The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

What ModSecurity rules are in place with the new WHM module?

Discussion in 'Security' started by Kent Brockman, Dec 4, 2014.

  1. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,146
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hi! I've just upgraded and see an interesting new backend UI, showing some default settings and a Hit List. Nice. Really.
    But I want more control: what rules are in place by default? Where can I find them? If I used the ConfigServer ModSecurity plugin and my host included some Atomicorp rules, are all both still available and in use? Can anybody confirm this? Does this new UI include internal functions replacing/overwriting/invalidating those abovementioned methods?

    I'm wondering all this because 1) the UI allows to edit "Custom Rules" but doesn't mention if default basic rules are in place and 2) even your Documentation pages doesnt explain anything further that what one could easily infer by scanning the UI :) ... If my currently previously loaded rules are being used, the new UI should allow to edit them. While that's not a possibility, I'll stick to ConfigServer Mod Security plugin since it gives me FULL control on EVERY config for ModSecurity.

    You may want to review and improve the current completeness of these pages:

    It's just constructive criticism, but all the clarification you could bring to light will be acknowledged :)
     
    #1 Kent Brockman, Dec 4, 2014
  2. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,146
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Twitter:
    BTW, I found the editor, a bit hidden for my taste, at... "scripts2/show_mod_security//editCustomRules" where you can see some settings, but not every one of them. Because there are files not present in the list, and that's worrying me:

    This is what's shown in the new Custom Rules screen:

    Code:
    SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecResponseBodyLimitAction ProcessPartial
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf
    But these are the files I really have in place, visible thru the ConfigServer ModSec UI:

    Code:
    modsec2.conf
modsec2.cpanel.conf
modsec2.exploit.conf
modsec2.user.conf
modsec2.whitelist.conf
modsec_rules/00_asl_z_antievasion.conf
modsec_rules/00_asl_zz_strict.conf
modsec_rules/01_asl_content.conf
modsec_rules/01_asl_rules_special.conf
modsec_rules/03_asl_dos.conf
modsec_rules/09_asl_rules.conf
modsec_rules/10_asl_antimalware.conf
modsec_rules/10_asl_rules.conf
modsec_rules/11_asl_adv_rules.conf
modsec_rules/11_asl_data_loss.conf
modsec_rules/12_asl_brute.conf
modsec_rules/15_asl_paranoid_rules.conf
modsec_rules/20_asl_useragents.conf
modsec_rules/30_asl_antispam.conf
modsec_rules/31_asl_urispam.conf
modsec_rules/50_asl_rootkits.conf
modsec_rules/51_asl_rootkits.conf
modsec_rules/60_asl_recons.conf
modsec_rules/61_asl_recons_dlp.conf
modsec_rules/99_asl_jitp.conf
modsec_rules/domain-blacklist-local.txt
modsec_rules/domain-blacklist.txt
modsec_rules/domain-spam-whitelist.conf
modsec_rules/malware-blacklist.txt
modsec_rules/malware_names.txt
modsec_rules/spam.data
modsec_rules/sql.txt
    So, what may be going wrong here? Is the new UI not seeing the full picture? or is it scanning just one location?
     
    #2 Kent Brockman, Dec 4, 2014
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    982
    Likes Received:
    75
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    You don't always include all rules files available. Basically you have (for example) modsec_rules/61_asl_recons_dlp.conf available, but it's not called as in includes in your main conf file. The rules in your first code section are the ones actually in use.

    For the record, at this time, cPanel does not provide rules so these may have come from your hosting provider if you did not install them. As of 11.48 cPanel may be offering rule sets to be enabled to make things easier.
     
    #3 quizknows, Dec 4, 2014
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,617
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Honestly kent, a quick search of the forums, for posts in the last year, for the term: ModSecurity would have been more useful than your silly image you attached to your post, now removed.

    This thread should be of some use to you:
    New ModSecurity - cPanel Forums

    The new ModSecurity interface rolled out a while back in upper tiers and questions about it have been asked multiple times and all of them to date, have been answered by Staff, his name is Brian. Please review that thread, and if you need more, try the search tool, top of the forums.

    I hope that shines some light on your query.
     
    #4 Infopro, Dec 4, 2014
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,617
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Also quizknows is right, cPanel is rolling out new rules that you'll make use of, or not, manually in the near future.

    cPanel just did an hour long Webinar on this, yesterday, that you must have missed. No worries though, a video of that Webinar, not specifically concerning ModSecurity so much as all the new things in 11.46 that will be available as soon as today, I believe.

    I just looked for it and cannot locate it. But it should be available soon, it was recorded, AFAIK.

    HTH!
     
    #5 Infopro, Dec 4, 2014
  6. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,146
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Twitter:
    @quizknows: so,... you will be keeping this feature inactive until 11.48?

    @InfoPro: sorry for the silly image, but it just brought your attention to the thread and some good links and answers were received in exchange :) And I deeply thank you for that. I'll follow up the thread you mentioned. And regarding the Release version and the webinars, I bet I'm in the category of the zillions of cPanel licensees who just cannot 1) have an available box to test Release/Edge versions to submit feedback and 2) nor even enough available time to accomodate for a webinar. Hopefully it's recorded and I can watch to it later this weekend.

    I have a whole bunch of questions regarding this feature and will ask them in the abovementioned thread.

    Thanks both of you for the comments.
    Best regards
     
    #6 Kent Brockman, Dec 4, 2014
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,617
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    The image didn't bring me to this thread, I read as many threads each day here as I can. This was one of them. ;)

    Please read thru all the current threads concerning ModSecurity as many questions have already been asked and answered. Don't just simply pop over to that thread and lay out some new quest... oh, you already did. :rolleyes:

    The video is now live. Please review it at your earliest convenience:

    https://www.youtube.com/watch?v=5fO3mjCLd5Q
     
    #7 Infopro, Dec 4, 2014
    Kent Brockman likes this.
  8. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,146
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Twitter:
    #8 Kent Brockman, Jan 7, 2015
(You must log in or sign up to post here.)
Loading...
Similar Threads - ModSecurity rules place
  1. zoner

    SecRemoteRules - ModSecurity Vendor

    zoner, Jul 19, 2017, in forum: Security
    Replies:
    4
    Views:
    130
    quizknows
    Jul 25, 2017
  2. rinkleton

    ModSecurity - Edit Custom Rules

    rinkleton, May 2, 2017, in forum: Security
    Replies:
    11
    Views:
    456
    rarod
    May 5, 2017
  3. oSM

    OWASP ModSecurity v3 - Best Rulesets to use?

    oSM, Dec 26, 2016, in forum: Security
    Replies:
    2
    Views:
    705
    jfall123
    Dec 27, 2016
  4. postcd

    Several ModSecurity rules, what do You think about these?

    postcd, Apr 12, 2016, in forum: Security
    Replies:
    3
    Views:
    741
    quizknows
    Aug 24, 2016
  5. jazee

    ModSecurity Rules Backup

    jazee, Mar 1, 2016, in forum: Data Protection
    Replies:
    1
    Views:
    439
    Infopro
    Mar 1, 2016

Share This Page