Modsecurity and cpanel questions
Hey there!

1) Currently, I can visit domain.com/.env and that will be logged in modsecurity as critical:

2) Is there an advantage (i.e. saving resources) to IP banning offending IPs for 24 or 48 hours as opposed to serving them a 403? We've read reports stating that at least half of traffic is from bots. Can we further maximize our server resources by blocking them as opposed to just denying them?

Probably. I don't really have any data on this, but it would make sense that blocking the IP would be less resource intensive than serving a page.

3) A few times, we've seen users banned through CSF and had to whitelist their IP in CSF. What actions can lead to an IP ban? Is this done through modsecurity / CSF? I don't see mod_evasive installed. We've definitely seen some of our users get IP banned, but I'm not sure exactly why.

cPanel doesn't make CSF, but the most likely answer is

5) How is the SecAuditLogParts directive being set in cpanel? I noticed the modsec_audit log has different settings than I've seen before when installing modsecurity without cpanel. I'm trying to stick to the available cpanel options but am comfortable modifying config files if necessary.

The actual modsec configuration is located in /etc/apache2/conf.d/modsec.conf. I *think* this is the relevant section you're looking for:

SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRequestBodyLimitAction ProcessPartial

# Switch to concurrent logging when Apache is running under a multi-uid
# environment. This ensures that each user can successfully log to
# their own log file.
SecAuditLogStorageDir logs/modsec_audit
SecAuditLogType Concurrent

# user.conf must come before cpanel.conf to allow administrators
# to selectively disable vendor rules
Include /etc/apache2/conf.d/modsec/modsec2.user.conf
Include /etc/apache2/conf.d/modsec/modsec2.cpanel.conf
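To make the audit-log layout behind that configuration concrete, here is an added Python example (not from this thread and not cPanel's own tooling) that splits one ModSecurity audit-log entry into its lettered parts, pulls out the client IP, request line and matched rule severity, and then counts CRITICAL hits per client IP, which is the data point behind question 2. The entry is a constructed sample; the rule id, message and addresses are illustrative, and the assumption is the native audit-log format that both serial and Concurrent logging write.

```python
import re

# Constructed sample of one ModSecurity audit-log entry (native format).
# With SecAuditLogType Concurrent, as in cPanel's modsec.conf, each entry is
# its own file under SecAuditLogStorageDir, but the lettered parts look like this.
SAMPLE_ENTRY = """\
--0a1b2c3d-A--
[15/Mar/2024:10:00:00 +0000] Zfsample0000000000000000 203.0.113.5 54321 198.51.100.10 443
--0a1b2c3d-B--
GET /.env HTTP/1.1
Host: example.com
User-Agent: constructed-scanner/1.0

--0a1b2c3d-H--
Message: Access denied with code 403 (phase 2). Matched phrase ".env" at REQUEST_FILENAME. [file "/example/rules.conf"] [line "1"] [id "930130"] [msg "Restricted File Access Attempt"] [severity "CRITICAL"]

--0a1b2c3d-Z--
"""

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A_RE = re.compile(r"^\[[^\]]+\]\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)")
TAG_RE = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')

def split_parts(entry):
    """Map each lettered part (A, B, H, ...) of one audit entry to its body text."""
    markers = list(PART_RE.finditer(entry))
    parts = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts

def summarize(entry):
    """Client IP (part A), request line (part B) and matched rules (part H)."""
    parts = split_parts(entry)
    a = PART_A_RE.match(parts.get("A", ""))
    request = (parts.get("B", "").splitlines() or [""])[0]
    rules = [dict(TAG_RE.findall(line)) for line in parts.get("H", "").splitlines()
             if line.startswith("Message:")]
    return {"client_ip": a.group(2) if a else "", "request": request, "rules": rules}

def critical_hits_by_ip(entries):
    """Count CRITICAL rule matches per client IP: the input to a block-list decision."""
    counts = {}
    for entry in entries:
        s = summarize(entry)
        hits = sum(1 for r in s["rules"] if r.get("severity") == "CRITICAL")
        if hits:
            counts[s["client_ip"]] = counts.get(s["client_ip"], 0) + hits
    return counts
```

For Concurrent logging, feed each file found under logs/modsec_audit to summarize(); the main modsec_audit.log then only holds the index lines.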