The Community Forums


Problem with mod_security 1.9.5?

Discussion in 'cPanel Developers' started by BigBirdy, Aug 8, 2007.

  1. BigBirdy (Active Member, joined Jun 10, 2007)

    I am basically trying to get mod_security configured properly. Since I also run ConfigServer CSF and LFD, I wanted to ensure that however I set things up, the CSF control panel area would show the mod_security settings/log entries. I also wanted to ensure I had the latest mod_security version.

    I first installed it as a cpanel plugin which installed 1.9.1 I think and a small cgi applet in the WHM addons section. So far so good and everything was working and I could see the warnings in the logs. But I then upgraded mod_security to the latest 1.9.4 which promptly got overwritten with 1.9.1 the next cpanel/whm upgrade. So I checked the cpanel forums and learned I could avoid this by removing the addon, and installing manually.

    So far so good, installed the latest 1.9.5 with

    # /usr/local/apache/bin/apxs -cia mod_security.c


    and all seemed fine. Proper loadmodule line in httpd.conf and I updated /usr/local/apache/conf/mod_security.conf with my directives, and some new ones suggested in the basic modsec.conf in the 1.9.5 docs and then restarted apache.

    However, although apache started fine I didn't see the usual "[Wed Aug 8 21:08:42 2007] [notice] mod_security/1.9.5 configured" line, and no /usr/local/apache/logs/audit.conf or modsec_debug.log file gets created?

    I also have a directive (SecServerSignature "No Info Here") which should show when apache starts but instead I get the default signature as below:

    [Wed Aug 8 21:35:11 2007] [notice] SIGHUP received. Attempting to restart
    [Wed Aug 8 21:35:11 2007] [notice] Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/5.2.1 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b configured -- resuming normal operations
    [Wed Aug 8 21:35:11 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
    [Wed Aug 8 21:35:11 2007] [notice] Accept mutex: sysvsem (Default: sysvsem)

    So it would appear that something is not loading correctly.

    Maybe I didn't build the module correctly? But it seemed to build fine:

    root@serendipity:/usr/src/modsecurity-apache_1.9.5/apache1# /usr/local/apache/bin/apxs -cia mod_security.c
    gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm -DMOD_SSL=208128 -DUSE_HSREGEX -DEAPI -fpic -DSHARED_MODULE -I/usr/local/apache/include -c mod_security.c
    gcc -shared -o mod_security.so mod_security.o
    [activating module `security' in /usr/local/apache/conf/httpd.conf]
    cp mod_security.so /usr/local/apache/libexec/mod_security.so
    chmod 755 /usr/local/apache/libexec/mod_security.so
    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak
    cp /usr/local/apache/conf/httpd.conf.new /usr/local/apache/conf/httpd.conf
    rm /usr/local/apache/conf/httpd.conf.new

    *Contents of modsec.conf:*

    <IfModule mod_security.c>
    # Enable ModSecurity
    SecFilterEngine On

    # Reject matching requests with status 500 (the stock sample uses 403)
    SecFilterDefaultAction "deny,log,status:500"

    # Ignore the localhost monitoring calls
    #SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    SecServerSignature "No Info Here"

    # Designate a directory for temporary files
    # storage. It is a good idea to change the
    # value below to a private directory, just as
    # an additional measure against race conditions
    SecUploadDir /tmp
    SecUploadKeepFiles Off

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    # Uncomment below to record responses with unusual statuses
    # SecAuditLogRelevantStatus ^5
    SecAuditLog logs/audit.log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog logs/modsec_debug.log

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

    # Do not accept GET or HEAD requests with bodies
    SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Length "!^$"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # WEB-ATTACKS wget command attempt
    SecFilterSelective THE_REQUEST "wget "

    # WEB-ATTACKS uname -a command attempt
    SecFilterSelective THE_REQUEST "uname -a"

    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"

    # WEB-ATTACKS .htaccess access
    SecFilterSelective THE_REQUEST "\.htaccess"

    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"

    # WEB-MISC cross site scripting \(img src=javascript\) attempt
    SecFilter "img src=javascript"

    # WEB-MISC cd..
    SecFilterSelective THE_REQUEST "cd\.\."

    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"

    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"

    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"

    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"

    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"

    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass

    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"
    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"

    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"

    # WEB-PHP PHP-Wiki cross site scripting attempt
    SecFilterSelective THE_REQUEST "<script"

    # WEB-PHP strings overflow
    SecFilterSelective THE_REQUEST "\?STRENGUR"

    # WEB-PHP PHPLIB remote command attempt
    SecFilter "_PHPLIB\[libdir\]"

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"


    </IfModule>
     
  2. nickp666 (Well-Known Member, joined Jan 28, 2005)

    You need ServerTokens set to Full for this to work.
     
  3. chirpy (Well-Known Member, joined Jun 15, 2002)

    Also, your SecAuditLog line ought to read:

    SecAuditLog logs/audit_log
     
  4. BigBirdy (Active Member, joined Jun 10, 2007)

    Thanks, found the problem. The include directive was missing to add my modsec.conf settings
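A quick way to spot this exact failure (module activated by apxs, but the directive file never included, so the "mod_security/1.9.5 configured" notice never appears), as an added example that is not code from the thread: a POSIX shell function that reads an httpd.conf and an Apache 1.3 error_log and reports which piece is missing. The file names and sample contents below are constructed; on the poster's box the real files live under /usr/local/apache.

```shell
#!/bin/sh
# Added diagnostic (not from the original posts): report which parts of a
# working mod_security 1.9.x install are missing from httpd.conf / error_log.

check_modsec() {
    conf="$1"; log="$2"; missing=""
    # apxs -cia writes both of these into httpd.conf when it activates the module
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+security_module' "$conf" \
        || missing="$missing loadmodule"
    grep -Eq '^[[:space:]]*AddModule[[:space:]]+mod_security\.c' "$conf" \
        || missing="$missing addmodule"
    # the SecFilter* directives live in a separate file; Apache only reads it
    # when httpd.conf carries an uncommented Include for it
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*mod_?sec' "$conf" \
        || missing="$missing include"
    # a module that really loaded logs this notice at every start/restart
    grep -Eq '\[notice\] mod_security/1\.9\.[0-9]+ configured' "$log" \
        || missing="$missing notice"
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

tmp=$(mktemp -d)
# constructed: httpd.conf after apxs -cia but with the Include still absent,
# plus the error_log lines quoted in the thread (no mod_security notice)
cat > "$tmp/broken.conf" <<'EOF'
LoadModule security_module    libexec/mod_security.so
AddModule mod_security.c
EOF
cat > "$tmp/broken.log" <<'EOF'
[Wed Aug  8 21:35:11 2007] [notice] SIGHUP received. Attempting to restart
[Wed Aug  8 21:35:11 2007] [notice] Apache/1.3.37 (Unix) ... configured -- resuming normal operations
EOF
# constructed: the same files once the Include is added and Apache restarted
cat > "$tmp/fixed.conf" <<'EOF'
LoadModule security_module    libexec/mod_security.so
AddModule mod_security.c
Include "/usr/local/apache/conf/mod_security.conf"
EOF
cat > "$tmp/fixed.log" <<'EOF'
[Wed Aug  8 21:35:11 2007] [notice] mod_security/1.9.5 configured
EOF

check_modsec "$tmp/broken.conf" "$tmp/broken.log"   # missing: include notice
check_modsec "$tmp/fixed.conf" "$tmp/fixed.log"     # ok
```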
     