Difference between revisions of "Atomic ModSecurity Rules"
m (→Serial logging) |
(→Testing to see if the rules are loaded) |
||
Line 410: | Line 410: | ||
http://YOUR_HOST/foo.php?foo=http://www.example.com | http://YOUR_HOST/foo.php?foo=http://www.example.com | ||
+ | |||
+ | Remember to replace YOUR_HOST with the actual HOSTNAME or IP of the server. | ||
If the rules are properly loaded, you should get a 403 error, if you do not get a 403 error, the rules are not loaded correctly and you need to check your configuration to ensure that you have followed the instructions above correctly. | If the rules are properly loaded, you should get a 403 error, if you do not get a 403 error, the rules are not loaded correctly and you need to check your configuration to ensure that you have followed the instructions above correctly. |
Revision as of 13:05, 28 May 2014
Atomic Secured Linux includes modsecurity, and the Real Time GotRoot.com/Atomicorp Modsecurity Rules. These docs are for users that do not have ASL.
ASL will install and configure modsecurity, and provides a powerful and easy use to GUI to manage all of this for you. If you don't have ASL, upgrade to ASL today!
About the rules
The gotroot.com rules are written by us - we are the gotroot guys. Same great rules, same team, ten years of writing modsecurity rules and still going strong! GotRoot is our Information Assurance lab and Atomicorp is the product arm of Prometheus Global (the parent company for both). So when you get the gotroot.com rules from atomicorp.com or gotroot.com - you're getting the same rules from the same people that created, write and maintain them. In the future we will be merging the gotroot.com, atomicrocketturtle and atomicorp websites into the atomicorp.com website.
We publish two versions of the rules:
RealTime Rules: The latest and greatest version of the rules, with all the performance enhancements, new security features and bug fixes released by us on a daily basis. These rules are fully supported and are recommended for production use.
Free/Delayed Rules: A subset of the realtime rules, which were based on older version. This project was discontinued in October 2013.
Installation of the rules assumes a certain level of comfort with configuring apache. If you are not comfortable with configuring apache, you should contact someone that is, or use our Atomic Secured Linux product which does this automatically for you, and does not require you to configure apache.
Atomic ModSecurity Rules Frequently Asked Questions
Please see the Atomic ModSecurity Rules FAQ wiki page.
Real Time Rule Support
If you have a subscription to the real time rules, you can request email support by sending an email to:
support@atomicorp.com
The Customer Support Forums are located here (you can post here, but these forums are for the labs and free rules, if you post the customer forums the support team monitors those forums regularly):
And the Custom Support Portal is located here (you can submit bug reports and open cases through the portal):
Licenses
The Real Time Atomic ModSecurity Rules are licensed by the server. You can order licenses from the online store at the link below:
If you require additional licenses please log into the AtomiCorp License Manager. You can add additional systems there, you can control your payment methods and you can also sign up to become an affiliate.
Free Trial Licenses
Free 30 day, no obligation trial licenses are also available. Please click on the URL below to sign up for a trial license:
License Terms and Conditions
Purchase of an Atomicorp ModSecurity rule license entitles the purchaser to access and download from the Atomicorp Repository to a single IP address within the time period of the license. A separate license is required for each dedicated server/host or VPS that the rule set is installed upon.
Atomicorp ModSecurity rules installed upon a Reverse Proxy WAF appliance/server requires a separate license. Please contact Atomicorp support for details.
The rule set cannot be copied, mirrored, or reproduced under protection of US and International copyright laws.
Use of the rule set is limited to the time period of the license. If the license period of a rule set expires, it must must removed from its installed server and no longer used. Atomicorp reserves the right to track and enforce license compliance of the Atomicorp Modsecurity rule sets.
Agreement to these terms and conditions and the Atomicorp End User License Agreement is required to download and use the Atomicorp ModSecurity rules.
Important Information about the Rules
Minimum Version of Modsecurity Required to use the rules
The Atomicorp modsecurity rules are written for the latest stable version of modsecurity. Currently that is 2.7.7.
Users of the rules should ensure that they are always using the latest stable version of modsecurity, as these updates contain important security bug fixes. The latest stable version also includes new capabilities that are required for new attacks, and these capabilities may not be available in older versions of modsecurity. In some cases, the rules may not load in older version of modsecurity, in others these fixes may be critical to prevent evasion attacks on modsecurity itself.
If you need a solution to keep the rules and modsecurity up to date automatically, please use ASL which will do this for you automatically.
What does each rule family do?
Please see the WAF rule families documents.
Installation
Easy One Step Installation
Full Management Suite
Install ASL. This installs everything: modsecurity, all the rules, the GUI, rule manager and all ASL components, plus it includes the subscription to the real time rules.
ASL will automatically download and keep your rules up to date, and will ensure that modsecurity stays up to date so your system can support the latest rules. ASL also provides you with a full security management suite, which will allow you to manage, edit and configure your rules through a web console. It will also protect you from uploaded malware, brute force attacks, DOS attacks, rootkits and many other threats that a WAF can not protect you from.
A full list of ASLs features is available at the URL below:
https://www.atomicorp.com/products/asl.html
Just a downloader
We also provide an automated rule downloader and modsecurity installation tool, called "aum". You can install it by running this command as root:
wget -q -O - https://www.atomicorp.com/installers/aum |sh
You can read more about aum on the aum documentation page.
Note: This capability is included in ASL. ASL users do not need to install aum, its already included.
(Optional) Do It Yourself Installation
Note: A manual installation is not necessary if you have ASL installed. ASL will configure and install modsecurity, and the rules, automatically. This is also not necessary if you are using our new AUM software to handle rule download and installation.
Step 1: Download ModSecurity
RPMs:
Install modsecurity from the Atomicorp RPM repository
Note: We do not provide support for source installs of modsecurity or third party builds of modsecurity..
Step 2: Set up and configure directories
If you are you are using a standard apache installation you can skip this step. If you are not using a standard apache installation, such as cpanel and source builds of apache you will need to follow this step.
Create the following directories as root:
mkdir /etc/httpd/modsecurity.d mkdir /var/asl mkdir /var/asl/tmp mkdir /var/asl/data mkdir /var/asl/data/msa mkdir /var/asl/data/audit mkdir /var/asl/data/suspicious
Step 3: Set permissions for directories
Set the following permissions on the directories you just created. In this example these directories are set to be owned by "apache" and the group "apache", which is standard on a normal Centos or RHEL system. However some control panels configure apache to run as a different user, such as nobody, or http.
To determine what use this is, check your system to see what user your webserver uses. You can use this command to find the user:
ps auxwww | grep httpd
The output will look similar to this:
(RHEL/Centos example with or without Plesk)
root 26755 0.0 4.3 430752 86432 ? Ss 04:30 0:01 /usr/sbin/httpd apache 26908 0.0 3.7 300564 75076 ? S 04:30 0:00 /usr/sbin/httpd apache 26909 0.1 5.5 495812 112084 ? S 04:30 0:37 /usr/sbin/httpd apache 26910 0.0 5.3 495424 106672 ? S 04:30 0:23 /usr/sbin/httpd apache 26911 0.1 5.7 495892 114368 ? S 04:30 0:57 /usr/sbin/httpd apache 26912 0.1 5.7 496056 114440 ? S 04:30 0:52 /usr/sbin/httpd apache 26913 0.1 5.5 496604 110692 ? S 04:30 0:57 /usr/sbin/httpd apache 26914 0.0 5.7 499324 116236 ? S 04:30 0:16 /usr/sbin/httpd apache 26915 0.2 5.5 493600 112192 ? S 04:30 1:09 /usr/sbin/httpd apache 26916 0.1 6.4 513760 129992 ? S 04:30 0:30 /usr/sbin/httpd
In this example the user in bold is "apache" (this may be different for your system). This is the user you will want to set the directory permissions to (as in the example below):
chown apache.apache /var/asl/data/msa chown apache.apache /var/asl/data/audit chown apache.apache /var/asl/data/suspicious chmod o-rx -R /var/asl/data/* chmod ug+rwx -R /var/asl/data/*
(RHEL/Centos example with Cpanel)
root 20594 86.8 3.1 255148 181232 ? Ss 11:39 0:04 /usr/local/apache/bin/httpd -k restart root 20611 0.0 3.1 255060 179596 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart nobody 20612 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart nobody 20613 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart nobody 20614 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart nobody 20615 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart nobody 20616 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
In this example from a Centos system running Cpanel the user is "nobody", so you would want to use these commands:
chown nobody.nobody /var/asl/data/msa chown nobody.nobody /var/asl/data/audit chown nobody.nobody /var/asl/data/suspicious chmod o-rx -R /var/asl/data/* chmod ug+rwx -R /var/asl/data/*
Step 4: (Optional) Create rule updater directories
These directories must as be created if you use optional rules updater. Create these directories as root and they only need to be accessed by root:
mkdir /var/asl/updates mkdir /var/asl/rules/ mkdir /var/asl/rules/clamav
Step 5: Create the whitelist file
Create this file:
touch /etc/asl/whitelist
This file contains a list of IPs you want to exclude from ALL rules. That means those IPs can do anything to your system - so be very very careful about what IPs you add to this list. This is a dangerous thing to do. The format of the file is a single IP, per line.
Cpanel users should skip to the notes at the bottom of this page for special additional actions for cpanel systems. All other users should continue with these instructions.
Step 6: Configure your webserver
nginx
Step 6a: configure nginx to load modsecurity
Add the following directives to your nginx.conf file.
location / { ModSecurityEnabled on; ModSecurityConfig modsecurity.conf; ModSecurityPass @backend; } location @backend { proxy_pass http://localhost:8011; proxy_read_timeout 180s; }
Apache
Step 6a: configure apache to load modsecurity
You then need to tell apache to load modsecurity. Depending on your apache configuration, apache should be configured to include configuration files. If you have a setting like this in your apache config:
Include conf.d/*.conf
Then you are setup to load external configuration files. If you do not have this setup, its highly recommend you add this. This installation guide is written for this type of configuration. Loading mod_security occurs by including a modsecurity configuration file in that directory. We recommend you name the name 00_modsecurity.conf to ensure it runs first. Its vitally important that modsecurity load before other modules, otherwise attacks can occur before modsecurity scans them and some attacks can be missed.
An example 00_modsecurity.conf file that works with our files is included here:
LoadModule security2_module modules/mod_security2.so LoadModule unique_id_module modules/mod_unique_id.so <IfModule mod_security2.c> Include modsecurity.d/tortix_waf.conf </IfModule>
Install this file in your conf.d directory. On a standard RHEL or Centos system that directory is located here:
/etc/httpd/conf.d/
Step 7: Configure modsecurity
You then need to configure modsecurity. This is done via the an apache configuration file. In this example, we will create the file "tortix_waf.conf". Here is an example file that works with our rules:
SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType (null) text/html text/plain text/xml SecResponseBodyLimit 2621440 SecServerSignature Apache SecComponentSignature 200911012341 SecUploadDir /var/asl/data/suspicious SecUploadKeepFiles Off SecAuditEngine RelevantOnly SecAuditLogRelevantStatus "^(?:5|4(?!04))" SecAuditLogType Concurrent SecAuditLog logs/audit_log SecAuditLogParts ABIFHZ SecArgumentSeparator "&" SecCookieFormat 0 SecRequestBodyInMemoryLimit 131072 SecDataDir /var/asl/data/msa SecTmpDir /tmp SecAuditLogStorageDir /var/asl/data/audit SecResponseBodyLimitAction ProcessPartial SecAuditLogDirMode 0770 SecPcreMatchLimit 250000 SecPcreMatchLimitRecursion 250000
You will want to install this file in your modsecurity.d directory, which is located here if you follow the instructions above:
/etc/httpd/modsecurity.d
tortix_waf.conf
You can also download an example version of the modsecurity configuration file from here:
https://www.atomicorp.com/installer/tortix_waf.conf
ASL will automatically generate this file depending on your needs. If you are not using ASL, you will need to modify this configuration file to suit your system and modsecurity requirements.
Step 8: Download the ModSecurity Rules
See the Downloading Rules page.
Step 9: Install the rules
Remove any previous installations of rules
If you have installed our delayed rules, you will need to make sure you have deleted them. You will not want to have any older versions of the rules installed.
Also, if you have installed any third party modsecurity rules, you will want to make sure they are using rule id's that are assigned to them. The modsecurity project assigns ranges to the rule id's modsecurity uses. Modsecurity requires a unique id for each rule, otherwise you will get an error like this:
ModSecurity: Found another rule with the same id
This means either that someone else is using the same rule id's assigned to our ruleset by the modsecurity project (our official range is 300000-399999), or you have loaded our rules twice.
Installation
Download the rules to a temporary directory using your favorite download tool. Extract the rules:
tar zxvf /var/asl/updates/modsec-200911012341.tar.gz
Then copy the ASL rules into /etc/httpd/modsecurity.d:
cp modsec/* /etc/httpd/modsecurity.d/
If you are using cpanel, please see the notes at the bottom of this page, cpanel does not use the standard locations for apache configuration files.
Finally, load the rules. Make sure you specify only those rule files that are appropriate for your system. For example:
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf
Warning: You should NOT include all the rules. There are rulesets, documented above, that replace other rulesets and are incompatible with each other.
Recommend minimum rulesets
The recommended minimum ruleset to load is:
Include /full/path/to/your/rules/modsecurity.d/00_asl_0_global.conf Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf Include /full/path/to/your/rules/modsecurity.d/11_asl_adv_rules.conf Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf
If you have modsecurity 2.7.7 and up installed, you should also load additional rule files and should use this ruleset:
Include /full/path/to/your/rules/modsecurity.d/00_asl_0_global.conf Include /full/path/to/your/rules/modsecurity.d/00_asl_z_antievasion.conf Include /full/path/to/your/rules/modsecurity.d/00_asl_zz_strict.conf Include /full/path/to/your/rules/modsecurity.d/09_asl_rules.conf Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf Include /full/path/to/your/rules/modsecurity.d/11_asl_adv_rules.conf Include /full/path/to/your/rules/modsecurity.d/11_asl_data_loss.conf Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf Include /full/path/to/your/rules/modsecurity.d/51_asl_rootkits.conf Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf
Note: Some of these rulesets are designed to work with advanced security management systems such as ASL and may not work completely without an advanced management system.
Notes on Scanner ruleset
NOTE: If you use this file:
05_asl_scanner.conf
Or this file:
99_asl_scanner.conf
ASL includes malware upload scanning, rules subscriptions do not.
If you wish to use this ruleset, and you are not using ASL, then you will need to create a script to pass the files to clamd and read the result. Make sure you have clamd installed and configured correctly to list on a TCP port, or if you use a socket, make sure apache can read/write to this socket or as a last resort, run clamd as root. Using this file will force all web uploads on your system to go thru clamav to look for malware, viruses, etc. If you dont need that, then you can leave this config file out.
Real time malware upload protection is included in ASL and uses a faster method than the older style modsecurity scripting method above. So if you need realtime malware upload protection (for web, FTP, or even realtime), then upgrade to ASL which includes highspeed malware upload protection, full support, automatic and hassle free installation. ASL also protects against any form of upload of malware, including HTTP, HTTPS, SSH and FTP uploads and includes our real-time malware detection and prevention system which will detect and block any malicious software running on the system in realtime. This is just one of the many many features of ASL.
Step 10: Test your web server
Test nginx
nginx -t -c <NGINX_CONFIG_FILE>
Where NGINX_CONFIG_FILE is your nginx.conf file.
Test Apache
Before restarting apache we recommend you test your configuration by running apache with the "configtest" command. On a standard system you can do this by calling your apache init file like this:
/etc/init.d/httpd configtest
If you get errors, check to see that you don't have some extraneous configuration files installed.
Testing to see if the rules are loaded
Step 1) (for non ASL systems) Make sure you have the rules installed exactly as described on this page. This test may not work if you have not followed these instructions. (If you used ASL to setup your WAF, and you have not installed any third party tools that configure, install or manage modsecurity then your rules are installed correctly and you do not need to review the instructions on this page. If you have manually altered your modsecurity configuration then you will need to review this entire article. Manual modifications of ASL modsecurity configurations are not supported.)
Step 2) Make sure all rules are enabled
Ensure that you do not have any of our rules disabled. This test assumes you do not have any rules disabled, that you are not whitelisting the source of this test and that your have the Atomicorp rules loaded.
Step 3) Make sure you do not have the system you are performing this from is whitelisted
For example, cpanels default modsecurity configuration will configure modsecurity to ignore everything from 127.0.0.1, or from the system itself. So if you perform the test above from the server itself, and you have not removed this cpanel whitelist, then this test will not work.
Step 4) Run the test
On the system where the rules are installed run this command (this assumes you have wget installed):
wget http://localhost/foo.php?foo=http://www.example.com
If the test worked, should get a 403 error if the rules are loaded, which will look similar to this:
--2010-05-27 20:12:25-- http://localhost/foo.php?foo=http://www.example.com Resolving localhost... 127.0.0.1 Connecting to localhost|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 403 Forbidden 2010-05-27 20:12:25 ERROR 403: Forbidden.
If you do not get a 403 error, the test did not work. You can also use your browser to test the rules by going to a URL similar to this:
http://YOUR_HOST/foo.php?foo=http://www.example.com
Remember to replace YOUR_HOST with the actual HOSTNAME or IP of the server.
If the rules are properly loaded, you should get a 403 error, if you do not get a 403 error, the rules are not loaded correctly and you need to check your configuration to ensure that you have followed the instructions above correctly.
Note: If you do not have wget installed, then you will need to install it or a similar tool to run this test from a Linux or UNIX based system. If you are using Windows, you can use a similar tool or your browser.
What to do if you do not get a 403 error
If you get a different error, such as a 404 error or a 5xx series error check your configuration. The following are common causes of this:
1) You have rules disabled
Make sure you do not have any rules disabled.
2) Your IP is whitelisted
There is a rule whitelisting the system you are conducting this test from. Whitelisting tells the WAF to ignore everything from that source.
For example, cpanels default modsecurity configuration will configure modsecurity to ignore everything from 127.0.0.1, or from the system itself. So if you perform the test above from the server itself, and you have not removed this cpanel whitelist, then you will not get a 403 error. More than likely you will get a 404 error. The solution is to remove any whitelists from your system.
Note: Whitelisting the server itself can open a hole in your security. You should not whitelist localhost or the servers own IP address. This is both unnecessary, and doing so will allow any users on the system to carry out attacks on other domains on the system unimpeded. Make sure you do not have any rules like that, this opens a very large hole in your system.
3) Local error message is different
You or someone else may have configured your system to use a different error message. Check your configuration, and make sure it exactly matches the ones on this wiki. IF you are using kind of plugin that does not return a 403 when a connection is rejected, and you must use this, then you will need to manually check your mod_security logs to see if your test is being rejected by modsecurity. If it is, then your rules are working correctly and you can ignore the error code.
4) Third party addons
You have third party rules or addons installed with your modsecurity configuration that are changing the responses. Remove all third party addons, and make sure your configuration exactly matches the instructions on this page
5) Insecurely configured apache
Some control panels are known to disable modsecurity on localhost, and on the systems IP addresses. These highly insecure control panels essentially disable modsecurity if an attacker connects to the systems IP address. This of course leaves your system wide open to attack, and if you are unlucky enough to be using one of these control panels we recommend you report this to your control panel vendor as a serious vulnerability. If they are unwilling to fix it, then we recommend you find a more security concious control panel vendor.
Example:
We have seen some control panels that configure modsecurity to be disabled in the /etc/httpd/conf/httpd.conf file for all the local IPs on the system.
<VirtualHost <LOCAL IP ADDRESS>:80 127.0.0.1:80 *> <IfModule mod_security2.c> SecRuleEngine Off </IfModule>
If your control panel has this vulnerability, you can remove this, but its very possible the control panel will simply open this hole in your system again. We highly recommend you report this vulnerability to your control panel vendor, and if they are unwilling to fix this vulnerability that you find a more security concious control panel vendor.
6) You arent loading the rules
This is common with custom configurations. Check to make sure your webserver is configured to load the rules. Keep mind that modsecurity will still generate generic messages even though the rules are not loaded. For example, if all you see are events like this:
--70c19f31-A-- [01/Jan/2013:11:19:13 --0300] roiKIi6Ni3EKFZSKpSUs2iEb 1.2.3.4 34978 5.6.7.8 80 --70c19f31-B-- HEAD / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Accept: */* --70c19f31-F-- HTTP/1.1 403 Forbidden X-Powered-By: PHP/5.4.20 Expires: Thu, 19 Jan 2001 02:12:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html --70c19f31-H-- Stopwatch: 1383338363503919 358184 (- - -) Stopwatch2: 1383338363503919 358184; combined=2144, p1=37, p2=2053, p3=0, p4=0, p5=53, sr=0, sw=1, l=0, gc=0 Producer: ModSecurity for Apache/2.7.5 ( http://www.modsecurity.org/). Server: Apache Engine-Mode: "ENABLED" --70c19f31-Z--
In this example, no rule is being triggered, but modsecurity is logging a basic 403 error. It will do this if the modsecurity configuration is loaded, but not the rules. So if you see this happening on your system, and you have ruled out all other issues in this list, it means your custom configuration isnt loading the rules.
ASL will automatically configure modsecurity correctly. So if you are having problems configuring modsecurity yourself, then we recommend you use ASL to setup modsecurity for you.
Automated rules updates
Please see the ASL page for installation instructions.
Tuning the Rules/Disabling Rules
Disabling Rules
See the mod_security page for details.
Tuning the Rules
See the mod_security page for details.
Troubleshoot the Rules
See the Atomicorp WAF Rules Troubleshooting page for details.
Reporting False Positives
See the Reporting False Positives page for details.
Notes
Special notes for CPANEL users not using ASL
The Atomicorp Modsecurity rules work great with Cpanel, right out of the box. To use them with Cpanel either install ASL, or manually install modsecurity and make a few changes to the mod_security configuration that comes with cpanel and then you are all set!
Installing modsecurity in cpanel
Option 1) Simplest and most powerful solution
Install ASL. This will install modsecurity, configure it and will install the rule and event management GUI available in ASL
Option 2) Install just the rules
Manually Configuring modsecurity with cpanel
These are additional considerations for installing modsecurity with cpanel. Please read this entire page, as well as this section if you are installing modsecurity with cpanel (even if you already have modsecurity install with cpanel).
We recommend if you are using cPanel that you follow this advice, as cpanel includes a very minimal configuration for modsecurity that does not include all of the required and optimal settings documented here. Our settings will make your server faster, and more importantly more secure. If you use mod_security with Cpanel you must add these additional settings to experience the full feature set of mod_security.
Step 1
Make sure you have read this entire document and have setup all the require directories details above.
Step 2: Configure directory permissions
Cpanel also does not run apache as a standard user (such as apache) but as the older non-privileged user "nobody". You will need to ensure then that the work directories that mod_security uses are owned by the user that Cpanel runs apache as. To find this out you can run this command as root:
ps auxwww | grep httpd
root 20594 86.8 3.1 255148 181232 ? Ss 11:39 0:04 /usr/local/apache/bin/httpd -k restart root 20611 0.0 3.1 255060 179596 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart nobody 20612 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart nobody 20613 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart nobody 20614 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart nobody 20615 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart nobody 20616 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
In this example from a Centos system running Cpanel the user is "nobody", so you would want to use these commands to configure the modsecurity work directories for a system where apache is running as "nobody":
mkdir /var/asl mkdir /var/asl/data/ mkdir /var/asl/data/msa mkdir /var/asl/data/audit mkdir /var/asl/data/suspicious chown nobody.nobody /var/asl/data/msa chown nobody.nobody /var/asl/data/audit chown nobody.nobody /var/asl/data/suspicious chmod o-rx -R /var/asl/data/* chmod ug+rwx -R /var/asl/data/*
Step 3: Install modsecurity
Please see the current minimum version required at the link below:
Step 4: Configure cpanel
Make a small change to the cpanel modsecurity configuration. A typical cpanel modsec2.conf configuration file looks like this:
LoadFile /opt/xml2/lib/libxml2.so LoadFile /opt/lua/lib/liblua.so LoadModule security2_module modules/mod_security2.so <IfModule mod_security2.c> SecRuleEngine On # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf # "Add the rules that will do exactly the same as the directives" # SecFilterCheckURLEncoding On # SecFilterForceByteRange 0 255 SecAuditEngine RelevantOnly SecAuditLog logs/modsec_audit.log SecDebugLog logs/modsec_debug_log SecDebugLogLevel 0 SecDefaultAction "phase:2,deny,log,status:403" Include "/usr/local/apache/conf/modsec2.user.conf" </IfModule>
Because cpanel will overwrite this configuration, you need to modify your user configuration file. You will want to setup your user configuration file (/usr/local/apache/conf/modsec2.user.conf) as in the example below. This is the recommended configuration and the minimum recommended rule sets that are designed to work with cpanel without ASL installed. Please be sure to read this entire page for information about additional rules that you may also want to use with cpanel.
SecRequestBodyAccess On SecAuditLogType Concurrent SecResponseBodyAccess On SecResponseBodyMimeType (null) text/html text/plain text/xml SecResponseBodyLimit 2621440 SecAuditLogRelevantStatus "^(?:5|4(?!04))" SecServerSignature Apache SecUploadDir /var/asl/data/suspicious SecUploadKeepFiles Off SecAuditLogParts ABIFHZ SecArgumentSeparator "&" SecCookieFormat 0 SecRequestBodyInMemoryLimit 131072 SecDataDir /var/asl/data/msa SecTmpDir /tmp SecAuditLogStorageDir /var/asl/data/audit SecResponseBodyLimitAction ProcessPartial Include /full/path/to/your/rules/modsecurity.d/00_asl_z_antievasion.conf Include /full/path/to/your/rules/modsecurity.d/00_asl_zz_strict.conf Include /full/path/to/your/rules/modsecurity.d/09_asl_rules.conf Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf Include /full/path/to/your/rules/modsecurity.d/11_asl_adv_rules.conf Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf
If you want to load just some of the rules, make sure you specify only those rule files. The default list above is the recommended and supported rulesets with cpanel. Do not use the other asl rulesets with cpanel, those other rules either use other apache modules (such as mod_sed) or ASL specific features that require ASL.
Make sure you have all of the settings on this page to use modsecurity with cpanel correctly, failing to do that will make it impossible for us to support you and modsecurity will not as quickly or correctly exposing your system to attack and slowing it down.
Step 5: Install mod_uniqueid
Cpanel users will need to manually verify that the mod_unique_id module is loaded by cpanel's apache. It should be loaded by default, but check your cpanel configuration to be sure.
Step 6: Install the rules
Automatic Rule Updater
Run ASL:
aum -u
Manually install the rules
See the Downloading rules section above.
Step 7: Restart Apache
Restart apache, enjoy your new secure web server!
Optional Steps
Malware Scanner
The malware scanner is included in ASL, it is not included in the rules or rule subscriptions. Therefore, if you use this file:
05_asl_scanner.conf
Or this:
99_asl_scanner.conf
You will need to include your own scanner, and will need to make sure you have clamd installed and configured correctly to listen on a TCP port, or if you use a socket, make sure apache can read/write to this socket or as a last resort, run clamd as root. Using this file forces all web uploads on your system to go thru clamav to look for malware, viruses, etc. If you dont need that, then you can leave this config file out.
Cpanel Error Messages
modsecparse.pl
This is a third party tool not provided by, or supported by Atomicorp. If you use this tool, it apparently does not work with the new fast concurrent logging system in modsecurity. The concurrent logging system is much faster, will speed up apache and is less resource intensive that the older serial method.
However, if you use this tool you must use the slower serial logging method, as it does not support the faster concurrent method. To use this tool, change the SecAuditLogType setting from "Concurrent" to "Serial":
SecAuditLogType Serial
Keep in mind that this logging method is much slower, may slow down apache and is not supported. This performance impact is not caused by the rules. Serial logging is much slower than concurrent logging. Therefore we do not recommend you use this logging method or any tools that require it. There are lots of modsecurity log readers that can use the concurrent logging method, such as ASL and we encourage you to explore using one of those modern tools instead.
Serial logging
The concurrent logging system is much faster, will speed up apache and is less resource intensive that the older serial method.
If you want to use the slower serial logging method change the SecAuditLogType setting from "Concurrent" to "Serial":
SecAuditLogType Serial
Keep in mind that this logging method is much slower, may slow down apache and is not supported. This performance impact is not caused by the rules.
Serial logging is much slower than concurrent logging and will slow down apache. Therefore we do not recommend you use this logging method or any tools that require it. There are lots of modsecurity log readers that can use the concurrent logging method, such as ASL and we encourage you to explore using one of those modern tools instead.
If you change your system to the slower Serial method, you may also want to change the logfile name you are using for your modsecurity logs. You can do that by changing this option in your configuration:
SecAuditLog logs/audit_log