
ConfigServer ModSecurity Control - log file is empty, does it work?

Comments

6 comments

  • vanessa
    The log will only generate entries when a rule is hit. So you'd need to trigger one of the modsec rules.
  • 24x7server
    Hello. Also, you can check the mod_sec rules on your server through the command line using the following command: grep mod_security /usr/local/apache/conf/httpd.conf
  • cPanelMichael
    Also, note that if you install mod_ruid2 and mod_security, the mod_security log location is: /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id]
    Thank you.
  • quizknows
    Quoting 24x7server: Hello. Also, you can check the mod_sec rules on your server through the command line using the following command: grep mod_security /usr/local/apache/conf/httpd.conf

    This will only return IfModule lines, which theoretically could be present without the module (unlikely as that is). The best way to make sure ModSecurity is compiled is: httpd -M | grep security
    This will return "security2_module (shared)" if ModSecurity was compiled properly. Then check to make sure that /usr/local/apache/conf/httpd.conf includes /usr/local/apache/conf/modsec2.conf, and make sure that /usr/local/apache/conf/modsec2.user.conf has rules in it. By default, modsec2.user.conf is blank and you have to install your own rule set, be it from Trustwave, ASL, or the CRS rules.
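The three checks quizknows lists (module loaded, modsec2.conf included, rules actually present in modsec2.user.conf) as shell functions. This is an added example, not code from the thread, from cPanel or from ConfigServer: the paths in the comments are the cPanel/EasyApache 3 layout named above, the expected `httpd -M` output is the "security2_module (shared)" line quizknows quotes, and every file the functions are run on below is constructed in a temp directory so the script works offline. The rule lines in the constructed rules.conf only imitate the CRS layout; they are not the real CRS file.

```shell
#!/bin/sh
# Added example, not from the thread: quizknows's three checks as functions.
# Real paths would be /usr/local/apache/conf/httpd.conf and
# /usr/local/apache/conf/modsec2.user.conf; the files used here are constructed.

# 1. Is ModSecurity compiled in?  Pass the output of `httpd -M`.
modsec_loaded() {
    printf '%s\n' "$1" | grep -q 'security2_module'
}

# 2. Does httpd.conf include modsec2.conf on a line that is not commented out?
includes_modsec_conf() {
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*modsec2\.conf' "$1"
}

# 3. How many SecRule/SecAction directives does the user conf carry, counting
#    the files it Includes (one level, which covers the whitelist-only case)?
count_rules() {
    n=$(grep -Ec '^[[:space:]]*Sec(Rule|Action)[[:space:]]' "$1" || true)
    for inc in $(grep -E '^[[:space:]]*Include[[:space:]]' "$1" | awk '{gsub(/"/, "", $2); print $2}'); do
        [ -r "$inc" ] || continue
        m=$(grep -Ec '^[[:space:]]*Sec(Rule|Action)[[:space:]]' "$inc" || true)
        n=$((n + m))
    done
    echo "$n"
}

# Verdict for one server.  Arguments: "<httpd -M output>" httpd.conf modsec2.user.conf
report() {
    if modsec_loaded "$1"; then
        echo "module:  security2_module loaded"
    else
        echo "module:  NOT loaded (httpd -M shows no security2_module)"
    fi
    if includes_modsec_conf "$2"; then
        echo "include: modsec2.conf is included"
    else
        echo "include: modsec2.conf NOT included from $2"
    fi
    rules=$(count_rules "$3")
    if [ "$rules" -gt 0 ]; then
        echo "rules:   $rules directive(s)"
    else
        echo "rules:   none (no rule set installed, so no rule can hit and the log stays empty)"
    fi
}

# --- constructed sample files (not real server files) -----------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The situation postcd describes: the user conf only includes an empty whitelist.
printf '# ConfigServer ModSecurity whitelist file\n' > "$WORK/modsec2.whitelist.conf"
printf 'Include %s/modsec2.whitelist.conf\n' "$WORK" > "$WORK/modsec2.user.conf.empty"

# The same user conf after a rule file has been added (two directives that only
# imitate the CRS layout; this is not the real CRS file).
cat > "$WORK/rules.conf" <<'EOF'
SecAction "phase:1,id:'900001',nolog,pass,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:2,id:'960032',block,msg:'Method is not allowed by policy'"
EOF
printf 'Include %s/modsec2.whitelist.conf\nInclude %s/rules.conf\n' "$WORK" "$WORK" > "$WORK/modsec2.user.conf.populated"

# httpd.conf fragments and `httpd -M` output for both outcomes.
printf 'Include "/usr/local/apache/conf/modsec2.conf"\n' > "$WORK/httpd.conf.good"
printf '#Include "/usr/local/apache/conf/modsec2.conf"\n' > "$WORK/httpd.conf.bad"
HTTPD_M_OK='Loaded Modules:
 core_module (static)
 security2_module (shared)'
HTTPD_M_MISSING='Loaded Modules:
 core_module (static)'

echo "== server as postcd describes it =="
report "$HTTPD_M_OK" "$WORK/httpd.conf.good" "$WORK/modsec2.user.conf.empty"
echo "== after installing a rule set =="
report "$HTTPD_M_OK" "$WORK/httpd.conf.good" "$WORK/modsec2.user.conf.populated"
echo "== module missing, include commented out =="
report "$HTTPD_M_MISSING" "$WORK/httpd.conf.bad" "$WORK/modsec2.user.conf.empty"
```

On a real server you would call `report "$(httpd -M 2>/dev/null)" /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/modsec2.user.conf`; the first case above reproduces postcd's whitelist-only setup, where the rule count is zero and the empty log is therefore expected.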
  • postcd
    Quoting quizknows: make sure that /usr/local/apache/conf/modsec2.user.conf has rules in it. By default, modsec2.user.conf is blank and you have to install your own rule set, be it from Trustwave, ASL, or the CRS rules.
    My modsec2.user.conf has only one line: Include /usr/local/apache/conf/modsec2.whitelist.conf
    That whitelist file contains this: # ConfigServer ModSecurity whitelist file
    Please can you advise any good rule sets, or a search phrase to put into Google? I searched "Trustwave, ASL, or the CRS rules." but can't find any rule set. Edit, there is a Quick download section at
    [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
  • quizknows
    You're on the right track. I usually only recommend the CRS base rules for more advanced users, as they're pretty generic and prone to false positives. If you do want to use the CRS rules, I recommend commenting out any rules which cause you too many problems. In your case it was rule ID 960032, and your error states it was on line 31 of /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_30_http_policy.conf. Some rules are multiple lines, so if you comment out a rule, make sure to get all lines for that rule ID (multi-line rules will have "chain" in the rule actions).

    Personally, for hosting companies I recommend the Trustwave corporate ruleset. The Trustwave rules are a paid product but very well worth it. I believe a single license is $500/year, but this includes nightly updates to the rules, which protect most common CMS software. They also do bulk licensing for hosting companies if you contact them. If you cannot afford a license for the Trustwave rules, or the paid ASL rules, I may have a copy of the old free ASL rules, which will be much better than nothing. PM me if you need these.
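The step quizknows describes, commenting out a rule by ID while making sure every line of it is caught (backslash-continued lines and any SecRule lines chained to it), as an added example that is not part of the thread and not a CRS or cPanel tool. It is a POSIX shell function around awk; the rule file it runs on is a constructed sample that only imitates the CRS 2.x layout and is not modsecurity_crs_30_http_policy.conf, and rule ID 1000001 is made up for the chained case. It relies on two facts of ModSecurity syntax: a chain is a SecRule carrying the `chain` action followed by the next SecRule(s), and only the first rule of a chain carries the `id`.

```shell
#!/bin/sh
# Added example, not from the thread: comment out a ModSecurity rule by ID,
# including backslash-continued lines and any SecRule lines chained to it.

# disable_rule ID FILE  -> prints FILE to stdout with the rule commented out
disable_rule() {
    awk -v id="$1" -v q="'" '
    # flush() decides about one complete directive held in buf[1..n]
    function flush(    joined, i, hit, prefix) {
        if (n == 0) return
        joined = ""
        for (i = 1; i <= n; i++) joined = joined " " buf[i]
        hit = 0
        if (disabling) {
            # inside a chain started by the target rule: comment this directive
            # too, and leave chain mode once a directive no longer says "chain"
            hit = 1
            if (joined !~ chain_re) disabling = 0
        } else if (joined ~ ("id:" q "?" id q "?([^0-9]|$)")) {
            hit = 1
            if (joined ~ chain_re) disabling = 1
        }
        prefix = hit ? "#" : ""
        for (i = 1; i <= n; i++) print prefix buf[i]
        n = 0
    }
    BEGIN {
        n = 0; disabling = 0
        # "chain" as an action, delimited by comma, quote or space (not "chained" in a msg)
        chain_re = "[,\"[:space:]]chain[,\"[:space:]]"
    }
    # a directive starts with SecRule/SecAction and continues while lines end in "\"
    /^[[:space:]]*Sec(Rule|Action)[[:space:]]/ || n > 0 {
        buf[++n] = $0
        if ($0 !~ /\\[[:space:]]*$/) flush()
        next
    }
    { print }
    END { flush() }
    ' "$2"
}

# --- constructed sample (imitates the CRS layout; not the real CRS file) ------
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
# constructed sample rule file
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST|OPTIONS)$" \
    "phase:2,id:'960032',rev:'2',block,msg:'Method is not allowed by policy',severity:'2'"
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "phase:1,id:'1000001',chain,msg:'constructed chained rule'"
    SecRule REQUEST_BODY "@contains <!ENTITY" "t:none"
SecRule ARGS "@rx evil" "phase:2,id:'1000002',pass,msg:'untouched rule'"
EOF

echo "== rule 960032 disabled (two continued lines) =="
disable_rule 960032 "$RULES"
echo "== rule 1000001 disabled (both links of the chain) =="
disable_rule 1000001 "$RULES"
```

To apply it for real, redirect the output to a copy, diff it against the original to confirm only the intended lines gained a leading `#`, then swap the file in and restart Apache. Stopping at the rule's first line, which is what a one-line `sed` on the ID would do, leaves the chained SecRule behind without its parent; in ModSecurity that is a configuration error, not a silently weaker rule.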
