Problem with mod_security 1.9.5?

Discussion in 'cPanel Developers' started by BigBirdy, Aug 8, 2007.

  1. BigBirdy

    BigBirdy Active Member

    Joined:
    Jun 10, 2007
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    151
    I am basically trying to get mod_security configured properly. Since I also run ConfigServer CSF and LFD, I wanted to ensure that however I set things up, the CSF control panel area would show the mod_security settings/log entries. I also wanted to ensure I had the latest mod_security version.

    I first installed it as a cpanel plugin which installed 1.9.1 I think and a small cgi applet in the WHM addons section. So far so good and everything was working and I could see the warnings in the logs. But I then upgraded mod_security to the latest 1.9.4 which promptly got overwritten with 1.9.1 the next cpanel/whm upgrade. So I checked the cpanel forums and learned I could avoid this by removing the addon, and installing manually.

    So far so good, installed the latest 1.9.5 with

    # /usr/local/apache/bin/apxs -cia mod_security.c


    and all seemed fine. Proper loadmodule line in httpd.conf and I updated /usr/local/apache/conf/mod_security.conf with my directives, and some new ones suggested in the basic modsec.conf in the 1.9.5 docs and then restarted apache.

    However, although apache started fine I didn't see the usual "[Wed Aug 8 21:08:42 2007] [notice] mod_security/1.9.5 configured" line, and no /usr/local/apache/logs/audit.conf or modsec_debug.log file gets created?

    I also have a directive (SecServerSignature "No Info Here") which should show when apache starts but instead I get the default signature as below:

    [Wed Aug 8 21:35:11 2007] [notice] SIGHUP received. Attempting to restart
    [Wed Aug 8 21:35:11 2007] [notice] Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/5.2.1 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b configured -- resuming normal operations
    [Wed Aug 8 21:35:11 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
    [Wed Aug 8 21:35:11 2007] [notice] Accept mutex: sysvsem (Default: sysvsem)

    So it would appear that something is not loading correctly.

    Maybe I didn't build the module correctly? But it seemed to build fine:

    root@serendipity:/usr/src/modsecurity-apache_1.9.5/apache1# /usr/local/apache/bin/apxs -cia mod_security.c
    gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm -DMOD_SSL=208128 -DUSE_HSREGEX -DEAPI -fpic -DSHARED_MODULE -I/usr/local/apache/include -c mod_security.c
    gcc -shared -o mod_security.so mod_security.o
    [activating module `security' in /usr/local/apache/conf/httpd.conf]
    cp mod_security.so /usr/local/apache/libexec/mod_security.so
    chmod 755 /usr/local/apache/libexec/mod_security.so
    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak
    cp /usr/local/apache/conf/httpd.conf.new /usr/local/apache/conf/httpd.conf
    rm /usr/local/apache/conf/httpd.conf.new

    *Contents of modsec.conf:*

    <IfModule mod_security.c>
    # Enable ModSecurity
    SecFilterEngine On

    # Reject requests with status 500
    SecFilterDefaultAction "deny,log,status:500"

    # Ignore the localhost monitoring calls
    #SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    SecServerSignature "No Info Here"

    # Designate a directory for temporary files
    # storage. It is a good idea to change the
    # value below to a private directory, just as
    # an additional measure against race conditions
    SecUploadDir /tmp
    SecUploadKeepFiles Off

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    # Uncomment below to record responses with unusual statuses
    # SecAuditLogRelevantStatus ^5
    SecAuditLog logs/audit.log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog logs/modsec_debug.log

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

    # Do not accept GET or HEAD requests with bodies
    SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Length "!^$"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # WEB-ATTACKS wget command attempt
    SecFilterSelective THE_REQUEST "wget "

    # WEB-ATTACKS uname -a command attempt
    SecFilterSelective THE_REQUEST "uname -a"

    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"

    # WEB-ATTACKS .htaccess access
    SecFilterSelective THE_REQUEST "\.htaccess"

    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"

    # WEB-MISC cross site scripting \(img src=javascript\) attempt
    SecFilter "img src=javascript"

    # WEB-MISC cd..
    SecFilterSelective THE_REQUEST "cd\.\."

    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"

    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"

    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"

    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"

    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"

    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass

    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"
    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"

    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"

    # WEB-PHP PHP-Wiki cross site scripting attempt
    SecFilterSelective THE_REQUEST "<script"

    # WEB-PHP strings overflow
    SecFilterSelective THE_REQUEST "\?STRENGUR"

    # WEB-PHP PHPLIB remote command attempt
    SecFilter "_PHPLIB\[libdir\]"

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"


    </IfModule>
     
  2. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    769
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    /dev/null
    You need ServerTokens set to Full for this to work.
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Also, your SecAuditLog line ought to read:

    SecAuditLog logs/audit_log
     
  4. BigBirdy

    BigBirdy Active Member

    Joined:
    Jun 10, 2007
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    151
    Thanks, found the problem. The include directive was missing to add my modsec.conf settings
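
Added example, not part of the original thread: a shell check for the failure diagnosed above, where Apache starts cleanly but no active Include pulls in modsec.conf, so none of its directives take effect. The sample httpd.conf lines, the include path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): is mod_security actually wired into httpd.conf?

# active_directive FILE ERE: true if an uncommented line starts with ERE.
active_directive() {
    grep -Eiq "^[[:space:]]*$2" "$1"
}

# check_modsec_wiring HTTPD_CONF RULES_FILE
# Returns 0 only if the module is loaded and the rules file is included.
check_modsec_wiring() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    # Escape dots so "modsec.conf" is matched literally.
    rules_re=$(printf '%s' "$2" | sed 's/\./\\./g')

    if active_directive "$conf" "LoadModule[[:space:]]+security_module[[:space:]]"; then
        echo "OK   LoadModule security_module is active"
    else
        echo "FAIL no active LoadModule security_module line"; rc=1
    fi
    if active_directive "$conf" "Include[[:space:]]+\"?([^[:space:]\"]*/)?${rules_re}\"?[[:space:]]*\$"; then
        echo "OK   $2 is included"
    else
        echo "FAIL $2 is never included, so its directives are ignored"; rc=1
    fi
    return $rc
}

# Constructed sample input: module loaded, Include commented out, then the fix.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
LoadModule security_module libexec/mod_security.so
AddModule mod_security.c
#Include "/usr/local/apache/conf/modsec.conf"
EOF
    echo "== before =="; check_modsec_wiring "$tmp" modsec.conf || true
    echo 'Include "/usr/local/apache/conf/modsec.conf"' >> "$tmp"
    echo "== after =="; check_modsec_wiring "$tmp" modsec.conf
    demo_rc=$?
    rm -f "$tmp"
    return $demo_rc
}
demo
```

A passing result only shows the configuration is wired in; the "mod_security/1.9.5 configured" notice in the error log after a restart is still the confirmation that the module is running.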
     
  5. bodhost.co.uk

    bodhost.co.uk Registered

    Joined:
    Aug 9, 2007
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51