The Community Forums


Rules for mod_security2

Discussion in 'Security' started by casey, Sep 14, 2007.

  1. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    I used to use Hostmerit's ruleset for mod_security, but it won't work with mod_security2. Does anyone know of some good rulesets for mod_security2? I tried the ones on gotroot.org, but they end up breaking apache so that it throws 500 errors for everything.
     
  2. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    We had so many custom rules under modsecurity_1, and then they went and totally rewrote the modsecurity_2 rule syntax. I spent a couple of hours playing with it and gave up and just installed the rules they provide:

    http://www.modsecurity.org/download/direct.html

    We had to go in and disable a few things for FrontPage and whatnot, but I just couldn't deal with all the rewriting of my old stuff.
     
  3. swampy

    swampy Well-Known Member

    Joined:
    Jan 30, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    0
    nyjimbo, did you have any problems with the default rules? I am having this problem:

    2007-09-14 15:43:11 ::1 / HTTP/1.0 Access denied with code 406 (phase 2). Invalid Unicode encoding: invalid byte value in character. [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] 406

    but I do not know who the client ::1 is; there is no IP either, so I think it must be something running on the server. Have you got any ideas?

    I get this in respect to this client in the Apache error logs; not sure if it is related:

    [info] [client ::1] (32)Broken pipe: core_output_filter: writing data to the network

    thanks
    Mark
     
    #3 swampy, Sep 14, 2007
    Last edited: Sep 14, 2007
  4. cPanelBilly

    cPanelBilly Guest

    Just remember approx. 90% will break cPanel / FrontPage / your clients' scripts' functionality. Double check every rule you put in and know what it does.
     
  5. cooldude7273

    cooldude7273 Well-Known Member

    Joined:
    Jan 11, 2004
    Messages:
    363
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Roswell, GA
    gotroot.com has a ton of rules for mod_sec 2
     
  6. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Well, I installed the rules on the mod_security website, and I get this error:
    Error creating rule: Unknown variable: XML

    The only thing I could find on Google was an apache forum where someone was complaining that libxml was not being installed, but I have libxml2.so.
     
  7. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Thanks for the link.
     
  8. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    In the meantime, I deleted the lines that included xml:* and everything works. It has to be something with the way that libxml is being compiled...
     
  9. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    I just looked at the Makefile in the mod_security installation directory. It does not include the DEFS = -DWITH_LIBXML2 line. Is this an oversight by the cPanel team, or is it intentional?
     
  10. bazzi

    bazzi Well-Known Member

    Joined:
    May 23, 2004
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    I have translated the mod_security rules from Kris S. - HostMerit.com to mod_security2.

    You can download it here:
    http://www.TimmiT.nl/modsec2.user.conf

    Please report if I translated something wrong.
     
  11. PPNSteve

    PPNSteve Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Somewhere in Ilex Forest
    cPanel Access Level:
    Root Administrator
    Apache won't restart with this rule set running
     
  12. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Joined:
    Feb 20, 2003
    Messages:
    336
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Gothenburg, Sweden
    cPanel Access Level:
    DataCenter Provider
    Anyone got any good modsec2 rules? Seems that gotroot.com is more or less missing in action - no updates for a year or so and no posts on the forum for a good while.
     
  13. bazzi

    bazzi Well-Known Member

    Joined:
    May 23, 2004
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16

    What does apache configtest say?

    We didn't encounter that problem on all our servers...
     
  14. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    I have tried the rules. I was in PuTTY and used the command line to edit the file and paste all the rules into the modsec2.user.conf file; I failed to restart Apache because some lines were wrapped. Maybe his problem is caused by that.

    After using ConfigServer's CSF interface in WHM to edit the file and submit it again, Apache runs fine on my box.

    Thanks.
     
  15. bazzi

    bazzi Well-Known Member

    Joined:
    May 23, 2004
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    a little tip:

    When you start Pico, you can include a command that will turn off word wrap and allow you to edit long lines. To do this, at the Unix prompt, enter:
    pico -w filename
     
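The restart failure jameshsi describes (a rule wrapped onto two physical lines by the editor) shows up in `apachectl configtest` as an "Invalid command" error. Below is an added example, not from the thread or from cPanel, that finds such lines in a ruleset before Apache is restarted: it joins backslash-continued lines the way httpd does and flags any logical line that does not start with a directive name, a `<Section>` tag or a comment. The sample configuration and its rule ids are constructed for the example.

```python
"""Added example (not from the thread): detect rule lines that an editor's
word wrap has split, which makes `apachectl configtest` fail with an
"Invalid command" error. The sample config below is constructed."""
import re

# Constructed sample: rule 1000001 is intact, rule 1000002 is legitimately
# continued with a trailing backslash, rule 1000003 was wrapped by an editor
# so its action list starts a new physical line with no continuation.
SAMPLE_CONF = '''\
# comment lines are fine
SecRuleEngine On
SecRule REQUEST_URI "/_vti_bin/" "deny,log,id:'1000001',msg:'FrontPage probe'"
SecRule ARGS "@validateUtf8Encoding" \\
    "deny,log,id:'1000002',msg:'multi-line rule is fine with a backslash'"
SecRule ARGS "@rx select.+from"
    "deny,log,id:'1000003',msg:'this one was wrapped by the editor'"
<IfModule mod_security2.c>
    SecRequestBodyAccess On
</IfModule>
'''

# httpd directive names are plain identifiers (SecRule, SecRuleEngine, ...)
DIRECTIVE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def logical_lines(text):
    """Join backslash-continued physical lines the way httpd does.
    Yields (first_physical_line_no, joined_text)."""
    buf, start = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, "".join(buf)


def find_wrapped_lines(text):
    """Return [(line_no, text)] for logical lines whose first token is not a
    directive name, a <Section> tag or a comment. A wrapped SecRule leaves
    its action list on such a line, which httpd rejects at configtest."""
    bad = []
    for no, line in logical_lines(text):
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("<"):
            continue
        first = s.split(None, 1)[0]
        if not DIRECTIVE.match(first):
            bad.append((no, s))
    return bad


if __name__ == "__main__":
    for no, text in find_wrapped_lines(SAMPLE_CONF):
        print("line %d does not start with a directive: %s" % (no, text))
```

Run it over the real file (`find_wrapped_lines(open("/usr/local/apache/conf/modsec2.user.conf").read())`) before restarting; a rule that spans lines on purpose needs the trailing backslash, which the check accepts.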
  16. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    I found a lot of warning in mod_security logs like this:

    Pattern match "/_vti_bin/" at REQUEST_LINE

    I wonder if we should disable it or not ?
     
  17. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Thank you for doing that. I have since switched back to Apache 1, but I'll give these rules a go when I upgrade.
     
  18. activa

    activa Well-Known Member

    Joined:
    May 23, 2006
    Messages:
    204
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Morocco
    cPanel Access Level:
    Root Administrator
    I have the same issue, and I have removed this line from the mod_security config and it works now perfectly:


    Code:
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"
    maybe this will help others ...
     
  19. lehels

    lehels Well-Known Member

    Joined:
    Jul 10, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    This is not really a solution to "UTF8 Encoding Abuse Attack Attempt" modsec2 rule, being marked: Typical Severity: High
    [http://capec.mitre.org/data/definitions/80.html]

    In our case the rule is triggered by a word containing the letters "ö, ü", as: K%F6sz%F6nj%FCk

    Any other suggestions other than deactivating that rule or deactivating mod_sec for that domain?
    Another question: how do we pass those letters?

    Thank you,
    Lehel
     
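To see why the rule activa posted (`@validateUtf8Encoding`, id 950801) fires on lehels' value, it helps to look at the bytes the operator actually inspects. The following is an added example, not code from the thread or from ModSecurity: it percent-decodes the value as ModSecurity does for ARGS, runs the same UTF-8 checks the operator's messages describe, and shows the encoding of the same word that passes. The helper names are my own; the inputs are constructed from the value in the post.

```python
"""Added example, not from the thread: reproduce what ModSecurity's
@validateUtf8Encoding operator (rule 950801 above) objects to in a value
like K%F6sz%F6nj%FCk, and show the encoding that passes. The helper names
are mine; they are not part of ModSecurity."""
from urllib.parse import quote, unquote_to_bytes


def decode_form_value(raw: str) -> bytes:
    """Percent-decode a query/form value to the raw bytes the rule inspects
    (ModSecurity URL-decodes ARGS before applying the operator). '+' is a
    space, as in application/x-www-form-urlencoded."""
    return unquote_to_bytes(raw.replace("+", " "))


def find_invalid_utf8(data: bytes):
    """Return None if data is valid UTF-8, else (offset, reason) for the
    first problem: a lead byte that cannot start a sequence, a truncated
    sequence, a bad continuation byte, or an overlong/surrogate/out-of-range
    encoding."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:  # plain ASCII
            i += 1
            continue
        if 0xC2 <= b <= 0xDF:
            need = 1
        elif 0xE0 <= b <= 0xEF:
            need = 2
        elif 0xF0 <= b <= 0xF4:
            need = 3
        else:
            # 0x80-0xBF (stray continuation), 0xC0/0xC1 (always overlong),
            # 0xF5-0xFF (beyond U+10FFFF): Latin-1 bytes 0xF6/0xFC land here.
            return (i, "invalid byte value in character: 0x%02X" % b)
        if i + need >= n:
            return (i, "incomplete multibyte sequence")
        for k in range(1, need + 1):
            if not 0x80 <= data[i + k] <= 0xBF:
                return (i + k, "invalid continuation byte 0x%02X" % data[i + k])
        second = data[i + 1]
        if (b == 0xE0 and second < 0xA0) or (b == 0xF0 and second < 0x90):
            return (i, "overlong encoding")
        if b == 0xED and second >= 0xA0:
            return (i, "UTF-16 surrogate encoded in UTF-8")
        if b == 0xF4 and second >= 0x90:
            return (i, "code point above U+10FFFF")
        i += need + 1
    return None


def classify(raw: str) -> dict:
    """Decode a percent-encoded value and report whether rule 950801's
    operator would accept it, plus the Latin-1 reading when it would not
    (what a browser sends when the form page is served as ISO-8859-1)."""
    data = decode_form_value(raw)
    problem = find_invalid_utf8(data)
    result = {"raw": raw, "hex": data.hex(" "), "valid_utf8": problem is None}
    if problem is None:
        result["text"] = data.decode("utf-8")
    else:
        result["offset"], result["reason"] = problem
        result["latin1_reading"] = data.decode("latin-1")
    return result


def utf8_form(text: str) -> str:
    """Percent-encode text as UTF-8: the form of the same word that passes."""
    return quote(text.encode("utf-8"))


if __name__ == "__main__":
    # Constructed inputs: the value from the post and its UTF-8 re-encoding.
    for value in ("K%F6sz%F6nj%FCk", utf8_form("K\u00f6sz\u00f6nj\u00fck")):
        print(classify(value))
```

`%F6` and `%FC` are the ISO-8859-1 bytes for ö and ü; a single byte above 0xF4 can never start a UTF-8 sequence, so the operator rejects the value at offset 1 regardless of what follows. The same word sent as `K%C3%B6sz%C3%B6nj%C3%BCk` passes, which is what browsers submit when the form page declares `charset=utf-8`. That is the third option besides deleting the rule or disabling mod_security for the domain; if the application must keep a Latin-1 form, the rule can be switched off for just that virtual host with `SecRuleRemoveById 950801` in the vhost's ModSecurity configuration rather than removed globally.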
  20. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Thanks, again, bazzi. I finally upgraded, and I'm using the rules you converted without a problem.
     