Difference between revisions of "Atomic ModSecurity Rules FAQ"

From Atomicorp Wiki
Revision as of 21:31, 30 January 2011

Support Questions

How can I purchase your realtime modsecurity rules?

To purchase a license for the Atomicorp ModSecurity Rules, visit Atomicorp's Gotroot Modsecurity Rules page and click the Buy Now icon, or click on this link.

Help! I need help!

See the Atomic ModSecurity Rules Support page for instructions on contacting support, opening a case and other tools you can use to get assistance.

I have a false positive/negative, how do I report it?

Solution:

You can also follow the Reporting False Positives procedure, which provides detailed instructions for reporting a false positive if you cannot use the GUI, or if you prefer to report it from the command line.

FP/FNs are usually resolved, and an update released, the same day they are reported; during normal business hours this is usually within a few hours.

What is your approximate support response time?

For email-based support, within 4 hours of the request during normal business hours, which are Monday-Friday from 9am - 5pm EST, except on US Federal Holidays. Requests received after hours will be responded to on the next business day.

For extended support customers, the response time is dictated in the support contract and includes after hours support, and may include 24/7 support depending on the support contract.

What are your normal support hours?

Support business hours are 09:00 AM to 05:00 PM, US Eastern Time, Monday through Friday, excluding US holidays, when we are closed.

Our Holiday schedule is published here: Atomicorp Holiday Schedule

Support requests received after hours will be addressed during the next business day.

Do you offer support outside of your normal support coverage?

Yes, for customers with extended support contracts. Please contact sales@atomicorp.com for more information.

Do you offer phone support?

Yes, for customers with existing extended support contracts. Please contact sales@atomicorp.com for more information about extended support contracts.

Phone support is not available without an existing extended support contract.

How can I give atomicorp support access to my system?

Answer:

Please run this command as root to give us access to the system (please do not send us passwords, this tool will set us up access using our SSH keys):

wget -q -O - https://www.atomicorp.com/installers/key |sh

To remove access just remove the "atomic" user when you are finished.

If you use ASL's admin user feature, or sshd's AllowUsers feature, make sure you add the "atomic" user to the allowed users.

If you need to open firewall access, we will be logging in from these addresses:

atlas.progllc.com

hero.progllc.com

And finally, remember to send us the IP address(es) of the system(s) you want us to log into, and if you run SSH on a non-standard port please include that information as well.


What should I do if I believe a system has been compromised?

Answer:

First, stop and ask yourself what you want to do. Do you want to prosecute, or do you just want to find the problem and fix it? This is a critical question, because if you want to prosecute you must preserve evidence, and the actions you take to fix the intrusion may destroy that evidence or make it inadmissible. If you want to prosecute, contact us to discuss your situation, as you may need professional help to build a case. Also, if you choose to prosecute, you should know that in some jurisdictions the personnel working on your case may need special licenses to do this, otherwise they may be committing a felony (Michigan, for example, requires a Private Investigator license to perform computer forensics that will be used in court; doing that work without this license is a felony).

If you want to find out what happened and just clean up, please continue with this checklist.


First, start with the simple case: the compromise may have occurred by the attacker simply stealing a user's password and logging into the system. We have put together a wiki article that provides guidance for those cases:

Compromised System: FTP

If you know that an attacker did not simply log into the system with stolen credentials please read this Wiki article:

Compromised System

In most cases we have seen, attackers are stealing users' passwords and keys via keyloggers and trojans and simply logging in. In those cases there is no technical vulnerability in your system; the issue lies with your users and their computers. So check your logs first to see if someone simply logged into your account or your users' accounts. You'd be surprised at how often we see that happen.

If you find yourself in this situation, we recommend you explore two-factor authentication options such as SecurID, OTP generators on your cell phone (not on your computer: if the computer has been compromised, so has the OTP!) and other hardware tokens.

You can also use an operating system that is more secure for your desktop such as Linux, Solaris, BSD or MacOS.


General Questions about the rules

What do the Atomic ModSecurity Rules protect against?

Many things; these are just some of the attacks our WAF rules are designed to protect against:

  • SQL Injection
  • Cross-Site Request Forgery (CSRF)
  • Cross Site Scripting (XSS)
  • Injection (RFI and raw code)
  • Encoding Abuse
  • Protocol Abuse
  • Unicode and UTF-8 attacks
  • HTTP Smuggling
  • Response Splitting
  • Proxy Abuse
  • Session Fixation
  • Invalid and Null Character
  • Path Recursion
  • Unauthorized Code, such as shells, spamtools and mailers (PHP, ASP, Perl and other shells)
  • Attack Tools and unauthorized scanners
  • Web Spam (Blog, Forum, Guestbook, and others)
  • Backup and protected file and directory protection
  • Command injection
  • Malicious scripting (javascript, vbscript, etc.)
  • Hidden content spamming
  • Hidden and malicious iframes
  • Bogus content
  • XML attacks
  • Data, Sensitive Information and Configuration Leakage
  • Malicious and spammer useragent blocking


The rules also include:

  • Just In Time Patches for web application vulnerabilities
  • Malicious "Google Hacks" Recon Blocking
  • Real Time Blacklists
  • Realtime malicious domain blocking
  • Realtime redactor for removing malicious content from websites on the fly

And more! We put out updates to our rules daily with new protections and enhancements.

Are these the gotroot.com rules?

Yes, they are one and the same (and that website is being merged into this website). We are the oldest and most experienced mod_security rule authors out there. We were putting out rules long before mod_security was acquired, and then acquired again. More sites use our rules, and have been using them longer, than everyone else combined. If you use our rules, you're in good company.

What is included with an Atomic ModSecurity Rules subscription?

  • Access to the real time mod_security and clamav rules we publish. If you require additional features, please consider upgrading to our premier Linux security product Atomic Secured Linux.
  • Email and Web Based support during normal support hours.
  • Support fixing false positives
  • Development of new rules based on request.

Does a real time subscription include both the modsecurity and clamav rules?

Yes, realtime subscribers get instant access to the latest modsecurity and clamav signatures. We release updates daily based on new attacks we detect from our honeypots, new methods our labs develop, as well as fixes and improvements.

I have unpatched web applications, will your modsecurity rules protect me?

In nearly every case the answer is yes. That's exactly why we created the rules, and why we include Just In Time Patches in our rules to patch old applications such as Joomla. Unpatched vulnerabilities and zero-day attacks are what we specialize in.


Do I need to install mod_security to use your rules?

You must install mod_security to use our rules.

What about mod_evasive and Suhosin, do I also need those for full protection?

No, our rules do not require these modules to protect you. We do include mod_evasive in ASL to provide DoS protection for web applications; mod_security is not the right tool for DoS protection. If you are concerned about DoS attacks, then you should upgrade to ASL.

Suhosin is also not necessary to use our rules, nor do we depend on it to protect against web attacks. With that said, Suhosin is a great module, but it does require tuning. We do recommend you install it, but understand that it needs to be tuned for your system. Most of our customers do not use it, nor is it necessary to be protected against web attacks; it's just another line of protection.

What is asl-lite?

ASL Lite is a free lightweight rule updater project designed specifically as an atomicorp.com mod_security rule downloader for custom apache environments, control panel software like cpanel and directadmin, or non-apache/mixed web server implementations. ASL Lite uses a guided dialog similar to the standard ASL configuration, that allows for the definition of custom commands for restarting web services, location of configuration files, and use via cron.

asl-lite is free for anyone to use. You can read more about it including how to install it (if your system supports asl-lite):

asl-lite

Compatibility

Operating Systems

We support Linux, Microsoft Windows, MacOS, BSD, Solaris and AIX.

Please note that when an operating system or distribution is no longer supported by the vendor we also no longer support that operating system.

Control Panels

Our modsecurity rules work with any control panel. The rules are independent of the control panel, which means they work with cPanel, Plesk, DirectAdmin, Hsphere, Virtualmin, or any other panel right out of the box, without modification.

Web Servers

Apache

Modsecurity, the WAF the rules were written for and the one we use in our [ASL] product, was written for Apache.


LiteSpeed

LiteSpeed has a proprietary implementation of mod_security, the WAF module we use in Apache. It is not a drop in replacement and supports a very old version of the ruleset (1.9). This ruleset was deprecated many years ago, and is no longer supported or used. Unfortunately, this means that LiteSpeed does not support modern modsecurity rules, and it is therefore not currently compatible with any modern mod_security rules.

Supporting LiteSpeed would require LiteSpeed to update their proprietary WAF implementation to support modern modsecurity rules. Rules written for the current LiteSpeed implementation would need to be significantly weakened, and would be much slower with LiteSpeed, as it does not support the new rule language in mod_security that allows us to design in performance enhancements as well as to protect against modern web application attack methods.

If you want to use LiteSpeed, you will either have to forgo web application protection, or you will need to install an Apache proxy in front of LiteSpeed to use our WAF. We recommend you contact LiteSpeed and encourage them to support the modern 2.5 version of the modsecurity rule language.

Please see the Litespeed wiki article for the latest information on LiteSpeed support.

Configuration and Installation Questions

How do I install modsecurity?

Please see the [Atomic ModSecurity Rules] page.

How do I configure your modsecurity rules?

Please see the [Atomic ModSecurity Rules] page.

How can I modify or disable mod_security rules for a domain, rule, or globally?

See the [mod_security] page for more instructions.

How do you exclude a domain from the modsecurity rules?

Solution:

See the [mod_security] page for more instructions.

Note: This is very dangerous. It is not recommended, as it leaves the entire domain open to all web-based attacks, which could also potentially cause the entire server to become compromised. If you find that you are experiencing any false positives, please report them to support@atomicorp.com and we will fix the false positives for you rapidly. We generally release a fix the same day the issue is reported; it's all part of the service and it's included for free. We're here to help, just ask.
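As an added illustration (not configuration from the wiki's mod_security page or from the Atomicorp rule set), the following ModSecurity 2.x Apache fragment contrasts the whole-domain exclusion this note warns against with two narrower alternatives: removing one rule for one host, or removing it only for one URI prefix on that host. The hostnames, the path and the rule ids are placeholders; the real id comes from the rule that fired in your audit log.

```apache
# Constructed example; hostnames, path and rule ids are placeholders.

# Option A: what "excluding a domain" amounts to. SecRuleEngine Off inside
# the VirtualHost switches the WAF off for every request to this host, so
# none of the protections listed earlier on this page apply to it.
<VirtualHost *:80>
    ServerName unprotected.example.com
    SecRuleEngine Off
</VirtualHost>

# Option B: keep the engine on and remove only the rule that misfires,
# for this host only. 999999 stands for the rule id reported in the
# ModSecurity audit/error log for the false positive.
<VirtualHost *:80>
    ServerName perhost.example.com
    SecRuleEngine On
    SecRuleRemoveById 999999
</VirtualHost>

# Option C: narrower still. A phase-1 rule matches only the URI prefix
# that produces the false positive and uses the ctl action to drop the
# misfiring rule for that request alone; every other path keeps it.
<VirtualHost *:80>
    ServerName peruri.example.com
    SecRuleEngine On
    SecRule REQUEST_URI "@beginsWith /app/upload/" \
        "phase:1,pass,nolog,id:999998,ctl:ruleRemoveById=999999"
</VirtualHost>
```

Options B and C keep every other rule active on the host, so the request that caused the false positive can still be reported to support while the rest of the domain stays protected.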

Why should I change my CPanel mod_Security config file?

It's incomplete and will not scan for all types of attacks. We are security experts; all we do is think about ways of stopping the bad guys.

Can I setup a cronjob to automatically update the rules?

Absolutely. We recommend you do that as we put out updates to the rules daily that include new protections and fixes.


Troubleshooting

I used to use your Free rules, with the new rules the dates on some of my rule files appear to have changed

That is expected. ASL-Lite is a rule updater, and we release updates daily. Sometimes even multiple times a day depending on attack trends.

asl-lite -u says "package asl is not installed".

asl-lite is a subset of ASL, so it has the same update code used in ASL. This is expected, in future releases the plan is to have it check for asl-lite updates.

I'm getting this error "Rule execution error - PCRE limits exceeded (-8): (null)."

This is a limitation of your build of mod_security; the Atomicorp mod_security builds do not produce this error. You can either download our builds from here:

Atomicorp RPM repository

Or you will need to build it the way we do with our RPM (see the %build section of http://www4.atomicorp.com/channels/source/mod_security/mod_security.spec).

Or check the Atomicorp forums to see what luck other users have had, if you choose to use a third party's mod_security build.

Your best choice is to use our builds.

/usr/bin/modsec-clamscan.pl is not installed on the server.

Malware scanning is not included in the rules only subscription. ASL comes with malware upload scanning for HTTP, SSH, FTP and other protocols, including real time malware protection and much more. If you want malware upload protection, upgrade to ASL.

We also don't include that file or use the methods demonstrated in it because it doesn't scale very well.

Rule: 30104 fired (level 12) -> Apache segmentation fault

Solution:

This means that Apache is experiencing a recoverable memory error. We have found that mod_memcache seems to cause this on some systems; bad PHP scripts can do it, as can mod_rewrite rules that cause loops. Try disabling mod_memcache first; turning it off has worked for many users. If you still get segfaults, you will need to investigate which application is causing the error.

Also, see this wiki article for more information on apache debugging:

http://www.atomicorp.com/wiki/index.php/Apache
