What ModSecurity rules are in place with the new WHM module?

Discussion in 'Security' started by Kent Brockman, Dec 4, 2014.

  1. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Hi! I've just upgraded and see an interesting new backend UI, showing some default settings and a Hit List. Nice. Really.
    But I want more control: what rules are in place by default? Where can I find them? If I used the ConfigServer ModSecurity plugin and my host included some Atomicorp rules, are both still available and in use? Can anybody confirm this? Does this new UI include internal functions replacing/overwriting/invalidating those abovementioned methods?

    I'm wondering all this because 1) the UI allows editing "Custom Rules" but doesn't mention if default basic rules are in place and 2) even your Documentation pages don't explain anything further than what one could easily infer by scanning the UI :) ... If my previously loaded rules are currently being used, the new UI should allow editing them. While that's not a possibility, I'll stick to the ConfigServer Mod Security plugin since it gives me FULL control over EVERY config for ModSecurity.

    You may want to review and improve the current completeness of these pages:

    It's just constructive criticism, but all the clarification you could bring to light will be acknowledged :)
     
  2. Kent Brockman

    Kent Brockman Well-Known Member

    BTW, I found the editor, a bit hidden for my taste, at... "scripts2/show_mod_security//editCustomRules" where you can see some settings, but not every one of them. Because there are files not present in the list, and that's worrying me:

    This is what's shown in the new Custom Rules screen:

    Code:
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 2621440
    SecServerSignature Apache
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyInMemoryLimit 131072
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecResponseBodyLimitAction ProcessPartial
    Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
    Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
    Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
    Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
    Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
    Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
    Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
    Include /usr/local/apache/conf/modsec2.whitelist.conf
    
    But these are the files I really have in place, visible thru the ConfigServer ModSec UI:

    Code:
    modsec2.conf
    modsec2.cpanel.conf
    modsec2.exploit.conf
    modsec2.user.conf
    modsec2.whitelist.conf
    modsec_rules/00_asl_z_antievasion.conf
    modsec_rules/00_asl_zz_strict.conf
    modsec_rules/01_asl_content.conf
    modsec_rules/01_asl_rules_special.conf
    modsec_rules/03_asl_dos.conf
    modsec_rules/09_asl_rules.conf
    modsec_rules/10_asl_antimalware.conf
    modsec_rules/10_asl_rules.conf
    modsec_rules/11_asl_adv_rules.conf
    modsec_rules/11_asl_data_loss.conf
    modsec_rules/12_asl_brute.conf
    modsec_rules/15_asl_paranoid_rules.conf
    modsec_rules/20_asl_useragents.conf
    modsec_rules/30_asl_antispam.conf
    modsec_rules/31_asl_urispam.conf
    modsec_rules/50_asl_rootkits.conf
    modsec_rules/51_asl_rootkits.conf
    modsec_rules/60_asl_recons.conf
    modsec_rules/61_asl_recons_dlp.conf
    modsec_rules/99_asl_jitp.conf
    modsec_rules/domain-blacklist-local.txt
    modsec_rules/domain-blacklist.txt
    modsec_rules/domain-spam-whitelist.conf
    modsec_rules/malware-blacklist.txt
    modsec_rules/malware_names.txt
    modsec_rules/spam.data
    modsec_rules/sql.txt
    
    So, what may be going wrong here? Is the new UI not seeing the full picture? Or is it scanning just one location?
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    941
    Likes Received:
    56
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    You don't always include all rules files available. Basically you have (for example) modsec_rules/61_asl_recons_dlp.conf available, but it's not called in the includes in your main conf file. The rules in your first code section are the ones actually in use.

    For the record, at this time, cPanel does not provide rules so these may have come from your hosting provider if you did not install them. As of 11.48 cPanel may be offering rule sets to be enabled to make things easier.
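
The check quizknows describes, as an added example that is not part of the original thread: it extracts the Include directives from the active configuration text and compares them with the rule files on disk, using the two listings Kent Brockman posted above. The function names, the ServerRoot default and the assumption that the ConfigServer listing is relative to /usr/local/apache/conf are illustrative assumptions, not cPanel or ConfigServer behaviour.

```python
import fnmatch
import posixpath
import re

# Include / IncludeOptional at the start of a line; commented-out lines do not match.
INCLUDE_RE = re.compile(r'^[ \t]*Include(?:Optional)?[ \t]+"?([^"\s]+)"?', re.I | re.M)

def included_patterns(conf_text, server_root):
    """Absolute path patterns named by the Include directives in conf_text."""
    found = []
    for raw in INCLUDE_RE.findall(conf_text):
        # Apache resolves a relative Include path against ServerRoot.
        path = raw if posixpath.isabs(raw) else posixpath.join(server_root, raw)
        found.append(posixpath.normpath(path))
    return found

def audit(conf_text, on_disk, server_root="/usr/local/apache"):  # ServerRoot default is assumed
    """Return (loaded, not_loaded, dangling) for the files in on_disk."""
    patterns = included_patterns(conf_text, server_root)
    # fnmatch covers wildcard Includes; note that its "*" also matches "/".
    loaded = sorted(f for f in on_disk if any(fnmatch.fnmatchcase(f, p) for p in patterns))
    not_loaded = sorted(set(on_disk) - set(loaded))
    dangling = [p for p in patterns if not any(fnmatch.fnmatchcase(f, p) for f in on_disk)]
    return loaded, not_loaded, dangling

# Sample input copied from the two listings in the thread (Sec* settings shortened to one line).
# The other top-level modsec2*.conf files are left out: the thread does not show what loads them.
CONF_DIR = "/usr/local/apache/conf"  # assumed base of the ConfigServer file listing
CUSTOM_RULES = """\
SecRequestBodyAccess On
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf
"""
STEMS = """00_asl_z_antievasion 00_asl_zz_strict 01_asl_content 01_asl_rules_special
03_asl_dos 09_asl_rules 10_asl_antimalware 10_asl_rules 11_asl_adv_rules 11_asl_data_loss
12_asl_brute 15_asl_paranoid_rules 20_asl_useragents 30_asl_antispam 31_asl_urispam
50_asl_rootkits 51_asl_rootkits 60_asl_recons 61_asl_recons_dlp 99_asl_jitp
domain-spam-whitelist""".split()
ON_DISK = [f"{CONF_DIR}/modsec_rules/{s}.conf" for s in STEMS] + [f"{CONF_DIR}/modsec2.whitelist.conf"]

if __name__ == "__main__":
    loaded, not_loaded, dangling = audit(CUSTOM_RULES, ON_DISK)
    print(f"{len(loaded)} loaded, {len(not_loaded)} on disk but never included, {len(dangling)} dangling")
```

On a live server the same comparison would take the real configuration text and a directory listing as input; a non-empty dangling list means an Include names a file that is not on disk.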
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,468
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Honestly Kent, a quick search of the forums, for posts in the last year, for the term: ModSecurity would have been more useful than your silly image you attached to your post, now removed.

    This thread should be of some use to you:
    New ModSecurity - cPanel Forums

    The new ModSecurity interface rolled out a while back in upper tiers, and questions about it have been asked multiple times; all of them, to date, have been answered by Staff, his name is Brian. Please review that thread, and if you need more, try the search tool, top of the forums.

    I hope that shines some light on your query.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Also quizknows is right, cPanel is rolling out new rules that you'll make use of, or not, manually in the near future.

    cPanel just did an hour long Webinar on this, yesterday, that you must have missed. No worries though, a video of that Webinar, not specifically concerning ModSecurity so much as all the new things in 11.46 that will be available as soon as today, I believe.

    I just looked for it and cannot locate it. But it should be available soon, it was recorded, AFAIK.

    HTH!
     
  6. Kent Brockman

    Kent Brockman Well-Known Member

    @quizknows: so,... you will be keeping this feature inactive until 11.48?

    @InfoPro: sorry for the silly image, but it just brought your attention to the thread and some good links and answers were received in exchange :) And I deeply thank you for that. I'll follow up the thread you mentioned. And regarding the Release version and the webinars, I bet I'm in the category of the zillions of cPanel licensees who just cannot 1) have an available box to test Release/Edge versions to submit feedback and 2) nor even enough available time to accommodate a webinar. Hopefully it's recorded and I can watch it later this weekend.

    I have a whole bunch of questions regarding this feature and will ask them in the abovementioned thread.

    Thanks both of you for the comments.
    Best regards
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    The image didn't bring me to this thread, I read as many threads each day here as I can. This was one of them. ;)

    Please read thru all the current threads concerning ModSecurity as many questions have already been asked and answered. Don't just simply pop over to that thread and lay out some new quest... oh, you already did. :rolleyes:

    The video is now live. Please review it at your earliest convenience:

    https://www.youtube.com/watch?v=5fO3mjCLd5Q
     