
SecConnEngine - why is default off?

Comments

16 comments

  • quizknows
    Turning on SecConnEngine simply enables the option to use SecConn[Read|Write]StateLimit settings. These can be used as slowloris mitigation so one IP cannot eat up all your available Apache threads. The example below would limit any IPs other than localhost to 50 connections per IP.

    Example usage: SecConnReadStateLimit 50 "!@ipMatch 127.0.0.1"

    So basically, if you had the above rule but SecConnEngine was off, the above rule would not be processed. Same if you set a rule for SecConnWriteStateLimit.
    0
  • jndawson
    Turning on SecConnEngine simply enables the option to use SecConn[Read|Write]StateLimit settings. These can be used as slowloris mitigation so one IP cannot eat up all your available Apache threads. The example below would limit any IPs other than localhost to 50 connections per IP.

    Example usage: SecConnReadStateLimit 50 "!@ipMatch 127.0.0.1"

    So basically, if you had the above rule but SecConnEngine was off, the above rule would not be processed. Same if you set a rule for SecConnWriteStateLimit.

    Yes, and that's not answering the question of why the default is off.
    0
  • quizknows
    I would guess the default is off because most rule sets don't include read/write state limits by default. Generally you only turn those on if you're under attack.
    0
  • cPanelMichael
    Hello @jndawson, Internal case CPANEL-4767 is open to improve the SecConnEngine description in "WHM >> ModSecurity Configuration". I don't have a specific time frame to offer for the publication of any changes to the description, but I'll monitor the case and update this thread with more information as it becomes available. Additionally, here's a quote from the case about the purpose of this option: The SecConnRead/WriteStateLimit values basically just act as throttles for the amount of simultaneous, ongoing read or write requests occurring for any one IP address on the server at any given time. The SecConnEngine value only enables or disables the processing of these values (or processes them in what amounts to a "read-only" way).
    Thank you.
    0
  • jndawson
    Hello @jndawson, Internal case CPANEL-4767 is open to improve the SecConnEngine description in "WHM >> ModSecurity Configuration". I don't have a specific time frame to offer for the publication of any changes to the description, but I'll monitor the case and update this thread with more information as it becomes available. Additionally, here's a quote from the case about the purpose of this option: Thank you.

    That's great - thanks. Why is the default set to off?
    0
  • cPanelMichael
    Why is the default set to off?

    There are no SecConnRead or WriteStateLimit values configured by default so the SecConnEngine option isn't needed. Thank you.
    0
  • jndawson
    There are no SecConnRead or WriteStateLimit values configured by default so the SecConnEngine option isn't needed. Thank you.

    Thanks!
    0
  • Ricardo Buchalla Auada
    There are no SecConnRead or WriteStateLimit values configured by default so the SecConnEngine option isn't needed. Thank you.

    Is there a manual on how to create these rules ?
    0
  • cPanelMichael
    Is there a manual on how to create these rules ?

    ModSecurity provides examples at: SpiderLabs/ModSecurity (GitHub). Thank you.
    0
  • jeffschips
    Turning on SecConnEngine simply enables the option to use SecConn[Read|Write]StateLimit settings. These can be used as slowloris mitigation so one IP cannot eat up all your available Apache threads. The example below would limit any IPs other than localhost to 50 connections per IP.

    Example usage: SecConnReadStateLimit 50 "!@ipMatch 127.0.0.1"

    So basically, if you had the above rule but SecConnEngine was off, the above rule would not be processed. Same if you set a rule for SecConnWriteStateLimit.

    Can someone dumb down the reply a bit? Stating "Turning on SecConnEngine simply enables the option to use SecConn[Read|Write]StateLimit settings. These can be used as slowloris mitigation so one IP cannot eat up all your available apache threads. . . ." What does "slowloris" mean? Basically, what is the difference between having SecConnEngine on vs. off, and the same for the rules engine? Going to the provided link in the app doesn't provide a clue. Thanks.
    0
  • Infopro
    What does "slowloris" mean?

    This article on the Cloudflare blog may be of some use for this question: Slowloris DDoS Attack | Cloudflare
    0
  • jeffschips
    Thank you *soooo* much for providing that. It clears up a lot for me.
    0
  • ottdev
    There are no SecConnRead or WriteStateLimit values configured by default so the SecConnEngine option isn't needed.

    By this do you mean the default in the module? Or did you mean the module as well as the default OWASP ruleset cPanel provides (at least currently)? One of our servers was optimized by the datacenter. In what folder would I "grep -r" to see if any such rules have been added after the fact?
    0
  • cPanelMichael
    By this do you mean the default in the module? Or did you mean the module as well as the default OWASP ruleset cPanel provides (at least currently)? One of our servers was optimized by the datacenter. In what folder would I "grep -r" to see if any such rules have been added after the fact?

    Hello @ottdev, The SecConnEngine option isn't enabled by default because the default rules (including ones enabled as part of the OWASP ruleset) do not utilize SecConnRead or WriteStateLimit values. You are welcome to enable the SecConnEngine option via WHM >> Security Center >> ModSecurity Configuration >> Configure Global Directives if it's needed for your own custom rules. You can review a list of all enabled rules in WHM Home >> Security Center >> ModSecurity Tools >> Rules List. Thank you.
    0
  • ottdev
    You can review a list of all enabled rules in WHM Home >> Security Center >> ModSecurity Tools >> Rules List.

    The rules list is too cumbersome to search thru several pages. What folders are they all living in as grep -r will be much easier? NEVERMIND : ultimately all appear to be within /etc/apache2/conf.d/
    0
  • cPanelMichael
    Hello @ottdev, There's a search field in WHM >> ModSecurity Tools >> Rules List that you can use to search the existing rules. Additionally, the following WHM API 1 function is available: WHM API 1 Functions - modsec_get_rules (cPanel Developer Documentation)
    NEVERMIND : ultimately all appear to be within /etc/apache2/conf.d/

    This is also a valid method of searching through the rules. Thank you.
    0
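As an added shell check (not cPanel's or ModSecurity's own tooling) covering the two points raised above: whether any SecConn[Read|Write]StateLimit directives exist under an Apache include directory such as /etc/apache2/conf.d/, and whether SecConnEngine is actually On so that those throttles are enforced rather than silently skipped. The function names, the output labels and the sample config files are all constructed for this example.

```shell
#!/bin/sh
# Added example (not cPanel's or ModSecurity's own tooling): audit an Apache
# include directory for the SecConnEngine / SecConn[Read|Write]StateLimit
# combination discussed in this thread.
#
# Prints one of:
#   NO_LIMITS           no SecConnRead/WriteStateLimit directive at all
#   LIMITS_ACTIVE       limits present and SecConnEngine On
#   LIMITS_DETECT_ONLY  limits present, SecConnEngine DetectionOnly (logged only)
#   LIMITS_IGNORED      limits present but SecConnEngine Off or missing, so the
#                       throttles are parsed but never enforced (exit status 1)
secconn_audit() {
    dir="$1"
    # Uncommented SecConn* directives from every file under $dir; on cPanel the
    # ModSecurity includes live under /etc/apache2/conf.d/ (see thread above).
    hits=$(grep -rhiE '^[[:space:]]*SecConn(Engine|ReadStateLimit|WriteStateLimit)[[:space:]]' \
               "$dir" 2>/dev/null || true)
    limits=$(printf '%s\n' "$hits" | grep -ciE 'SecConn(Read|Write)StateLimit' || true)
    # Simplification: the last SecConnEngine line seen is taken as effective.
    engine=$(printf '%s\n' "$hits" | grep -iE 'SecConnEngine' | tail -n 1 | awk '{print tolower($2)}')
    if [ "$limits" -eq 0 ]; then echo NO_LIMITS; return 0; fi
    case "$engine" in
        on)            echo LIMITS_ACTIVE;      return 0 ;;
        detectiononly) echo LIMITS_DETECT_ONLY; return 0 ;;
        *)             echo LIMITS_IGNORED;     return 1 ;;
    esac
}

# Constructed demo: a user include carrying the slowloris throttle from the
# thread but no SecConnEngine line, then the fix of enabling the engine.
secconn_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/modsec2.user.conf" <<'EOF'
# 50 simultaneous connections per IP in READ or WRITE state, localhost exempt
SecConnReadStateLimit 50 "!@ipMatch 127.0.0.1"
SecConnWriteStateLimit 50 "!@ipMatch 127.0.0.1"
EOF
    before=$(secconn_audit "$tmp" || true)      # LIMITS_IGNORED
    printf 'SecConnEngine On\n' > "$tmp/modsec2.conf"
    after=$(secconn_audit "$tmp")               # LIMITS_ACTIVE
    rm -rf "$tmp"
    echo "$before -> $after"
}
```

Run `secconn_audit /etc/apache2/conf.d` on the server; a non-zero exit means limit directives are in place but will not take effect until SecConnEngine is switched On in the global directives.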
