OWASP - mod security and wordpress

[wrender]

I feel your pain of the ModSecurity OWASP false positives. It seems to be that especially with WordPress there are a lot of false positives with different plugins (Probably same reason it always gets hacked). I don't think it is really either a problem with cPanel, or with ModSecurity though.

The OWASP rules for ModSecurity are designed to provide "Generic Attack Detection" so naturally they are going to block out some good web traffic to valid applications too as they are overly secure. In this case they seem to be so secure they create a lot of false positives which is a nightmare for a small business to whitelist.

For us a couple of setups that are working well:

Option 1 - (Commercial rules, with some basic OWASP rules enabled).

1. Buy a subscription to the Trustwave Commercial ModSecurity rules (Or other commercial mod security rule vendor), and run their application specific rules in conjunction with some of the base OWASP rules in anomaly detection mode. For example with these rules loaded in your ModSecurity Vendor Configuration:

modsecurity_crs_10_setup.conf (Set to run in Anomaly Detection Mode by uncommenting that line, and increasing the 255 character limit line to something higher like 512).
rules/REQUEST-01-COMMON-EXCEPTIONS.conf
rules/REQUEST-10-IP-REPUTATION.conf
rules/REQUEST-12-DOS-PROTECTION.conf
rules/REQUEST-13-SCANNER-DETECTION.conf
rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
rules/REQUEST-21-PROTOCOL-ATTACK.conf
rules/REQUEST-49-BLOCKING-EVALUATION.conf
rules/RESPONSE-59-BLOCKING-EVALUATION.conf
rules/RESPONSE-80-CORRELATION.conf

2. And enable these commercial rules in the bottom of your /usr/local/apache/conf/modsec2.user.conf file:

# Include Trustwave Commercial Modsecurity Rules
Include conf/slr_vuln_rules/modsecurity_slr_10_ip_reputation.conf
Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
Include conf/slr_vuln_rules/modsecurity_slr_50_malware_detection.conf
Include conf/slr_vuln_rules/owasp_crs_integration/application_specific/*.conf
Include conf/slr_vuln_rules/botnet_attacks/*.conf
Include conf/slr_vuln_rules/dos_attacks/*.conf
Include conf/slr_vuln_rules/webshell_backdoors/*.conf

* I think this method will always be a better way, because you are basically paying for a commercial rule set that will always have better protection with almost no false positives. (you get what you pay for!)

Option 2 - (Only OWASP Rules Loaded)

1. Enable all of the OWASP rule sets in your ModSecurity Vendors.
2. Create a whitelist repository, and start whitelisting any false positives for each application. (I would strongly recommend setting up an AuditConsole server, as it will really help with this).

I’ve started an OWASP whitelist repository here: /https://github.com/wrender/modsecurity-whitelist-apps If anyone is able to help contribute I think it would be very helpful to anyone running ModSecurity with all of the OWASP rules enabled.

** This is the very labor intensive way, because there are a lot of different false positives depending on which web applications you are running.

 

[Infopro]

What good does yet another github project for modsec accomplish? OWASP needs reports of false positives to make the rules any better, and you're hoping to get folks to contribute to your repository and theirs (I guess) or just yours?

What good does running a paid version ($495 bucks a year?) and a free version accomplish, really?

* I think this method will always be a better way, because you are basically paying for a commercial rule set that will always have better protection with almost no false positives. (you get what you pay for!)

We're getting what we paid for right now. And, it sucks. These OWASP rules just plain suck. Untested it seems on just about everything. But with our help! Things will improve over time.

This, from Brian Oates from cPanel on the EDGE mailing list, just today:

One of our original goals with the OWASP ModSecurity Rule Set distribution was to provide OWASP’s maintainers with constant feedback from server owners utilizing the rule set so that it could be consistently improved upon. Lack of rule set feedback was one of OWASP’s maintainers' chief frustrations that they communicated to us. Therefore, both ourselves and OWASP would like to encourage everyone to utilize this reporting feature.

OWASP's github is all but dead as far as feedback, so are their mailing lists from what I can tell. But hey, lets fragment the discussion into yet another github repository anyway, why not?

Personally, I've got more important things to be doing than assisting OWASP and cPanel to come up with a basic set of rules that work. I may try them again at some point after you guys get the bugs worked out of them, but for now, hell no. The way things are going, that might be years from now, one rule ID at a time.

cPanel's implementation of this new ModSec setup is coming along great, I'm really enjoying seeing the efforts here to make all this easier for us. But, the OWASP rulesets are the weakest, untested, part of the equation right now. And, it seems for some time to come, going by the public feedback I've been reading.

Sign up for and follow the OWASP repository on GitHub and their mailing list. No worries, both are very low traffic.

 

[kernow]

Reading on the Comodo forums I see that cPanel are talking to Comodo about adding them as a vendor. Should that happen you can forget about waiting years for the OWASP rules to be sorted, just switch to the Comodo WAF rules
https://forums.comodo.com/free-mods...1148-plans-t109602.0.html;msg798619#msg798619

 

[wrender]

Infopro,

I think you are a bit confused of the security model for the OWASP ruleset for ModSecurity. It is designed as a "generic attack detection" so it will always have false positives. See here: https://www3.trustwave.com/modsecurity-rules-support.php (Unless this has changed recently and then I am mistaken).

My hopes would be that this whitelist is available to anyone using the OWASP rules, to eliminate false positives per web application type. Yes. That is why we put it on github, and anyone has access to it.

The commercial version of security rules intercept specific attack vector locations, the OWASP rule set does not, and intercepts generic attacks. So that is the advantage of using paid versions of rules: that they don't have as many false positives, and protect against known attacks/attack vector locations.

What good does yet another github project for modsec accomplish? OWASP needs reports of false positives to make the rules any better, and you're hoping to get folks to contribute to your repository and theirs (I guess) or just yours?

What good does running a paid version ($495 bucks a year?) and a free version accomplish, really?


We're getting what we paid for right now. And, it sucks. These OWASP rules just plain suck. Untested it seems on just about everything. But with our help! Things will improve over time.

This, from Brian Oates from cPanel on the EDGE mailing list, just today:



OWASP's github is all but dead as far as feedback, so are their mailing lists from what I can tell. But hey, lets fragment the discussion into yet another github repository anyway, why not?

Personally, I've got more important things to be doing than assisting OWASP and cPanel to come up with a basic set of rules that work. I may try them again at some point after you guys get the bugs worked out of them, but for now, hell no. The way things are going, that might be years from now, one rule ID at a time.

cPanel's implementation of this new ModSec setup is coming along great, I'm really enjoying seeing the efforts here to make all this easier for us. But, the OWASP rulesets are the weakest, untested, part of the equation right now. And, it seems for some time to come, going by the public feedback I've been reading.

Sign up for and follow the OWASP repository on GitHub and their mailing list. No worries, both are very low traffic.

 

[quizknows]

cPanel's implementation of this new ModSec setup is coming along great, I'm really enjoying seeing the efforts here to make all this easier for us. But, the OWASP rulesets are the weakest, untested, part of the equation right now. And, it seems for some time to come, going by the public feedback I've been reading.

Quoted for truth.

 

[Vliegtuig]

What good does yet another github project for modsec accomplish? OWASP needs reports of false positives to make the rules any better, and you're hoping to get folks to contribute to your repository and theirs (I guess) or just yours?

I'd gladly report issues, if the WHM interface would not keep giving me 500's... (see http://forums.cpanel.net/f185/owasp-mod-security-wordpress-452091-p4.html#post1841321)

 

[Infopro]

Not sure if I am the only one with this problem, but when reporting a rule, I get the following error:

The system was unable to submit the request: curl: (22) The requested URL returned error: 500 Internal Server Error

An additional side-effect of this error: we cannot disable it through the web interface.

In particular, we are receiving a *lot* of false positives caused by rule 950901, which looks for SQL tautologies. This rule seems to be very outdated because it lacks word boundaries. This problem ahs been discussed here in 2013: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2013-June/001418.html.

It seems that the ruleset has not been updated to reflect this obvious bug yet.

To clarify, when you see the rule in the Hits list, and then you click, More, to the right side of listing, when that area expands you see the Report this hit button, bottom left corner. When you click that, and fll in all forms and click Review Report, what happens next, exactly?

Thanks.

 

[Infopro]

I'd gladly report issues, if the WHM interface would not keep giving me 500's... (see http://forums.cpanel.net/f185/owasp-mod-security-wordpress-452091-p4.html#post1841321)

Reporting rules to anywhere other than thru the WHM interface is of no help to anyone but the people you report the rule to. The proper place to report any of these rules used by cPanel, is thru the cPanel interface.

HTH!

 

[Vliegtuig]

To clarify, when you see the rule in the Hits list, and then you click, More, to the right side of listing, when that area expands you see the Report this hit button, bottom left corner. When you click that, and fll in all forms and click Review Report, what happens next, exactly?

Thanks.

"Review report" works fine, but when clicking on "Submit" on the next page, I get the following error:View attachment 27211

 

[Infopro]

Please feel free to open a ticket to cPanel Technical Support about this for closer investigation.

 

[JaredR.]

The problem of a 500 error when trying to report ModSecurity rule hits has already been reported to our developers. The internal case for this is 174401. There is no estimate for when this will be addressed in a public build, but when it is, it will be mentioned in our changelog by that case number. You can view our changelog at any time at this URL:

http://changelog.cpanel.net

Or, in the WebHost Manager, you can click Home » cPanel » Change Log.

 

[hekri]

I also have problems with cpanel OWASP and go to https://forums.comodo.com/free-mods...a-modsecurity-vendor-in-cpanel-t110147.0.html and install comoo as vendor. Work without problems that we have with OWASP. Many clients calling that mod_security stop normal working cms and forums then we need usnistall owasp and instal Comodo

 

[Infopro]

Thanks for sharing that link.

 

[cPanelDon]

Not sure if I am the only one with this problem, but when reporting a rule, I get the following error:

The system was unable to submit the request: curl: (22) The requested URL returned error: 500 Internal Server Error

The problem of a 500 error when trying to report ModSecurity rule hits has already been reported to our developers. The internal case for this is 174401. There is no estimate for when this will be addressed in a public build, but when it is, it will be mentioned in our changelog by that case number.

Case 174401 and the Internal Server Error, seen when reporting OWASP rule hits, is now resolved after corrective changes on the modsecurity.org systems that receive and process report submissions.

The only other known issue with reporting at this time is from servers with an OS older than CentOS 6, such as CentOS 5, where an SSL warning is presented because the OS doesn't include a recent-enough CA bundle that is necessary to verify the SSL certificate used on modsecurity.org. This remaining issue is being tracked via internal Case 174373. Upon resolution this case number will be mentioned in an upcoming change-log entry at https://go.cpanel.net/changelog.

 

[sonicthoughts]

I feel your pain of the ModSecurity OWASP false positives. It seems to be that especially with WordPress there are a lot of false positives with different plugins (Probably same reason it always gets hacked). I don't think it is really either a problem with cPanel, or with ModSecurity though.

The OWASP rules for ModSecurity are designed to provide "Generic Attack Detection" so naturally they are going to block out some good web traffic to valid applications too as they are overly secure. In this case they seem to be so secure they create a lot of false positives which is a nightmare for a small business to whitelist.

For us a couple of setups that are working well:

Option 1 - (Commercial rules, with some basic OWASP rules enabled).

1. Buy a subscription to the Trustwave Commercial ModSecurity rules (Or other commercial mod security rule vendor), and run their application specific rules in conjunction with some of the base OWASP rules in anomaly detection mode. For example with these rules loaded in your ModSecurity Vendor Configuration:

modsecurity_crs_10_setup.conf (Set to run in Anomaly Detection Mode by uncommenting that line, and increasing the 255 character limit line to something higher like 512).
rules/REQUEST-01-COMMON-EXCEPTIONS.conf
rules/REQUEST-10-IP-REPUTATION.conf
rules/REQUEST-12-DOS-PROTECTION.conf
rules/REQUEST-13-SCANNER-DETECTION.conf
rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
rules/REQUEST-21-PROTOCOL-ATTACK.conf
rules/REQUEST-49-BLOCKING-EVALUATION.conf
rules/RESPONSE-59-BLOCKING-EVALUATION.conf
rules/RESPONSE-80-CORRELATION.conf

2. And enable these commercial rules in the bottom of your /usr/local/apache/conf/modsec2.user.conf file:

# Include Trustwave Commercial Modsecurity Rules
Include conf/slr_vuln_rules/modsecurity_slr_10_ip_reputation.conf
Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
Include conf/slr_vuln_rules/modsecurity_slr_50_malware_detection.conf
Include conf/slr_vuln_rules/owasp_crs_integration/application_specific/*.conf
Include conf/slr_vuln_rules/botnet_attacks/*.conf
Include conf/slr_vuln_rules/dos_attacks/*.conf
Include conf/slr_vuln_rules/webshell_backdoors/*.conf

* I think this method will always be a better way, because you are basically paying for a commercial rule set that will always have better protection with almost no false positives. (you get what you pay for!)

Option 2 - (Only OWASP Rules Loaded)

1. Enable all of the OWASP rule sets in your ModSecurity Vendors.
2. Create a whitelist repository, and start whitelisting any false positives for each application. (I would strongly recommend setting up an AuditConsole server, as it will really help with this).

I’ve started an OWASP whitelist repository here: /https://github.com/wrender/modsecurity-whitelist-apps If anyone is able to help contribute I think it would be very helpful to anyone running ModSecurity with all of the OWASP rules enabled.

** This is the very labor intensive way, because there are a lot of different false positives depending on which web applications you are running.

In the absence of cpanel taking a stake in providing solid vendor rules, this is a great step forward. thanks!

 

[iso99]

I feel your pain of the ModSecurity OWASP false positives. It seems to be that especially with WordPress there are a lot of false positives with different plugins (Probably same reason it always gets hacked). I don't think it is really either a problem with cPanel, or with ModSecurity though.

The OWASP rules for ModSecurity are designed to provide "Generic Attack Detection" so naturally they are going to block out some good web traffic to valid applications too as they are overly secure. In this case they seem to be so secure they create a lot of false positives which is a nightmare for a small business to whitelist.

For us a couple of setups that are working well:

Option 1 - (Commercial rules, with some basic OWASP rules enabled).

1. Buy a subscription to the Trustwave Commercial ModSecurity rules (Or other commercial mod security rule vendor), and run their application specific rules in conjunction with some of the base OWASP rules in anomaly detection mode. For example with these rules loaded in your ModSecurity Vendor Configuration:

modsecurity_crs_10_setup.conf (Set to run in Anomaly Detection Mode by uncommenting that line, and increasing the 255 character limit line to something higher like 512).
rules/REQUEST-01-COMMON-EXCEPTIONS.conf
rules/REQUEST-10-IP-REPUTATION.conf
rules/REQUEST-12-DOS-PROTECTION.conf
rules/REQUEST-13-SCANNER-DETECTION.conf
rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
rules/REQUEST-21-PROTOCOL-ATTACK.conf
rules/REQUEST-49-BLOCKING-EVALUATION.conf
rules/RESPONSE-59-BLOCKING-EVALUATION.conf
rules/RESPONSE-80-CORRELATION.conf

2. And enable these commercial rules in the bottom of your /usr/local/apache/conf/modsec2.user.conf file:

# Include Trustwave Commercial Modsecurity Rules
Include conf/slr_vuln_rules/modsecurity_slr_10_ip_reputation.conf
Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
Include conf/slr_vuln_rules/modsecurity_slr_50_malware_detection.conf
Include conf/slr_vuln_rules/owasp_crs_integration/application_specific/*.conf
Include conf/slr_vuln_rules/botnet_attacks/*.conf
Include conf/slr_vuln_rules/dos_attacks/*.conf
Include conf/slr_vuln_rules/webshell_backdoors/*.conf

* I think this method will always be a better way, because you are basically paying for a commercial rule set that will always have better protection with almost no false positives. (you get what you pay for!)

Option 2 - (Only OWASP Rules Loaded)

1. Enable all of the OWASP rule sets in your ModSecurity Vendors.
2. Create a whitelist repository, and start whitelisting any false positives for each application. (I would strongly recommend setting up an AuditConsole server, as it will really help with this).

I’ve started an OWASP whitelist repository here: /GitHub - wrender/modsecurity-whitelist-apps: This repository is for people to contribute common ModSecurity web application false positive whitelists. If anyone is able to help contribute I think it would be very helpful to anyone running ModSecurity with all of the OWASP rules enabled.

** This is the very labor intensive way, because there are a lot of different false positives depending on which web applications you are running.

I'm re-thinking of using OWASP again on my new server. It's good that I've found your project. Thanks for this! I'll try to contribute as much as possible.

 

[epaslv]

My personal experience has been terrible.

I enabled the OWASP ModSecurity Rules thinking they were ready for production, being available in RELEASE tier. It pretty much screwed up more that 50% of CMS sites.

Various redirections not working, infinate loops, unable to login etc, and our support department spent the whole day screening issues.

I quickly uninstalled it from all our servers to restore services. I am surprised they are even made available, were they even tested?

 

[cPanelMichael]

Hello,

For others who are considering the OWASP ruleset for the first time, it's important to review the following document:

OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation

In particular, pay close attention to this section:

What are the risks?
As with any mechanism that blocks web traffic, there is the risk that the rules could block legitimate traffic (false positives). While both OWASP and cPanel, Inc. aim to curate the OWASP rule set to reduce the potential for false positives, there is a risk that the rule set may block legitimate traffic. Review theModSecurity Tools (Home >> Security Center >> ModSecurity™ Tools) interface routinely to evaluate the traffic that the rule set blocks and whether these blocks affect legitimate users.

This is a core rule set that requires monitoring and fine tuning.

Thank you.

 

[Infopro]

While both OWASP and cPanel, Inc. aim to curate the OWASP rule set...

I'm still looking forward to the curated rules, although it doesn't look good going by dates:
github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/base_rules

 

[hrace009]

2. And enable these commercial rules in the bottom of your /usr/local/apache/conf/modsec2.user.conf file:

# Include Trustwave Commercial Modsecurity Rules
Include conf/slr_vuln_rules/modsecurity_slr_10_ip_reputation.conf
Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
Include conf/slr_vuln_rules/modsecurity_slr_50_malware_detection.conf
Include conf/slr_vuln_rules/owasp_crs_integration/application_specific/*.conf
Include conf/slr_vuln_rules/botnet_attacks/*.conf
Include conf/slr_vuln_rules/dos_attacks/*.conf
Include conf/slr_vuln_rules/webshell_backdoors/*.conf

* I think this method will always be a better way, because you are basically paying for a commercial rule set that will always have better protection with almost no false positives. (you get what you pay for!)

Option 2 - (Only OWASP Rules Loaded)

1. Enable all of the OWASP rule sets in your ModSecurity Vendors.
2. Create a whitelist repository, and start whitelisting any false positives for each application. (I would strongly recommend setting up an AuditConsole server, as it will really help with this).

I’ve started an OWASP whitelist repository here: github.com/wrender/modsecurity-whitelist-apps If anyone is able to help contribute I think it would be very helpful to anyone running ModSecurity with all of the OWASP rules enabled.

** This is the very labor intensive way, because there are a lot of different false positives depending on which web applications you are running.

After find this, i would like to use OWASP again, instead commodo WAF