Mod Security questions....again

Nalco

New Member
I have a couple more Mod Security questions

1: How can I check what version of Mod Security I currently have installed? I know I have v2.something.

2: I was wondering if anyone was willing to share their Apache 2/Mod Security v2 rulesets. I looked at the gotroot.com rules, but they are a year old and bloated from what I can tell.


Thanks!
 
Hello Nalco,

First, I'm assuming you're on Cpanel as that is the forum you posted in previously.

1) I have version 2.1.3 installed after compiling with Easyapache 3 just yesterday. The only way I was able to determine this was looking in the compilation log which you can find at /var/local/cpanel/log/easy/apache. Look in the newest file which should be dated when you installed.

2) I'm using the core ruleset from modsecurity.org. Gotroot.com's ruleset caused far too many false positives and too much overhead for me.

Hope that helps
 
Thank you.

I am indeed running cpanel. I was able to find out my version of Mod Security (2.13), though my path was a bit different. /var/local/ was empty for me, but I found the correct file to look into at /usr/local/cpanel/logs/easy/apache.

I am grabbing the Mod Security core rules as I write this. Thank you very much for your help!
 
Hmm, I have a problem, that if I try to use the

Include "/usr/local/apache/conf/modsecurity/*.conf"

my server won't restart. I created a folder "modsecurity", and uploaded all the rulesets into it.

Any idea what I'm doing wrong?
 
Howdy Nalco,

Sorry about the path error, you found it in the right place ;)

Where are you putting the include? It should be in modsec2.user.conf and it should look like
Code:
Include conf/modsecurity/*.conf
Be sure you've gone through them (especially modsecurity_crs_10_config.conf) as there are some things you will want to change.

Hope that helps
 
Hmm, that is where I am trying to add it in, but Apache fails to start.

I tried adding this:

Include conf/modsecurity/*.conf

and this

Include /usr/local/apache/conf/modsecurity/*.conf

I have tried it both with and without quotes. I get no joy either way. I also tried adding it into modsec2.conf with the same results.

I am wondering if I can just strip the rules out of each individual file, and paste them right into modsec2.user.conf. Though I'm not sure I could include the config file.

I am trying not to mess around too much, as I have already transferred my domains over.
 
If you're on cPanel, run
Code:
service httpd configtest
to see what specifically Apache has a problem with.

If you're not on cPanel then
Code:
sudo apachectl configtest
usually works.
 
OK, I ran

service httpd configtest

and I came up with a common thread with the rules that the server is choking on. Any rule regarding XML is throwing errors.

Syntax error on line 64 of /usr/local/apache/conf/modsecurity/modsecurity_crs_20_protocol_violations.conf:
Error creating rule: Unknown variable: XML

Syntax error on line 65 of /usr/local/apache/conf/modsecurity/modsecurity_crs_20_protocol_violations.conf:
Error creating rule: Unknown variable: XML

Syntax error on line 24 of /usr/local/apache/conf/modsecurity/modsecurity_crs_40_generic_attacks.conf:
Error creating rule: Unknown variable: XML

I'm guessing I need some sort of Apache XML package.....right?

Or do I just comment out all the XML rules?
 
Nalco,

I should have asked what the error you got was because I could have addressed that right away, sorry about that.


Edit the two files "modsecurity_crs_20_protocol_violations.conf" and "modsecurity_crs_40_generic_attacks.conf" and remove "|XML" from the end of every SecRule line that it appears in.

Leave the include line in the modsec2.user.conf file as indicated previously. It won't be overwritten in that file.

Hope that helps
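An added example (not from this thread or the CRS project) that scripts the edit described above: it removes the XML target from the SecRule variable lists in the two named files, keeps a backup, and then runs the same config test used earlier. It assumes the thread's rule directory path; the error-log path and the "ModSecurity for Apache/x.y.z" startup line used for the version check are assumptions for a cPanel build.

```sh
#!/bin/sh
# Added example: strip the XML target (the variable this ModSecurity build
# rejects with "Unknown variable: XML") from the CRS rule files, then re-test.
CRS_DIR="${CRS_DIR:-/usr/local/apache/conf/modsecurity}"     # path from the thread
ERROR_LOG="${ERROR_LOG:-/usr/local/apache/logs/error_log}"   # assumed cPanel path

# strip_xml_target: filter stdin to stdout. On SecRule lines only, delete the
# XML target wherever it sits in the variable list, with or without a selector
# (XML or XML:/*). Comments, SecAction and every other line pass through.
strip_xml_target() {
    sed -E \
        -e '/^[[:space:]]*SecRule[[:space:]]/ s/[|]XML(:[^[:space:]"|]*)?//g' \
        -e '/^[[:space:]]*SecRule[[:space:]]/ s/(SecRule[[:space:]]+)XML(:[^[:space:]"|]*)?[|]/\1/'
}

# fix_crs_file: rewrite one rule file in place, keeping a .orig copy.
fix_crs_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    cp -p "$f" "$f.orig"
    strip_xml_target < "$f.orig" > "$f"
}

# modsec_version: ModSecurity 2.x prints its version to the Apache error log
# at startup (assumed line format); this answers the version question above.
modsec_version() {
    grep -o 'ModSecurity for Apache/[0-9.]*' "$ERROR_LOG" | tail -n 1
}

main() {
    for name in modsecurity_crs_20_protocol_violations.conf \
                modsecurity_crs_40_generic_attacks.conf; do
        fix_crs_file "$CRS_DIR/$name" || exit 1
        diff -u "$CRS_DIR/$name.orig" "$CRS_DIR/$name"   # show exactly what changed
    done
    echo "installed: $(modsec_version)"
    service httpd configtest    # same check as earlier in the thread
}

# Only touch the server when explicitly asked: sh fix_crs_xml.sh apply
[ "${1:-}" = "apply" ] && main
</test>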
 
Once again the both of you have saved me. I made the edits, and the server is up and running with the new rulesets.

I don't know what I, or this board would do without the two of you.

Thank you both very much!
 
You're welcome Nalco :)

Be sure to monitor your log so you can rectify false positives though as there are sure to be some.
 