Member
    PartnerNOC

    cPanel/WHM 11.48 allows ModSecurity rules vendors to provide their rules in a format that can be integrated very easily. The vendor we currently use does not seem to provide them in that format.

    Does anybody know if there are known modsecurity rules vendors providing their rules in the format supported by cPanel/WHM?

    Thanks!
     
  2. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    Are you having trouble adding your vendor's existing rules, or are you simply seeking a way to make it easier to add them through WHM? We do have support for custom vendors:

    ModSecurity Vendors

    However, you may want to contact your vendor to see if they are aware of this new functionality in 11.48.

    Thank you.
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    cPanel Access Level:
    Root Administrator
    There's also a request to add Comodo as a vendor: https://features.cpanel.net/topic/comodo-waf-as-a-modsecurity-vendor

    If you'd like to see them included as one of the standard vendors, please let your voice be heard on the request.
     
  5. Cron0

    Cron0 Member
    PartnerNOC

    Our current vendor is Atomicorp. They have told us they will not implement the vendor functionality because their own update mechanism is "better" (we download and install their rules manually right now).

    https://www.atomicorp.com/wiki/index.php/Aum

    When I contacted them, they said
    Their system is not very well documented. It installs a cron job, recompiles Apache with their own ModSecurity version and installs a third-party yum repository. To me this looks way more complex and error-prone than the cPanel rules vendoring system, which is fully integrated into WHM.

    If they do not integrate well with cPanel/WHM we will switch to another vendor or straight up OWASP and a few of our own custom rules.

    Feedback?
     
  6. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    Cron0, to be honest, Atomicorp rules really are the best on the market. Trustwave is close, OWASP is pretty much still a joke at this point. Comodo rules aren't bad, I'd put them somewhere just above OWASP. Hopefully the community reporting for OWASP can help salvage something usable out of that rule set.

    I manage modsec rules for a major host, and we use RPM updates still. I've considered using the cPanel vendor system, however, we've been using RPMs for many years and it allows us to update everyone on legacy systems all the way through the newest WHM builds. To switch to the vendor system would be a major overhaul which would only work for people who keep everything up to date (which in a perfect world would be everyone, but in practice we all know how often people disable or neglect updates). Also it would give our users an easy one-click way to shut off all the rules we work so hard to make to protect them if they were to shut off our "vendor." Instead, I make sure that our RPM works alongside additional vendor configs. This is not to say anything bad about the vendor system, I actually like it, but because it didn't exist in the past we already created our own solution of using RPMs to deploy ModSecurity rules to cPanel servers, and we can't exactly ditch that very easily.

    I hate to say it but I can understand Atomic's stance on it, and I'd never be in a hurry to ditch their rules. They really are the best vetted rules in the industry.

    On the flip side though, I will say that when evaluating them as a vendor, they did try to push the rest of the ASL stuff on us when we just wanted to purchase modsec rules. We had nothing but troubles trying to get ASL to work properly as a whole, and eventually ditched the whole idea and pretty much just manage our own rules. When an entire team of our sysadmins had less than a 20% success rate installing ASL at all, it really rubbed us the wrong way.

    At this point I (personally) use custom rules, with Comodo on top as additional protection since it's easy enough and seems to have a very low false positive rate when compared with OWASP.
     
    #6 quizknows, May 12, 2015
    Last edited: May 12, 2015