What ModSecurity rules are in place with the new WHM module?
Hi! I've just upgraded and see an interesting new backend UI, showing some default settings and a Hit List. Nice. Really.
But I want more control: what rules are in place by default? Where can I find them? If I used the ConfigServer ModSecurity plugin and my host included some Atomicorp rules, are both still available and in use? Can anybody confirm this? Does this new UI include internal functions replacing/overwriting/invalidating those abovementioned methods?
I'm wondering all this because 1) the UI allows editing "Custom Rules" but doesn't mention if default basic rules are in place and 2) even your Documentation pages don't explain anything further than what one could easily infer by scanning the UI :) ... If my current (previously loaded) rules are being used, the new UI should allow editing them. While that's not a possibility, I'll stick to ConfigServer Mod Security plugin since it gives me FULL control on EVERY config for ModSecurity.
You may want to review and improve the current completeness of these pages:
[LIST]
It's just constructive criticism, but all the clarification you could bring to light will be acknowledged :)
BTW, I found the editor, a bit hidden for my taste, at... "scripts2/show_mod_security//editCustomRules" where you can see some settings, but not every one of them. Because there are files not present in the list, and that's worrying me.

This is what's shown in the new Custom Rules screen:

SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecResponseBodyLimitAction ProcessPartial
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf
But these are the files I really have in place, visible thru the ConfigServer ModSec UI:

modsec2.conf
modsec2.cpanel.conf
modsec2.exploit.conf
modsec2.user.conf
modsec2.whitelist.conf
modsec_rules/00_asl_z_antievasion.conf
modsec_rules/00_asl_zz_strict.conf
modsec_rules/01_asl_content.conf
modsec_rules/01_asl_rules_special.conf
modsec_rules/03_asl_dos.conf
modsec_rules/09_asl_rules.conf
modsec_rules/10_asl_antimalware.conf
modsec_rules/10_asl_rules.conf
modsec_rules/11_asl_adv_rules.conf
modsec_rules/11_asl_data_loss.conf
modsec_rules/12_asl_brute.conf
modsec_rules/15_asl_paranoid_rules.conf
modsec_rules/20_asl_useragents.conf
modsec_rules/30_asl_antispam.conf
modsec_rules/31_asl_urispam.conf
modsec_rules/50_asl_rootkits.conf
modsec_rules/51_asl_rootkits.conf
modsec_rules/60_asl_recons.conf
modsec_rules/61_asl_recons_dlp.conf
modsec_rules/99_asl_jitp.conf
modsec_rules/domain-blacklist-local.txt
modsec_rules/domain-blacklist.txt
modsec_rules/domain-spam-whitelist.conf
modsec_rules/malware-blacklist.txt
modsec_rules/malware_names.txt
modsec_rules/spam.data
modsec_rules/sql.txt
So, what may be going wrong here? Is the new UI not seeing the full picture? Or is it scanning just one location?
You don't always include all rules files available. Basically you have (for example) modsec_rules/61_asl_recons_dlp.conf available, but it's not called (as in, included) in your main conf file. The rules in your first code section are the ones actually in use. For the record, at this time, cPanel does not provide rules so these may have come from your hosting provider if you did not install them. As of 11.48 cPanel may be offering rule sets to be enabled to make things easier.
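The point in the reply above (a rules file on disk is only loaded when an Include line names it) can be checked by comparing Include targets with the directory listing. This is an added example, not code from the thread or from cPanel: the Include lines and file names are copied from the posts above, the commented-out line is constructed, the function names are hypothetical, and nested includes are not followed.

```python
import fnmatch
import re

RULES_DIR = "/usr/local/apache/conf/modsec_rules/"

# Directives from the WHM "Custom Rules" editor (copied from the post);
# the commented-out Include is constructed to show that '#' lines do not count.
ACTIVE_CONF = """\
SecRequestBodyAccess On
# Include /usr/local/apache/conf/modsec_rules/03_asl_dos.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf
"""

# .conf files present under modsec_rules/ (copied from the post's file listing).
ON_DISK = """
00_asl_z_antievasion.conf 00_asl_zz_strict.conf 01_asl_content.conf
01_asl_rules_special.conf 03_asl_dos.conf 09_asl_rules.conf
10_asl_antimalware.conf 10_asl_rules.conf 11_asl_adv_rules.conf
11_asl_data_loss.conf 12_asl_brute.conf 15_asl_paranoid_rules.conf
20_asl_useragents.conf 30_asl_antispam.conf 31_asl_urispam.conf
50_asl_rootkits.conf 51_asl_rootkits.conf 60_asl_recons.conf
61_asl_recons_dlp.conf 99_asl_jitp.conf domain-spam-whitelist.conf
""".split()

# Apache Include / IncludeOptional at the start of a line; the path may be quoted.
INCLUDE_RE = re.compile(r'^[ \t]*Include(?:Optional)?[ \t]+"?([^"\s]+)"?', re.I | re.M)

def include_targets(conf_text):
    """Return the path or wildcard pattern of every uncommented Include line."""
    return INCLUDE_RE.findall(conf_text)

def split_by_include(conf_text, files, rules_dir=RULES_DIR):
    """Split file names into (included, not_included) against the Include patterns."""
    patterns = include_targets(conf_text)
    included, not_included = [], []
    for name in files:
        hit = any(fnmatch.fnmatchcase(rules_dir + name, p) for p in patterns)
        (included if hit else not_included).append(name)
    return included, not_included

if __name__ == "__main__":
    included, not_included = split_by_include(ACTIVE_CONF, ON_DISK)
    print("included:", included, "\nnot included:", not_included)
```

On a live server the same comparison would read the active configuration file and list the rules directory instead of using the inline samples.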
Honestly kent, a quick search of the forums, for posts in the last year, for the term: ModSecurity would have been more useful than your silly image you attached to your post, now removed. This thread should be of some use to you: New ModSecurity - cPanel Forums The new ModSecurity interface rolled out a while back in upper tiers and questions about it have been asked multiple times and all of them to date, have been answered by Staff, his name is Brian. Please review that thread, and if you need more, try the search tool, top of the forums. I hope that shines some light on your query.
Also quizknows is right, cPanel is rolling out new rules that you'll make use of, or not, manually in the near future. cPanel just did an hour-long Webinar on this, yesterday, that you must have missed. No worries though, a video of that Webinar, not specifically concerning ModSecurity so much as all the new things in 11.46 that will be available as soon as today, I believe. I just looked for it and cannot locate it. But it should be available soon, it was recorded, AFAIK. HTH!
@quizknows: so,... you will be keeping this feature inactive until 11.48? @InfoPro: sorry for the silly image, but it just brought your attention to the thread and some good links and answers were received in exchange :) And I deeply thank you for that. I'll follow up the thread you mentioned. And regarding the Release version and the webinars, I bet I'm in the category of the zillions of cPanel licensees who just cannot 1) have an available box to test Release/Edge versions to submit feedback and 2) nor even enough available time to accommodate a webinar. Hopefully it's recorded and I can watch it later this weekend. I have a whole bunch of questions regarding this feature and will ask them in the abovementioned thread. Thanks both of you for the comments. Best regards
The image didn't bring me to this thread, I read as many threads each day here as I can. This was one of them. ;) Please read thru all the current threads concerning ModSecurity as many questions have already been asked and answered. Don't just simply pop over to that thread and lay out some new quest... oh, you already did. :rolleyes: The video is now live. Please review it at your earliest convenience: