Enabling ModSecurity Connections Engine?

Comments

7 comments

  • cPRex Jurassic Moderator

    Hey there!  If you don't have SecConnEngine enabled, nothing else really matters as the rules won't be processed.  The other two options you mentioned are not present in the WHM interface, and don't need to be manually configured in order for things to start working.  We wouldn't make users manually configure something over SSH in order to use a WHM feature.

    0
  • kgs

    So SecConnEngine does work out of the box? Just tell it to "Process the rules" in WHM (assuming OWASP rules are enabled)?

    If so, what are the default connection limits?

    Thanks!

    0
  • cPRex Jurassic Moderator

    Yes, that's all you need to do to get it working.

    I'm not aware of any specific connection limits as we don't set those values.  What specifically are you looking for?

    0
  • kgs

    Maybe I just don't understand the Connections Engine, but I thought it is supposed to detect too many connections coming in from a single IP, and then limit those connections. So that means there must be some value that triggers the Connections Engine to apply the rules. In my research I saw stuff about SecConnReadStateLimit and SecConnWriteStateLimit.

    0
  • cPRex Jurassic Moderator

    I did some additional reading on this and found the following two sections in the ModSecurity documentation:

    https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecConnWriteStateLimit

    https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecConnReadStateLimit

    It's important to note that the default rules that we include with OWASP do not use these values, so it would seem there is not much point to having that enabled.  However, if you have custom rules you may want to adjust those values manually as you mentioned.  This is why we don't offer any UI tools to adjust those as they won't function with our defaults.

    SecRuleEngine is the one I was thinking of that needs to be on or else nothing will happen, so I had those backwards.

    Does that help to clear things up?

    I also found this older discussion and found all the details there to still be valid:

    https://support.cpanel.net/hc/en-us/community/posts/19666544748311-SecConnEngine-why-is-default-off

    0
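The state described in the reply above (SecConnEngine switched on while no SecConnReadStateLimit or SecConnWriteStateLimit is set) can be checked for mechanically. This is an added example, not part of the thread and not cPanel or ModSecurity code; the sample configs and limit values are constructed, and the checker assumes a flat config in which a later directive overrides an earlier one.

```python
# Added example: audit ModSecurity v2 config text for the connection-engine
# directives discussed in this thread. Include files are not followed.

LIMIT_DIRECTIVES = ("SecConnReadStateLimit", "SecConnWriteStateLimit")

# Constructed sample: engine toggled on, nothing else configured.
TOGGLE_ONLY = """
SecRuleEngine On
SecConnEngine On
"""

# Constructed sample: engine in DetectionOnly with per-IP limits (values are made up).
WITH_LIMITS = """
SecRuleEngine On
SecConnEngine DetectionOnly
SecConnReadStateLimit 50 "!@ipMatch 127.0.0.1"
SecConnWriteStateLimit 40
"""

def parse_directives(conf_text):
    """Map lowercased directive name -> argument string (last occurrence kept)."""
    seen = {}
    for line in conf_text.replace("\\\n", " ").splitlines():  # join continuations
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        seen[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return seen

def audit_conn_engine(conf_text):
    d = parse_directives(conf_text)
    limits = {}
    for name in LIMIT_DIRECTIVES:
        tokens = d.get(name.lower(), "").split(None, 1)
        if tokens and tokens[0].isdigit():  # first argument is the numeric limit
            limits[name] = int(tokens[0])
    conn_engine = d.get("secconnengine", "unset")
    if conn_engine.lower() not in ("on", "detectiononly"):
        finding = "connection engine not enabled"
    elif not limits:
        finding = "connection engine enabled but no state limits are set"
    else:
        finding = "connection engine enabled with state limits"
    return {"SecRuleEngine": d.get("secruleengine", "unset"),
            "SecConnEngine": conn_engine, "limits": limits, "finding": finding}

if __name__ == "__main__":
    for label, conf in (("toggle only", TOGGLE_ONLY), ("with limits", WITH_LIMITS)):
        print(label, "->", audit_conn_engine(conf))
```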
  • kgs

    Thank you so much. So, yes, this confirmed what I had previously found. That older discussion was very helpful as well.

    I guess this is such an advanced security feature that the Internet is keeping it a secret as to how to implement it. :) I suppose it's time to move on.

    Thanks again for all your help!

    0
  • cPRex Jurassic Moderator

    Yes, you were exactly right the whole time!

    0
