OWASP modsecurity: Activate DoS Rule

Discussion in 'Security' started by prakashnplink, Aug 24, 2015.

  1. prakashnplink

    prakashnplink Active Member

    Hello,

    I have activated OWASP rules for modsecurity and enabled "rules/REQUEST-12-DOS-PROTECTION.conf" from WHM.

    But when I review the OWASP configuration file from the terminal

    Code:
    less /usr/local/apache/conf/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
    there is the following section, which says

    Code:
    # -- [[ DoS Protection ]] ----------------------------------------------------------------
    #
    # If you are using the DoS Protection rule set, then uncomment the following
    # lines and set the following variables:
    # - Burst Time Slice Interval: time interval window to monitor for bursts
    # - Request Threshold: request # threshold to trigger a burst
    # - Block Period: temporary block timeout
    #
    #SecAction "id:'900015', phase:request, nolog, pass, t:none, setvar:'tx.dos_burst_time_slice=60', setvar:'tx.dos_counter_threshold=100', setvar:'tx.dos_block_timeout=600'"
    
    1. Do I have to remove "#" so that DoS will be activated, or is it activated already because I have enabled it from the GUI (WHM)? It is just confusing.
    2. If possible, can someone tell me how to block an IP if it attempts 3 login failures?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    1. The OWASP individual rules are enabled or disabled through WHM. You can click on "Edit" next to the OWASP rules list in:

    "WHM Home » Security Center » ModSecurity™ Vendors"

    You don't have to modify the configuration file from the command line.

    2. You may want to utilize a third-party firewall management utility such as CSF if you want to implement these types of firewall rules.

    Thank you.
     
  3. prakashnplink

    prakashnplink Active Member

    You mean to say that I do not have to remove the "#" tag from modsecurity_crs_10_setup.conf, right? But the OWASP rules didn't work at all to stop the brute force attack. :confused: I already have csf on the server and LF_MODSEC=5.

    Let's say I want to stop brute force attacks on wp-login.php and /administrator/index.php; can I add something like the following?

    Code:
    SecAction "id:'900014', phase:request, nolog, pass, t:none, setvar:'tx.brute_force_protected_urls=/wp-login.php', setvar:'tx.brute_force_burst_time_slice=60', setvar:'tx.brute_force_counter_threshold=2', setvar:'tx.brute_force_block_timeout=300'"
    
     
  4. quizknows

    quizknows Well-Known Member

    If the beginning of a line starts with a pound sign (#) then it is considered a "comment" and is not treated as code. "Uncommenting" refers to removing that character, basically "activating" that line of code.

    So yes, you would have to remove the "#" character for the rule to be active (also you have to restart Apache).

    It is likely you could modify the rule for the proper URL(s) as you are suggesting. I would advise, however, leaving the rule "commented out" in the main file if that is how it comes, and rather copying the rule uncommented to modsec2.user.conf with your modifications. This way, when the OWASP rules update, your changes will not be overwritten.
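
The commented-versus-active distinction discussed above can be checked from the terminal. The script below is an added example, not part of the original thread or of cPanel/OWASP code; the helper name `crs_secaction` is hypothetical, and the files to inspect (for instance the CRS setup file and modsec2.user.conf) are passed as arguments.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report whether a CRS SecAction is
# active, commented out, or absent in a ModSecurity configuration file.

# crs_secaction FILE ID   (hypothetical helper name)
#   output line 1: "active", "commented" or "absent"
#   further lines: the variables that SecAction sets, one name=value per line
crs_secaction() {
    [ -r "$1" ] || { echo absent; return 0; }
    awk -v id="$2" -v q="'" '
        function handle(rec,    commented, n, i, parts) {
            # Match id:900015 or id:<quote>900015<quote>, not id:9000150.
            if (rec !~ ("id:" q "?" id "([^0-9]|$)")) return
            commented = (rec ~ /^[ \t]*#/)
            # Keep the first active copy; otherwise the first commented one.
            if (state == "active" || (commented && state == "commented")) return
            state = commented ? "commented" : "active"
            vars = ""
            n = split(rec, parts, "setvar:" q "?")
            for (i = 2; i <= n; i++) {
                sub("[" q ",\"].*$", "", parts[i])  # cut at closing quote or comma
                vars = vars parts[i] "\n"
            }
        }
        { sub(/\r$/, ""); rec = rec $0 }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " ", rec); next }  # join continued lines
        { handle(rec); rec = "" }
        END {
            if (rec != "") handle(rec)
            print (state == "" ? "absent" : state)
            printf "%s", vars
        }
    ' "$1"
}

# Usage: ./check.sh FILE...   e.g. the CRS setup file and modsec2.user.conf
for f in "$@"; do
    for id in 900014 900015; do
        printf '%s id=%s: %s\n' "$f" "$id" "$(crs_secaction "$f" "$id" | tr '\n' ' ')"
    done
done
```

This inspects the file text only; it does not confirm that Apache includes the file or has been restarted since the change.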
     
  5. prakashnplink

    prakashnplink Active Member

    Thanks for your brief description about the # sign, quizknows.
     