Skip to main content

could anyone explain mod security please

Comments

23 comments

  • cPanelMichael
    Hello :) The following documents should help explain it's purpose: Apache Module - Mod _Security What Exactly Is Mod_Security Thank you.
    0
  • quizknows
    Web app firewalls (like modsec) are exactly that; firewalls. Just instead of blocking IP addresses or ports, they block request based on a rule set. The rule set generally has rules to catch certain exploit attempts so they don't hit the web site for processing.
    0
  • keat63
    From what I can gather after running Easy Apache, mod security is actually installed. However, when i look at ModSecurity Configuration, it's about as useful as a chocolate fireguard. It makes no sense.
    0
  • keat63
    so could anyone suggest a decent set of rules and simplified instructions on how to install them. For instance I looked at OWASP and all the instructions I read assume that you know what your'e doing.
    0
  • Infopro
    The new cPanel setup for ModSec is your best bet, as far as easy goes. If you're not sure what you're doing, it doesn't get any easier than this. There are some issues with the rules, but I would think cPanel and OWASP are working on making them better. ...simplified instructions on how to install them.
    Do you have the OWASP rules installed? Home " Security Center " Manage Vendors If not, make sure cPanel is up to date (and CSF as well, as of this post) and then click Install > Install and Restart Apache, there. Make sure, Enabled, and Updates On are both, On. --- Here: Home " Security Center " Configure Global Directives Defaults should be set already, IIRC. - Only log noteworthy transactions. - Process the rules. - Process the rules. - Enabled - Default - 1500 - 1500 ---- Here: Home " Security Center " Hits List You can view rule hits. CSF/LFD sends out useful emails about blocking with ModSec. You should monitor these hits, and those emails to keep an eye on legit users or scripts being blocked. If you see one, you'll need the ID from the rule to take proper action, for example: 960009 From the "Hits List" page, click the "Rules List" button top right corner. Using that example rule above, search for it there on the Rules List. When you find it, click the Disable option. Reporting tools are to be added here as I understand it, and with that, the rules will be made better over time by us reporting the issues/rules and as they are updated nightly when possible. There is no other easier way to go. There are better rules though, for now. HTH!
    0
  • keat63
    I don't appear have links to: Home " Security Center " Manage Vendors Home " Security Center " Configure Global Directives Home " Security Center " Hits List But i do have links for ModSecurity Configuration and ModSecurity Tools, so I assume ModSecurity is installed.
    0
  • Infopro
    What is your cPanel version? Vendors area wasn't added earlier on as I recall.
    0
  • PCZero
    I recently added and enabled the OWASP ModSecurity Core Rule Set. Since that time my lfd warnings from csf have increased ten fold or more. The two biggest message types I am getting are these. ONE:
    [Wed Feb 11 08:00:38 2015] [error] [client 118.4.175.207] ModSecurity: Access denied with redirection to http://MyDomain1.com/ using status 302 (phase 2). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"> [line "405"> [id "960010"> [rev "2"> [msg "Request content type is not allowed by policy"> [data "application/octet-stream"> [severity "CRITICAL"> [ver "OWASP_CRS/3.0.0"> [maturity "9"> [accuracy "9"> [tag "Host: MyDomain1.com"> [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"> [tag "WASCTC/WASC-20"> [tag "OWASP_TOP_10/A1"> [tag "OWASP_AppSensor/EE2"> [tag "PCI/12.1"> [hostname "MyDomain1.com"> [uri "/"> [unique_id "VNtSdrisyIMAAAVkFN4AAAAK">
    TWO:
    [Wed Feb 11 08:01:10 2015] [error] [client 69.112.227.22] ModSecurity: Access denied with redirection to http://www.MyDomain2.com/ using status 302 (phase 2). Match of "pm AppleWebKit Android" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"> [line "299"> [id "960015"> [rev "3"> [msg "Request Missing an Accept Header"> [severity "NOTICE"> [ver "OWASP_CRS/3.0.0"> [maturity "9"> [accuracy "8"> [tag "Host: www.MyDomain2.com"> [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"> [tag "WASCTC/WASC-21"> [tag "OWASP_TOP_10/A7"> [tag "PCI/6.5.10"> [hostname "www.MyDomain2.com"> [uri "/favicon.ico"> [unique_id "VNtSlrisyIMAAATM6@oAAAAB">
    Can someone please give me a brief explanation as to what these messages are telling me and how I might decide if I would want to consider adjusting one or more rules based on these results?
    0
  • Infopro
    While not specifically an answer for you, there is an old post here worth a peek I think: /http://stackoverflow.com/questions/8236736/mod-security-false-positives Specifically, the 'best answer' posted by: Ryan Barnett ModSecurity Project Lead OWASP ModSecurity CRS Project Lead I came across it searching for this from your post: [tag "WASCTC/WASC-21"> The blog posts he links to are dated, but must still be of value, they're still being linked to on the email list: /http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2015-January/001700.html By, Chaim Sanders Security Researcher, SpiderLabs The links: [url=http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html]Advanced Topic of the Week: Traditional vs. Anomaly Scoring Detection Modes [url=http://blog.spiderlabs.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--%28Updated%29-Exception-Handling/]ModSecurity Advanced Topic of the Week: (Updated) Exception Handling Interestingly enough, their email lists seem kinda of quiet, for now. [url=http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/]The Owasp-modsecurity-core-rule-set Archives
    0
  • keat63
    My Cpanel is 11.46 i'm just hold off 11.48 until the few bugs i keep seeing have been ironed out.
    0
  • keat63
    this is what i have regarding mod security in Secirity Center ".vB" However, when i go into either of them, there's little in there in the way of help. Configuration has a number of radio buttons, process this, process that, and areas to specify paths to files i guess. The tools section appears to be where you can add custom rules, but again, not much in the way of help. When i originally ran EasyApache, i installed MOD_RUID2, does this have anything to do with ModSecurity ? It's all a little confusing.
    0
  • Infopro
    My Cpanel is 11.46
    From your Update Preferences page: STABLE 11.46.2.4 The last tier to receive changes
    0
  • keat63
    i'm currently 11.46.1.4 If i update to 11.46.2.4, will there be any impact on web and email services while the update is running. Or am i better off doing this out of busy operating hours.
    0
  • Infopro
    There should be no issues to force an update I wouldn't think. There should also be no reason for you to jump tiers if you don't want to.
    0
  • keat63
    So I took a risk and did the update to 11.46.2.4, but it still doesn't help in my understanding for ModSecurity. Regards post #5, i found these parameters in ModSecurity Configuration. And a link to "Hit Lists" in ModSecurity Tools. But i'm none the wiser on how to install a rule set.
    0
  • Infopro
    ]So I took a risk and did the update to 11.46.2.4, but it still doesn't help in my understanding for ModSecurity.

    Was that expected? I've had it installed for years across many servers and I still don't fully understand modsecurity.
    ] Regards post #5, i found these parameters in ModSecurity Configuration. And a link to "Hit Lists" in ModSecurity Tools. But i'm none the wiser on how to install a rule set.

    Post #6: Do you have the OWASP rules installed? Home " Security Center " Manage Vendors If not, make sure cPanel is up to date (and CSF as well, as of this post) and then click Install > Install and Restart Apache, there. Make sure, Enabled, and Updates On are both, On.
    Does that help at all in getting the Vendor Rules installed? Keep us posted.
    0
  • Infopro
    ]So I took a risk and did the update to 11.46.2.4 ...

    Oh wait. You weren't on the latest version of STABLE and updated to that. We might assume here the Vendor Rules are not in Stable yet. Please accept my apologies here, I haven't run or monitored STABLE releases in a long time. I only run CURRENT and EDGE releases.
    0
  • keat63
    I still see no reference anywhere to Manage Vendors, or vendor rules.
    0
  • Infopro
    Vendor Rules are not included in your Tier, yet. For reference:
    0
  • keat63
    I fond a reference to Vendors in "Install CPAddons Site Software" ?
    0
  • Infopro
    Thats for site software. Wordpress for example. If you'd like to have access to the new Vendor Rules, you'll need to either wait a bit longer, or, update to the RELEASE tier.
    0
  • keat63
    What's the usual timescale for "Release" to become "Stable"- approximately speaking, days, weeks, months ? I'm worried that upgrading might break something that i don't know how to fix.
    0
  • keat63
    I took the plunge and updated to 11.48 last night. I have a mod security error this morning, but i'll post a new thread for this.
    0

Please sign in to leave a comment.