WHM OWASP Rules for ModSecurity

Discussion in 'Linux VPS/Dedicated - cPanel' started by Chuck Topinka, Feb 16, 2015.

  1. Chuck Topinka

    Chuck Topinka New Member

    So logging in to WHM today we are getting a notice of this new recommended feature. After searching the forums here I came across this post that sounds like it is likely more trouble than it is worth: https://forums.knownhost.com/posts/17797/

    Since our only options now are to either accept the rules or see the message every time we log in, I'm wondering if anyone has any thoughts on these settings: https://documentation.cpanel.net/display/CKB/OWASP+ModSecurity+CRS

    We have a small number of clients and typically apply the patches to Joomla and Wordpress for them. Prior to moving to KH we had sites getting hacked all the time, but <knock on wood> I don't think we've had much of an issue on KH. Do we just accept what cPanel is giving us and move on to other things, or is this opening a can of worms with false positives and other issues?

    Thanks!
     
  2. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member

    @Chuck Topinka

    This isn't quite the case. Even if you accept (proceed) with the message. The OWASP "vendor" ruleset is not installed by default. As you can see by this screen shot:

    aimg.knownhost.com_file_2015_2_16_808cb7eebfba127b6d54bae2fd457bee.png

    Further, you can configure directives to not process rules at all, check this out:
    aimg.knownhost.com_file_2015_2_16_38c56c609f4e5b1e559c795c2ea82d08.png

    Beside that, personally, I would at least try having them enabled and if you run into any issues, simply turn them back off. =) 2c
     
    Chuck Topinka likes this.
  3. Chuck Topinka

    Chuck Topinka New Member

    Thanks, David. I'll give it a shot.
     
  4. MiCarl

    MiCarl Member

    I got my IP blocked almost as soon as I turned it on. I suggest you select "Process the rules in verbose mode, but do not execute disruptive actions." and watch the log for awhile.

    I had a couple rules I had to disable.
     
  5. Dan

    Dan Moderator

    I ran into this last week too and can confirm that it doesn't actually install rules when you click ok. However it did re-enable the cPanel mod_security monitoring and writing the errors to it's DB. I like the errors being cut to a log file not a DB that never gets cleaned out unless you go in and do it manually. Disabling as @KH-DavidL shows will stop from writing to the DB as well.
     
  6. awehost

    awehost New Member

    I'm getting way too many false positives with this, although I see the advantage.
    Annoying that I'll need to selectively turn of various Rules until these stop. It's also difficult to tell from the log history if it was a false positive and which even that was and which rule.
     
  7. JimSVL

    JimSVL New Member

    Since we also have ConfigServer Firewall (a freebie feature of the KH cPanel/WHM, which has its own setup for ModSecurity) and we are currently using a subset of OWASP rules today with CSF, do they work together, or ?

    In other words, if we accept the OWASP ModSecurity feature of cPanel/WHM:
    a) would it conflict with or override the CSF ModSecurity rules, leaving the CSF rules in place but no longer effective?
    b) would the OWASP set we choose to maintain with the new feature replace the CSF rule set but still work within CSF, allowing us to maintain the rules via the new control panel, but still have visibility and logging and exceptions managed to a degree by CSF?
    c) should we turn off the CSF ModSecurity (if we can) and only use the new ModSecurity feature of cPanel/WHM?
    d) Would the new feature also obsolete the ModSecurity manager plugin we currently have that does work with CSF.

    Does KH have security scan support? Assuming we make a change, would KH run a before change/after change vulnerability scan, or should we run NESSUS or some such on our own before and after?
     
  8. RMedure

    RMedure New Member

    I'd like to know the answer to this as well ...
     
  9. jwillberg

    jwillberg New Member

Share This Page