Where are the ModSecurity default rules?
I remember an option on WHM for ModSecurity where you can set the Default Configuration and view/edit the global rules.
I haven't found that feature and now I see Configuration and Tools options but none of them show the rules and the logs show nothing is being blocked.
Could you explain how I can modify the rules?
I'm interested in testing the Atomic ModSec Ruleset (Atomic ModSecurity Rules - Atomicorp Wiki: http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Special_notes_for_CPANEL_users_not_using_ASL), but at least the default rules should be available by default as they used to.
-
Hello :)
We no longer ship Mod_Security with a custom rule set. However, there are plans to provide the OWASP ModSecurity Core Rule Set with cPanel version 11.48. Please review the following feature requests for more information:
Mod security logs in cPanel | cPanel Feature Requests: http://features.cpanel.net/responses/mod-security-logs-in-cpanel
mod_sec rules | cPanel Feature Requests: http://features.cpanel.net/responses/mod-sec-rules
Also, some additional information is available in the following thread: Mod_Security Changes
Thank you. 0 -
Ok, it's nice to know that you no longer provide the Default Configuration but... there's no place left to put mine in, there used to be a textarea I could use to fill with some custom rules, or at least see them if they were manually installed thru some other service. 0 -
You can add custom rules via: "WHM Home » Security Center » ModSecurity™ Tools » Edit Custom Rules" Thank you. 0 -
Quick note. The OWASP ruleset slows down my sites by about a second each. This was confirmed via your support people in a service ticket. COMODO ruleset is much better. No noticeable speed hit, but it does flag an error on some of my sites (mostly WordPress and XenForo). If someone can suggest another ruleset that is as simple as COMODO to integrate, and works well, please let me know. Peace, Gene 0 -
I'd recommend keeping COMODO and just whitelisting the few rule IDs that are causing you issues. Literally any modsec rule set is going to have some false positives you'll have to work through / customize. 0 -
I had to contact support to do that. It's not at all clear how a specific rule applies to a specific problem. Peace, Gene 0 -
Usually the error_log is enough info, otherwise the audit log has tons of info but can be hard to read. If you know the IP that you're browsing behind, it's easy to check that in the error_log for any ModSecurity hits. Regardless, if you're not comfortable troubleshooting it, any good support rep should be able to get you taken care of :) 0 -
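The error_log check described in the reply above, as an added example that is not part of the thread or of cPanel's tooling: a Python filter that pulls the ModSecurity hits for one client IP and counts them per rule ID, hostname and URI, so the rule IDs worth reviewing for a whitelist stand out. The log lines are constructed, and the field layout assumed is the ModSecurity 2.x Apache error_log format.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x error_log style; every IP, rule ID,
# hostname and path below is made up for this example.
SAMPLE_LOG = r'''
[Tue Mar 10 14:02:11 2015] [:error] [pid 911] [client 203.0.113.7:51514] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:content. [file "/path/to/vendor/rules.conf"] [line "41"] [id "900101"] [msg "Constructed: SQL keyword in request"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "a1"]
[Tue Mar 10 14:02:40 2015] [:error] [pid 911] [client 203.0.113.7:51530] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:content. [file "/path/to/vendor/rules.conf"] [line "41"] [id "900101"] [msg "Constructed: SQL keyword in request"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "a2"]
[Tue Mar 10 14:05:02 2015] [:error] [pid 912] [client 203.0.113.7] ModSecurity: Warning. Match of "..." against "REQUEST_HEADERS:Accept" required. [file "/path/to/vendor/rules.conf"] [line "77"] [id "900202"] [msg "Constructed: missing Accept header"] [hostname "forum.example.com"] [uri "/index.php"] [unique_id "a3"]
[Tue Mar 10 14:06:13 2015] [:error] [pid 913] [client 198.51.100.23:40022] ModSecurity: Access denied with code 403 (phase 2). [file "/path/to/vendor/rules.conf"] [line "90"] [id "900303"] [msg "Constructed: scanner user agent"] [hostname "blog.example.com"] [uri "/xmlrpc.php"] [unique_id "a4"]
[Tue Mar 10 14:07:00 2015] [core:error] [pid 913] [client 203.0.113.7:51600] File does not exist: /path/to/docroot/favicon.ico
'''

# IPv4 client address; the ":port" suffix is present on Apache 2.4, absent on 2.2.
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
# The bracketed metadata fields ModSecurity appends to each message.
FIELD_RE = re.compile(r'\[(id|msg|hostname|uri) "((?:[^"\\]|\\.)*)"\]')


def modsec_hits(log_text, client_ip):
    """Yield one dict per ModSecurity error_log line logged for client_ip."""
    for line in log_text.splitlines():
        client = CLIENT_RE.search(line)
        if "ModSecurity:" not in line or not client or client.group(1) != client_ip:
            continue
        hit = dict(FIELD_RE.findall(line))
        if "id" not in hit:  # a message without a rule ID cannot be whitelisted by ID
            continue
        hit["blocked"] = "Access denied" in line  # otherwise the rule only logged
        yield hit


def summarize(log_text, client_ip):
    """Count hits per (rule id, hostname, uri, blocked), most frequent first."""
    counts = Counter(
        (h["id"], h.get("hostname", "-"), h.get("uri", "-"), h["blocked"])
        for h in modsec_hits(log_text, client_ip)
    )
    return counts.most_common()


if __name__ == "__main__":
    for (rule_id, host, uri, blocked), n in summarize(SAMPLE_LOG, "203.0.113.7"):
        print(f"{n:3d}x id={rule_id} {'blocked' if blocked else 'logged '} {host}{uri}")
```

To use it on a real server, read the Apache error_log into a string and pass your own public IP; the `msg` field of each hit says what the rule matched, which is what ties a rule ID to a specific problem.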
The tech suggested I add something to a conf file that appears to have stopped extraneous messages or other behavior. Peace, Gene 0