Mod Security questions....again

Discussion in 'Linux VPS/Dedicated - General' started by Nalco, Oct 31, 2007.

  1. Nalco

    Nalco New Member

    I have a couple more Mod Security questions

    1: How can I check what version of Mod Security I currently have installed? I know I have v2.something.

    2: I was wondering if anyone was willing to share their Apache 2/Mod Security v2 rulesets. I looked at the gotroot.com rules, but they are a year old and bloated from what I can tell.


    Thanks!
     
  2. Dan

    Dan Moderator

    Hello Nalco,

    First, I'm assuming you're on cPanel as that is the forum you posted in previously.

    1) I have version 2.1.3 installed after compiling with EasyApache 3 just yesterday. The only way I was able to determine this was looking in the compilation log which you can find at /var/local/cpanel/log/easy/apache. Look in the newest file which should be dated when you installed.

    2) I'm using the core ruleset from modsecurity.org. Gotroot.com's ruleset caused far too many false positives and too much overhead for me.

    Hope that helps
     
  3. Nalco

    Nalco New Member

    Thank you.

    I am indeed running cPanel. I was able to find out my version of Mod Security (2.13), though my path was a bit different. /var/local/ was empty for me, but I found the correct file to look into at /usr/local/cpanel/logs/easy/apache.

    I am grabbing the Mod Security core rules as I write this. Thank you very much for your help!
     
  4. Nalco

    Nalco New Member

    Hmm, I have a problem, that if I try to use the

    Include "/usr/local/apache/conf/modsecurity/*.conf"

    my server won't restart. I created a folder "modsecurity", and uploaded all the rulesets into it.

    Any idea what I'm doing wrong?
     
  5. Dan

    Dan Moderator

    Howdy Nalco,

    Sorry about the path error, you found it in the right place ;)

    Where are you putting the include? It should be in modsec2.user.conf and it should look like
    Code:
    Include conf/modsecurity/*.conf
    Be sure you've gone through them (especially modsecurity_crs_10_config.conf) as there are some things you will want to change.

    Hope that helps
     
  6. Nalco

    Nalco New Member

    Hmm, that is where I am trying to add it in, but Apache fails to start.

    I tried adding this:

    Include conf/modsecurity/*.conf

    and this

    Include /usr/local/apache/conf/modsecurity/*.conf

    I have tried it both with and without quotes. I get no joy either way. I also tried adding it into modsec2.conf with the same results.

    I am wondering if I can just strip the rules out of each individual file, and paste them right into modsec2.user.conf. Though I'm not sure I could include the config file.

    I am trying not to mess around too much, as I have already transferred my domains over.
     
  7. khiltd

    khiltd New Member

    If you're on cPanel, run
    Code:
    service httpd configtest
    to see what specifically Apache has a problem with.

    If you're not on cPanel then
    Code:
    sudo apachectl configtest
    usually works.
     
  8. Nalco

    Nalco New Member

    OK, I ran

    service httpd configtest

    and I came up with a common thread with the rules that the server is choking on. Any rule regarding XML is throwing errors.

    Syntax error on line 64 of /usr/local/apache/conf/modsecurity/modsecurity_crs_20_protocol_violations.conf:
    Error creating rule: Unknown variable: XML

    Syntax error on line 65 of /usr/local/apache/conf/modsecurity/modsecurity_crs_20_protocol_violations.conf:
    Error creating rule: Unknown variable: XML

    Syntax error on line 24 of /usr/local/apache/conf/modsecurity/modsecurity_crs_40_generic_attacks.conf:
    Error creating rule: Unknown variable: XML

    I'm guessing I need some sort of Apache XML package.....right?

    Or do I just comment out all the XML rules?
     
  9. Dan

    Dan Moderator

    Nalco,

    I should have asked what the error you got was because I could have addressed that right away, sorry about that.


    Edit the two files "modsecurity_crs_20_protocol_violations.conf" and "modsecurity_crs_40_generic_attacks.conf" and remove "|XML" from the end of every SecRule line that it appears in.

    Leave the include line in the modsec2.user.conf file as indicated previously. It won't be overwritten in that file.

    Hope that helps
     
  10. Nalco

    Nalco New Member

    Once again the both of you have saved me. I made the edits, and the server is up and running with the new rulesets.

    I don't know what I, or this board, would do without the two of you.

    Thank you both very much!
     
  11. Dan

    Dan Moderator

    You're welcome Nalco :)

    Be sure to monitor your log so you can rectify false positives though as there are sure to be some.
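
The edit Dan describes in post 9, scripted as an added example (not code from the thread or from the ModSecurity project): it reads `configtest` output in the format Nalco pasted, backs up each file named there, and removes the XML target from SecRule variable lists. It goes slightly beyond the literal "|XML" by also dropping an attached selector such as `XML:/*`; the rule-line layout, the `.orig` backup name and the sample rule are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Reads `configtest` output on stdin.
# For each file Apache blames for "Unknown variable: XML": keep a one-time
# <file>.orig backup, then drop the XML target (with any :selector) from the
# variable list of its SecRule lines. Prints how many rule lines changed.

# Matches only inside the whitespace-free variable list (2nd field), so a
# "|XML" that appears inside a rule's quoted pattern is left alone.
# Assumption: at most one XML target per rule, and it is not the first one.
XML_TARGET='^([[:space:]]*SecRule[[:space:]]+[^[:space:]]*)\|XML(:[^|[:space:]]*)?(\||[[:space:]]|$)'

strip_xml_targets() (
    file="" total=0
    while IFS= read -r line; do
        case $line in
        *"Syntax error on line "*" of "*:)
            # Remember the file named in the error header.
            file=${line#*" of "}; file=${file%:} ;;
        *"Unknown variable: XML"*)
            [ -f "$file" ] || continue
            [ -e "$file.orig" ] || cp -p "$file" "$file.orig"
            n=$(grep -cE "$XML_TARGET" "$file" || true)
            tmp=$(mktemp)
            sed -E "s/$XML_TARGET/\1\3/" "$file" > "$tmp"
            cat "$tmp" > "$file"   # overwrite in place: keeps owner and mode
            rm -f "$tmp"
            total=$((total + n)) ;;
        esac
    done
    echo "$total"
)

# Demo on a constructed rule file and a constructed configtest message.
demo() (
    d=$(mktemp -d); f="$d/sample_rules.conf"
    printf '%s\n' 'SecRule ARGS|REQUEST_HEADERS|XML:/* "a|XML" "deny,log"' > "$f"
    printf 'Syntax error on line 1 of %s:\nError creating rule: Unknown variable: XML\n' "$f" |
        strip_xml_targets >/dev/null
    cat "$f"; rm -rf "$d"
)

# Real use: service httpd configtest 2>&1 | strip_xml_targets
if [ "${1:-}" = demo ]; then demo; fi
```

Rules patched this way no longer inspect XML request bodies, and the `.orig` copies show exactly which rules lost that target. Re-run `service httpd configtest` afterwards and repeat until it reports no further errors.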
     
