WHM OWASP Rules for ModSecurity

Chuck Topinka

Chuck Topinka

New Member
So logging in to WHM today we are getting a notice of this new recommended feature. After searching the forums here I came across this post that sounds like it is likely more trouble than it is worth: https://forums.knownhost.com/posts/17797/

Since our only options now are to either accept the rules or see the message every time we log in, I'm wondering if anyone has any thoughts on these settings: https://documentation.cpanel.net/display/CKB/OWASP+ModSecurity+CRS

We have a small number of clients and typically apply the patches to Joomla and Wordpress for them. Prior to moving to KH we had sites getting hacked all the time, but <knock on wood> I don't think we've had much of an issue on KH. Do we just accept what cPanel is giving us and move on to other things, or is this opening a can of worms with false positives and other issues?

Thanks!
 
@Chuck Topinka

Since our only options now are to either accept the rules or see the message every time we log in
Click to expand...
This isn't quite the case. Even if you accept (proceed) with the message. The OWASP "vendor" ruleset is not installed by default. As you can see by this screen shot:

aimg.knownhost.com_file_2015_2_16_808cb7eebfba127b6d54bae2fd457bee.png


Further, you can configure directives to not process rules at all, check this out:
aimg.knownhost.com_file_2015_2_16_38c56c609f4e5b1e559c795c2ea82d08.png


Beside that, personally, I would at least try having them enabled and if you run into any issues, simply turn them back off. =) 2c
 
I got my IP blocked almost as soon as I turned it on. I suggest you select "Process the rules in verbose mode, but do not execute disruptive actions." and watch the log for awhile.

I had a couple rules I had to disable.
 
I ran into this last week too and can confirm that it doesn't actually install rules when you click ok. However it did re-enable the cPanel mod_security monitoring and writing the errors to it's DB. I like the errors being cut to a log file not a DB that never gets cleaned out unless you go in and do it manually. Disabling as @KH-DavidL shows will stop from writing to the DB as well.
 
I'm getting way too many false positives with this, although I see the advantage.
Annoying that I'll need to selectively turn of various Rules until these stop. It's also difficult to tell from the log history if it was a false positive and which even that was and which rule.
 
Since we also have ConfigServer Firewall (a freebie feature of the KH cPanel/WHM, which has its own setup for ModSecurity) and we are currently using a subset of OWASP rules today with CSF, do they work together, or ?

In other words, if we accept the OWASP ModSecurity feature of cPanel/WHM:
a) would it conflict with or override the CSF ModSecurity rules, leaving the CSF rules in place but no longer effective?
b) would the OWASP set we choose to maintain with the new feature replace the CSF rule set but still work within CSF, allowing us to maintain the rules via the new control panel, but still have visibility and logging and exceptions managed to a degree by CSF?
c) should we turn off the CSF ModSecurity (if we can) and only use the new ModSecurity feature of cPanel/WHM?
d) Would the new feature also obsolete the ModSecurity manager plugin we currently have that does work with CSF.

Does KH have security scan support? Assuming we make a change, would KH run a before change/after change vulnerability scan, or should we run NESSUS or some such on our own before and after?
 
JimSVL said:
Since we also have ConfigServer Firewall (a freebie feature of the KH cPanel/WHM, which has its own setup for ModSecurity) and we are currently using a subset of OWASP rules today with CSF, do they work together, or ?

In other words, if we accept the OWASP ModSecurity feature of cPanel/WHM:
a) would it conflict with or override the CSF ModSecurity rules, leaving the CSF rules in place but no longer effective?
b) would the OWASP set we choose to maintain with the new feature replace the CSF rule set but still work within CSF, allowing us to maintain the rules via the new control panel, but still have visibility and logging and exceptions managed to a degree by CSF?
c) should we turn off the CSF ModSecurity (if we can) and only use the new ModSecurity feature of cPanel/WHM?
d) Would the new feature also obsolete the ModSecurity manager plugin we currently have that does work with CSF.

Does KH have security scan support? Assuming we make a change, would KH run a before change/after change vulnerability scan, or should we run NESSUS or some such on our own before and after?
Click to expand...

I'd like to know the answer to this as well ...
 
You must log in or register to reply here.
Top