What ModSecurity rules are in place with the new WHM module?

[Kent Brockman]

Hi! I've just upgraded and see an interesting new backend UI, showing some default settings and a Hit List. Nice. Really.
But I want more control: what rules are in place by default? Where can I find them? If I used the ConfigServer ModSecurity plugin and my host included some Atomicorp rules, are all both still available and in use? Can anybody confirm this? Does this new UI include internal functions replacing/overwriting/invalidating those abovementioned methods?

I'm wondering all this because 1) the UI allows to edit "Custom Rules" but doesn't mention if default basic rules are in place and 2) even your Documentation pages doesnt explain anything further that what one could easily infer by scanning the UI ... If my currently previously loaded rules are being used, the new UI should allow to edit them. While that's not a possibility, I'll stick to ConfigServer Mod Security plugin since it gives me FULL control on EVERY config for ModSecurity.

You may want to review and improve the current completeness of these pages:

• https://documentation.cpanel.net/di...ckendcompression-SecDisableBackendCompression
• https://documentation.cpanel.net/display/ALD/ModSecurity+Tools

It's just constructive criticism, but all the clarification you could bring to light will be acknowledged

 

[Kent Brockman]

BTW, I found the editor, a bit hidden for my taste, at... "scripts2/show_mod_security//editCustomRules" where you can see some settings, but not every one of them. Because there are files not present in the list, and that's worrying me:

This is what's shown in the new Custom Rules screen:

SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecResponseBodyLimitAction ProcessPartial
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf

But these are the files I really have in place, visible thru the ConfigServer ModSec UI:

modsec2.conf
modsec2.cpanel.conf
modsec2.exploit.conf
modsec2.user.conf
modsec2.whitelist.conf
modsec_rules/00_asl_z_antievasion.conf
modsec_rules/00_asl_zz_strict.conf
modsec_rules/01_asl_content.conf
modsec_rules/01_asl_rules_special.conf
modsec_rules/03_asl_dos.conf
modsec_rules/09_asl_rules.conf
modsec_rules/10_asl_antimalware.conf
modsec_rules/10_asl_rules.conf
modsec_rules/11_asl_adv_rules.conf
modsec_rules/11_asl_data_loss.conf
modsec_rules/12_asl_brute.conf
modsec_rules/15_asl_paranoid_rules.conf
modsec_rules/20_asl_useragents.conf
modsec_rules/30_asl_antispam.conf
modsec_rules/31_asl_urispam.conf
modsec_rules/50_asl_rootkits.conf
modsec_rules/51_asl_rootkits.conf
modsec_rules/60_asl_recons.conf
modsec_rules/61_asl_recons_dlp.conf
modsec_rules/99_asl_jitp.conf
modsec_rules/domain-blacklist-local.txt
modsec_rules/domain-blacklist.txt
modsec_rules/domain-spam-whitelist.conf
modsec_rules/malware-blacklist.txt
modsec_rules/malware_names.txt
modsec_rules/spam.data
modsec_rules/sql.txt

So, what may be going wrong here? Is the new UI not seeing the full picture? or is it scanning just one location?

 

[quizknows]

You don't always include all rules files available. Basically you have (for example) modsec_rules/61_asl_recons_dlp.conf available, but it's not called as in includes in your main conf file. The rules in your first code section are the ones actually in use.

For the record, at this time, cPanel does not provide rules so these may have come from your hosting provider if you did not install them. As of 11.48 cPanel may be offering rule sets to be enabled to make things easier.

 

[Infopro]

Honestly kent, a quick search of the forums, for posts in the last year, for the term: ModSecurity would have been more useful than your silly image you attached to your post, now removed.

This thread should be of some use to you:
New ModSecurity - cPanel Forums

The new ModSecurity interface rolled out a while back in upper tiers and questions about it have been asked multiple times and all of them to date, have been answered by Staff, his name is Brian. Please review that thread, and if you need more, try the search tool, top of the forums.

I hope that shines some light on your query.

 

[Infopro]

Also quizknows is right, cPanel is rolling out new rules that you'll make use of, or not, manually in the near future.

cPanel just did an hour long Webinar on this, yesterday, that you must have missed. No worries though, a video of that Webinar, not specifically concerning ModSecurity so much as all the new things in 11.46 that will be available as soon as today, I believe.

I just looked for it and cannot locate it. But it should be available soon, it was recorded, AFAIK.

HTH!

 

[Kent Brockman]

@quizknows: so,... you will be keeping this feature inactive until 11.48?

@InfoPro: sorry for the silly image, but it just brought your attention to the thread and some good links and answers were received in exchange And I deeply thank you for that. I'll follow up the thread you mentioned. And regarding the Release version and the webinars, I bet I'm in the category of the zillions of cPanel licensees who just cannot 1) have an available box to test Release/Edge versions to submit feedback and 2) nor even enough available time to accomodate for a webinar. Hopefully it's recorded and I can watch to it later this weekend.

I have a whole bunch of questions regarding this feature and will ask them in the abovementioned thread.

Thanks both of you for the comments.
Best regards

 

[Infopro]

The image didn't bring me to this thread, I read as many threads each day here as I can. This was one of them.

Please read thru all the current threads concerning ModSecurity as many questions have already been asked and answered. Don't just simply pop over to that thread and lay out some new quest... oh, you already did.

The video is now live. Please review it at your earliest convenience:

https://www.youtube.com/watch?v=5fO3mjCLd5Q

 

[Kent Brockman]

The video is now live. Please review it at your earliest convenience:
https://www.youtube.com/watch?v=5fO3mjCLd5Q

Man, I never said it: thank you for the video link (and the patience ).