The Community Forums

Interact with an entire community of cPanel & WHM users!

Updated mod_sec rules

Discussion in 'Security' started by p0liX, Jul 9, 2008.

  1. p0liX

    p0liX Member

    Joined:
    Oct 10, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    We've updated the mod_security rules on 403security.org to the latest set of non-subscription based rules released by gotroot.com. I've tested the rules thoroughly and ensured that the ruleset is compatible with cPanel and its applications, and modified any rules that required tweaking.

    The new ruleset includes RBL rules, Whitelisting, Exclusion Rules, Malware blacklisting, Pre-defined Malware blacklist, Web Application protection, Bad Useragent Signature blocking, Anti-spam Signatures, Pre-defined Anti-spam blacklist, Enhanced Apache 2.x rules, Anti Rootkit Signatures, "Google Hacks" signatures, and Just In Time Patches.

    I've also created a script to make the installation of the rules much easier. Follow the steps below to download the install script and enable the rules.

    1. Run /scripts/easyapache and follow the on screen menu to enable the mod_security module within Apache 2.x. (This installs mod_security 2.5.5 which is required for this ruleset)
    2. As root, run "wget -O /root/install_modsec_rules http://403security.org/modsec/install_modsec_rules"
    3. As root, run "sh /root/install_modsec_rules" and follow the on screen instructions.

    The script was a quick, last minute thing, so let me know if you run into problems or would like to see enhancements with it. Also, let me know if you have a valid function and/or application that is being blocked by these rules and I will work to modify the ruleset to allow proper functionality, while keeping a secure set of rules in place.

    UPDATE:
    v1.3
    I've modified the installation script a bit to automatically check for a valid Apache configuration before requesting a restart.
    You can now hit enter to automatically set the default rule location
    The includes are configured within the default config file which shows within the Mod_security interface within WHM. This allows the capability to enable or disable a complete set of rules from within the WHM interface.
    Added better functionality when choosing the default data directory

    Please email any enhancement requests to todd@403security.org
     
    #1 p0liX, Jul 9, 2008
    Last edited: Jul 11, 2008
  2. kctt

    kctt Member

    Joined:
    Aug 26, 2005
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    I get a 406 Not Acceptable error on the home page of 403security.org.

    I have a question about mod_security.

    It's easy to block the c99 shell, as it uses URL parameters, but r57 uses POST.

    I tried to use ARGS and block "/home/", but it doesn't seem to work.

    Do you know how to block a web page when a string is matched in POST data?

    Thanks in advance.
     
  3. hydra

    hydra Well-Known Member

    Joined:
    Mar 26, 2008
    Messages:
    102
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Amsterdam, Netherlands
    Hi p0liX.

    i just followed your instructions.
    No problems so far. I will let you know if something goes wrong.

    Thank you.

    Ronald.
     
  4. richenou

    richenou Well-Known Member
    PartnerNOC

    Joined:
    Feb 17, 2004
    Messages:
    86
    Likes Received:
    0
    Trophy Points:
    6
    hi
    I tested it but it failed:

    15:40:32 (63.0 KB/s) - `/tmp/modsec2.conf.gz' saved [430/430]

    Unpacking configuration file
    Backing up current configuration
    Testing configuration to be sure there are no errors

    Apache Configuration FAILED!


    Restoring backup configuration file
    Moved failed configuration to /usr/local/apache/conf/modsec2.conf.bad
    Check the error above and resolve any conflicts before attempting the installation again
    Cleaning up
    Installation complete
    root@max9 [~]# cat /usr/local/apache/conf/modsec2.conf.bad
    LoadFile /opt/xml2/lib/libxml2.so
    LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module modules/mod_security2.so

    <IfModule mod_security2.c>
    SecRuleEngine On
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
    # "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On
    # SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:406"
    # dots escaped so this matches only the literal address 127.0.0.1
    SecRule REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
    #Include "/usr/local/apache/conf/modsec2.user.conf"
    Include /usr/local/apache/conf/modsec_rules/*.conf
    </IfModule>


    Server version: Apache/2.0.63
    Server built: Jul 10 2008 14:50:53
    Cpanel::Easy::Apache v3.2.0 rev4341


    help?
     
  5. p0liX

    p0liX Member

    Joined:
    Oct 10, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Hmm, looks like the config tests failed, but it didn't give the error as it is supposed to.

    Can you email the entire output from the installation to todd@403security.org?
     
  6. p0liX

    p0liX Member

    Joined:
    Oct 10, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    This should be resolved, please attempt the installation again.
     
  7. LBJ

    LBJ Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    First off, thanks very much p0liX. I haven't tested the rules themselves yet, but it's excellent that you've made your work available.

    I'm guessing you accepted the default location by entering a blank. That would take you to...

    Code:
    else
        echo "Nothing was entered, Using default directory /usr/local/apache/conf/modsec_rules"
        RULEDIR="/usr/local/apache/conf/modsec_rules"
        if [ -d $RULEDIR ]; then
            echo "Directory already exists.  Backing up current directory"
            mv $RULEDIR $RULEDIR.`date +%m%d%Y-%H%M`
            mkdir $RULEDIR
            if [ -d $RULEDIR ]; then
                echo "Directory created successfully"
            else
                echo "Directory creation failed."
                echo "Installation aborted"
                exit 0
            fi
        fi
    fi
    
    That logic is used when you accept the default destination path by entering a blank. It doesn't handle the situation where the folder doesn't already exist. It only creates the folder after an existing folder has been moved. The creation logic is incorrectly contained in the same if ... fi block. I think p0liX wanted something more like...

    Code:
    else
        echo "Nothing was entered, Using default directory /usr/local/apache/conf/modsec_rules"
        RULEDIR="/usr/local/apache/conf/modsec_rules"
        # Move an existing directory aside, then create a fresh one either way
        if [ -d "$RULEDIR" ]; then
            echo "Directory already exists.  Backing up current directory"
            mv "$RULEDIR" "$RULEDIR.`date +%m%d%Y-%H%M`"
        fi
        mkdir "$RULEDIR"
        if [ -d "$RULEDIR" ]; then
            echo "Directory created successfully"
        else
            echo "Directory creation failed."
            echo "Installation aborted"
            # non-zero exit so a wrapper can tell the abort from a success
            exit 1
        fi
    fi
    
    That should correct it.

    Regards,

    LBJ
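The two technical questions in this thread, how to match a string in POST data (post #2) and how the installer should back up, test the Apache configuration and roll back before restarting (post #1's v1.3 update, the failure in post #4 and the fix above), can be shown in one script. This is an added example, not the 403security.org installer and not a gotroot rule file. The rule id 9000001, the file name 99_local_post_body.conf, the function names and the overridable CONFIGTEST and RESTART commands are assumptions made here so the logic can be exercised on a machine without Apache.

```shell
#!/bin/sh
# Added example for this thread; not the 403security.org installer and not a
# gotroot rule file. It writes a ModSecurity 2.x rule that matches a string in
# POST data, then installs the rule file the safe way: back up, test the Apache
# configuration, restart only on success, otherwise keep the failed file as
# .bad and restore the previous version.
# Assumptions (not from the thread): rule id 9000001, the default file name,
# the function names, and that CONFIGTEST/RESTART may be overridden.

RULEDIR="${RULEDIR:-/usr/local/apache/conf/modsec_rules}"
# Must exit 0 for the configuration to count as valid ("httpd -t" also works).
CONFIGTEST="${CONFIGTEST:-/usr/local/apache/bin/apachectl configtest}"
# cPanel's Apache restart wrapper; any restart command will do.
RESTART="${RESTART:-/scripts/restartsrv_httpd}"

# Why "SecRule ARGS ..." alone misses r57-style POSTs: ARGS only includes POST
# parameters when SecRequestBodyAccess is On, and the rule must run in phase 2,
# after the body has been read. REQUEST_BODY covers bodies that are not
# form-encoded at all.
write_post_body_rule() {
    # $1 = destination file
    cat > "$1" <<'EOF'
# Deny any request whose query string, form fields or raw body contain /home/
SecRequestBodyAccess On
SecRule ARGS|ARGS_NAMES|REQUEST_BODY "/home/" \
    "phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,status:406,id:9000001,msg:'Unix home path in request'"
EOF
}

# Install the rule file into RULEDIR; return 0 only if Apache accepts it.
install_rule_file() {
    # $1 = rule file name
    dest="$RULEDIR/$1"
    mkdir -p "$RULEDIR" || return 1
    # Keep a timestamped copy of anything about to be overwritten.
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak.$(date +%m%d%Y-%H%M%S)" || return 1
    fi
    write_post_body_rule "$dest" || return 1
    if $CONFIGTEST >/dev/null 2>&1; then
        echo "Apache configuration OK, restarting"
        $RESTART
        return 0
    fi
    echo "Apache configuration FAILED, rolling back $dest" >&2
    mv "$dest" "$dest.bad"
    # Restore the most recent backup if there was a previous version.
    last=$(ls -t "$dest".bak.* 2>/dev/null | head -n 1)
    if [ -n "$last" ]; then
        cp -p "$last" "$dest"
    fi
    return 1
}

# Usage: sh modsec_post_rule.sh install [rule-file-name]
case "${1:-}" in
    install) install_rule_file "${2:-99_local_post_body.conf}" ;;
esac
```

On a live cPanel box the defaults point at the thread's rule directory and at apachectl, so `sh modsec_post_rule.sh install` either restarts Apache with the new rule active or leaves a `.bad` file to inspect, the same outcome post #4 shows. To dry-run the rollback logic anywhere, set `RULEDIR` to a scratch directory and `CONFIGTEST=false`.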
     
  8. p0liX

    p0liX Member

    Joined:
    Oct 10, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the suggestion. I've uploaded v1.3 of the install script which handles the default directory better as well as a couple other small improvements.
     
  9. LBJ

    LBJ Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    That's looking very nice now and the rules are working well without causing issues for cPanel or any addons.

    Thanks very much for making your project available for us.

    Regards,

    LBJ
     
  10. p0liX

    p0liX Member

    Joined:
    Oct 10, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the feedback. If anyone does find a problem with a feature not working or an application hitting a rule, please let me know and send log information so I can tweak the ruleset a bit more. I won't be able to test every scenario out there so any feedback would be appreciated. :)
     
  11. websnail.net

    websnail.net Active Member

    Joined:
    Mar 24, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Indeed... Thanks multiplied here too... Very useful indeed...

    Have you considered some form of automation for downloading the latest available rules and even one for those with a subscription?

    Might be worth a play :)
     
  12. cele303

    cele303 Member

    Joined:
    Jun 9, 2007
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Thanks p0liX , works great
     
  13. 3guys

    3guys Member

    Joined:
    Nov 24, 2004
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    The site has been down all day, anyone have the rules you can send me?

    Mike
    qdo69 AT gmail.com
     
  14. Mat-d-rat

    Mat-d-rat Well-Known Member

    Joined:
    Jul 30, 2003
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Still down, I wanted to update my rules as well...
     
  15. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    Why has 403security.org not been working for the last few days?

    I found this name recently on another forum, and I don't know where to find the ruleset so I can safely move to Apache 2.x.

    Most of the attacks I am getting recently on Apache 1.3.x are something like

    What kind of exploit is this? Although my gotroot ruleset is blocking it, I get 50+ such attempts every few hours.
     
  16. p0liX

    p0liX Member

    Joined:
    Oct 10, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    I'm working to bring 403security.org back online after a few issues with the server. I'll update everyone once it's back online for updates.

    I apologize for the inconvenience.
     
  17. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    thanks for the update, I've heard a lot about your efforts recently.

    I'd be happy if you have any paid migration plans, though (Apache 1.3.x to Apache 2.x with mod_sec).
     
  18. p0liX

    p0liX Member

    Joined:
    Oct 10, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Mohit, email me at tshipway@gmail.com with any info you have regarding your migration and I'll be glad to help out.
     
    #18 p0liX, Aug 20, 2008
    Last edited: Aug 20, 2008
  19. p0liX

    p0liX Member

    Joined:
    Oct 10, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Everything will be back online and functional tomorrow morning. Thanks for the help and patience while I resolve the server issues.
     
  20. p0liX

    p0liX Member

    Joined:
    Oct 10, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Everything is back online and you can continue using the installer as previously stated.

    Please let me know if there are any problems or suggestions for the script. Feel free to contact me if you have any other items that may be useful in an automated script form and I'll see what I can do to whip up a few scripts to make life much easier.
     