Free ASL Delayed ModSecurity Rules are no longer

Dave G

Member
Not sure the best place to post this but here it is quoted from Config Server blog:
http://blog.configserver.com/?p=2080

"In their infinite wisdom, ASL have decided to no longer provide their delayed ModSecurity rules as from today with no warning whatsoever. They were a very useful resource to those that did not wish to pay for the supported live rules, but they are now gone.

The update script that we provided with our services packages will now no longer function. You can either continue using the rules that are installed, but if you require updated rules in the future, you will need to pay ASL for them."

I'm clueless about ModSecurity rules and not sure what to do about this but I am going to do some research.
 
@Dave G

I'm not overly familiar with Modsec, but it is a very powerful system for blocking certain types of attacks - though it takes a lot of work to write the rules to do this.

I wouldn't be overly concerned with this, as there are many many providers of "default" rule sets out there, so I'm sure CS will team up with another one of sorts and allow theirs to be defaulted in.
 
I remember trying the free ASL rules before and they were mostly disabled unless you had the paid version anyways. I just use the core rule set and while some things get through (such as the WordPress brute force attack) the majority gets stopped.
 
Just food for thought, but you could start a thread to invite developers to add modsec rules addressing specific exploits to the thread. Basically you could pick and choose what rules you wanted to add from posts. Support cannot provide these rules but there may be KH staff that can post from their personal experience and I am sure that there are some KH customers that are modsec ninjas.
 
@Dan When you say the core rule set, do you mean the OWASP rules? I'm configuring modsec for the first time and since the gotroot/Atomicorp free rules set has been discontinued OWASP's CRS seems like the only free option.
 
Hi jnicol,

Yes I meant the OWASP rules. They changed the name and I am still in the habit of calling them the CRS. Sorry :)
 
Yes I meant the OWASP rules. They changed the name and I am still in the habit of calling them the CRS. Sorry :)

No need to apologise! It's good to know that other people are using the CRS, since most of the advice online revolves around the Atomicorp rules, but since my server is currently for non-commercial sites I don't relish paying $100 a year for a subscription.

I've installed the rule set, so now for the "fun" part - seeing how badly modsec breaks my WP application and creating my rule whitelist!
 
Modsecurity in and of itself is a pretty involved process. I can't even tell you how many hours I've spent going through logs.

You probably know already but there is information online about what to whitelist for WP and other applications so a quick search should help a lot :)
 
Here is a script that I put together that installs modsec on cPanel. This script will recompile easyapache to include ModSecurity and its dependency UniqueId. It also installs the CMC plugin from ConfigServer with the rules from the OWASP project. Once the script is run everything is installed and configured and there should not be any further configuration needed for modsec to work.

It is worth noting that the rule sets are arranged a little differently than the directions that come from the OWASP project specify. This is due to the fact that if the rules are installed the way specified by OWASP then they will not appear in the CMC plugin for editing. This reorganization is aimed at making fully administrating your ruleset possible via WHM.

One thing that has been added is a feature to parse the modsec logs for IP addresses that resolve to specific hostnames. This is due to the frequency in which I have seen users complain that modsec was blocking this bot or access to that API. This feature runs from a cron job and is really best left as a last resort for a situation where you have not been able to identify a rule that is blocking legitimate traffic, and you do not know in advance what IP address the host may connect from. It is not a replacement for active upkeep of your rules. To disable or adjust this look for parseHosts.sh in root's crontab. The script is saved to /bin/parseHosts.sh. Use the README to see where to add hosts that you would like whitelisted.

Disclaimer:
*********************
This script comes with absolutely no warranty. It is not provided directly by or developed by KnownHost LLC. This is just something that I threw together and decided to publish here in hopes that someone would find it useful. KnownHost's support department will not provide support for this script, so don't ask. If you are not comfortable with poking at shell code and modifying files via terminal in case something is not working as expected, then just ask support to install instead.
**********************

READ THIS FIRST: http://173.245.4.173/packages/modsec_rules/README
The installer is here : http://173.245.4.173/packages/modsec_installer.sh

Here are the needed commands to install:
Code:
curl 173.245.4.173/packages/modsec_rules/README|less

curl 173.245.4.173/packages/modsec_installer.sh|bash
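
An added example, not part of the post above and not the contents of parseHosts.sh: hostname-based whitelisting from the modsec logs, as described in that post, is only trustworthy if each reverse lookup is forward-confirmed, because a PTR record is set by whoever controls the IP address. It assumes the ModSecurity 2.x serial audit log format; the sample log, the DNS data and the crawler.example suffix are all constructed.

```python
import re
import socket

# Constructed ModSecurity 2.x serial audit log excerpt (section A only, documentation IPs).
SAMPLE_LOG = """\
--5f2a1c3e-A--
[22/Apr/2013:10:15:42 +0000] UXUO1n8AAAEAAAbc001 203.0.113.7 51234 192.0.2.10 80
--7b9d0e11-A--
[22/Apr/2013:10:16:03 +0000] UXUO1n8AAAEAAAbc002 198.51.100.9 40022 192.0.2.10 80
--0c44aa27-A--
[22/Apr/2013:10:16:20 +0000] UXUO1n8AAAEAAAbc003 198.51.100.20 40100 192.0.2.10 80
"""
# Constructed DNS data for offline runs; the PTR of 198.51.100.9 does not map back to it.
FAKE_PTR = {"203.0.113.7": "bot-7.crawler.example.", "198.51.100.9": "bot-9.crawler.example.",
            "198.51.100.20": "dsl-20.isp.example."}
FAKE_A = {"bot-7.crawler.example": ["203.0.113.7"], "bot-9.crawler.example": ["192.0.2.99"]}

# Section A header: [timestamp] unique_id client_ip client_port server_ip server_port
HEADER = re.compile(r"^\[[^\]]+\] \S+ (\S+) \d+ \S+ \d+$", re.M)

def client_ips(log_text):
    return list(dict.fromkeys(HEADER.findall(log_text)))  # unique, first-seen order

def system_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    try:
        return socket.gethostbyname_ex(name)[2]  # IPv4 addresses only
    except OSError:
        return []

def verified_host(ip, suffixes, ptr=system_ptr, forward=system_forward):
    """Return the PTR name only if it is under an allowed suffix AND maps back to ip."""
    name = (ptr(ip) or "").rstrip(".").lower()
    if not any(name.endswith("." + s) for s in suffixes):
        return None
    return name if ip in (forward(name) or []) else None

def whitelist_candidates(log_text, suffixes, ptr=system_ptr, forward=system_forward):
    """Map each logged client IP that passes the check to its verified hostname."""
    hosts = {ip: verified_host(ip, suffixes, ptr, forward) for ip in client_ips(log_text)}
    return {ip: host for ip, host in hosts.items() if host}

if __name__ == "__main__":
    print(whitelist_candidates(SAMPLE_LOG, ["crawler.example"], FAKE_PTR.get, FAKE_A.get))
```

Leaving out the two resolver arguments makes the functions use live DNS through the socket module.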
 
Hello KH-Mathew, is the script to install CMC with the OWASP rules still available? I had installed the CMC on my cPanel, but I don't have any rules configured =\, could you please provide this to me? Thanks a lot
 