Enabling ModSecurity Connections Engine?
Howdy! I am having a hard time finding any firm documentation about ModSecurity's connections engine (SecConnEngine).
I understand how to configure it to process rules in WHM, but from what I gather, simply turning it on doesn't actually do anything out of the box because read and write state limits (SecConnReadStateLimit and SecConnWriteStateLimit) need to be set first. Is that right? And apparently this needs to be done in modsec2.user.conf?
Assuming I'm understanding correctly, any guidance on how to set these connection limits, and suggestions on what those limits should be, would be very appreciated.
I would also welcome thoughts on whether or not you think the connections engine should be enabled at all.
Thanks!
-
Hey there! If you don't have SecConnEngine enabled, nothing else really matters as the rules won't be processed. The other two options you mentioned are not present in the WHM interface, and don't need to be manually configured in order for things to start working. We wouldn't make users manually configure something over SSH in order to use a WHM feature.
0 -
So SecConnEngine does work out of the box? Just tell it to "Process the rules" in WHM (assuming OWASP rules are enabled)?
If so, what are the default connection limits?
Thanks!
0 -
Yes, that's all you need to do to get it working.
I'm not aware of any specific connection limits as we don't set those values. What specifically are you looking for?
0 -
Maybe I just don't understand the Connections Engine, but I thought it is supposed to detect too many connections coming in from a single IP, and then limit those connections. So that means there must be some value that triggers the Connections Engine to apply the rules. In my research I saw stuff about SecConnReadStateLimit and SecConnWriteStateLimit.
0 -
I did some additional reading on this and found the following two sections in the ModSecurity documentation:
It's important to note that the default rules that we include with OWASP do not use these values, so it would seem there is not much point to having that enabled. However, if you have custom rules you may want to adjust those values manually as you mentioned. This is why we don't offer any UI tools to adjust those as they won't function with our defaults.
SecRuleEngine is the one I was thinking of that needs to be on or else nothing will happen, so I had those backwards.
Does that help to clear things up?
I also found this older discussion and found all the details there to still be valid:
https://support.cpanel.net/hc/en-us/community/posts/19666544748311-SecConnEngine-why-is-default-off
0 -
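Added example, not part of the thread and not cPanel or ModSecurity code: a small Python check for the situation discussed above, where SecConnEngine is switched on but neither SecConnReadStateLimit nor SecConnWriteStateLimit is set. It assumes a missing SecConnEngine means off, a missing or zero limit means no limit, and the last occurrence of a directive wins; the sample configs and the value 50 are constructed, not recommendations.

```python
# Directive names come from the thread; Apache directive names are case-insensitive.
DIRECTIVES = ("secconnengine", "secconnreadstatelimit", "secconnwritestatelimit")

def parse_conn_settings(conf_text):
    """Return the last value seen for each connection-engine directive."""
    seen = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        parts = line.split(None, 2)
        name = parts[0].lower()
        if name in DIRECTIVES and len(parts) > 1:
            seen[name] = parts[1].strip('"')
    return seen

def audit(conf_text):
    """Return (engine_mode, active_limits, findings) for a config snippet."""
    settings = parse_conn_settings(conf_text)
    # Assumption: an absent SecConnEngine directive is treated as Off.
    engine = settings.get("secconnengine", "off").lower()
    limits = {}
    for key in DIRECTIVES[1:]:
        value = settings.get(key, "")
        # Assumption: a missing or zero limit is treated as "no limit".
        if value.isdigit() and int(value) > 0:
            limits[key] = int(value)
    findings = []
    if engine in ("on", "detectiononly") and not limits:
        findings.append("engine enabled but no state limit set: nothing to enforce")
    if engine == "off" and limits:
        findings.append("state limits set but engine is off: limits inactive")
    return engine, limits, findings

# Constructed sample: engine on, no limits (the case asked about in the thread).
SAMPLE_ENGINE_ONLY = """
SecRuleEngine On
SecConnEngine On
"""

# Constructed sample: engine on with both limits set in a user include.
SAMPLE_WITH_LIMITS = """
SecConnEngine On
SecConnReadStateLimit 50
SecConnWriteStateLimit 50
"""

if __name__ == "__main__":
    for name, conf in (("engine only", SAMPLE_ENGINE_ONLY), ("with limits", SAMPLE_WITH_LIMITS)):
        print(name, audit(conf))
```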
Thank you so much. So, yes, this confirmed what I had previously found. That older discussion was very helpful as well.
I guess this is such an advanced security feature that the Internet is keeping it a secret as to how to implement it. :) I suppose it's time to move on.
Thanks again for all your help!
0 -
Yes, you were exactly right the whole time!
0