PDA

View Full Version : ModSecurity how to setup on WHM/cPanel server?



Fli
05-08-2014, 12:11 AM
Mod_Security can be installed using EasyApache from WHM..


Installing Mod Security on server with WHM control panel

Do command "httpd -M | grep security" to list apache modules and see if security2_module is not already installed.

If module not yet installed, go to WHM/Software/EasyApache, follow steps to select "Mod Security" apache module in EasyApache. Build (can take even 20 minutes)

WHM should have "Security Center" and inside ModSecurity Tools section. There i can find a button to edit Custom ModSecurity Rules. And this is what one can use (i found no issues):


# debuntu.org/how-to-prevent-spam-with-apaches-mod-security

# Disables ModSecurity for certain IPss
#SecRule REMOTE_ADDR "^155.94.1.2$" "phase:1,t:none,nolog,allow,id:945919,ctl:ruleEngin e=Off,ctl:auditEngine=Off"

# Disables ModSecurity for certain file names
SecRule REQUEST_URI "(ajax.php|editpost.php|newthread.php|newpost.php|o therfilename.php)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:audit Engine=Off"

SecAction "id:400000,phase:1,initcol:IP=%{REMOTE_ADDR},pass,n olog"

SecRule IP:spam "@gt 0" "id:400001,phase:1,chain,drop,nolog,msg:'Spam host %{REMOTE_ADDR} already blacklisted'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_URI "\/wp-comments-post\.php"

SecRule REQUEST_METHOD "POST" "id:'400010',chain,drop,nolog,msg:'Spam host detected by zen.spamhaus.org'"
SecRule REQUEST_URI "\/wp-comments-post\.php" chain
SecRule REMOTE_ADDR "@rbl zen.spamhaus.org" "setvar:IP.spam=1,expirevar:IP.spam=604800"

SecRule REQUEST_METHOD "POST" "id:'400011',chain,drop,nolog,msg:'Spam host detected by netblockbl.spamgrouper.com'"
SecRule REQUEST_URI "\/wp-comments-post\.php" chain
SecRule REMOTE_ADDR "@rbl netblockbl.spamgrouper.com" "setvar:IP.spam=1,expirevar:IP.spam=604800"

SecHttpBlKey ecvwbrgnkrwb
SecRule REQUEST_METHOD "POST" "id:'400012',chain,drop,nolog,msg:'Spam host detected by dnsbl.httpbl.org'"
SecRule REQUEST_URI "\/wp-comments-post\.php" chain
SecRule REMOTE_ADDR "@rbl dnsbl.httpbl.org" "setvar:IP.spam=1,expirevar:IP.spam=604800"

# Maldet scan uploaded files

SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:995 87,msg:'Malware found by LinuxMalwareDetect.'"

# projecthoneypot.org, block bad search engines, suspicious, harvesters, comment spammers, or a combination thereof

SecHttpBlKey ecvwbrgnkrwb
SecRule TX:REAL_IP|REMOTE_ADDR "@rbl dnsbl.httpbl.org" "id:'99010',chain,phase:1,t:none,capture,block,nolo g,msg:'HTTPBL Match of Client IP.',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_m sg=%{tx.0}"
SecRule TX:0 "threat score (\d+)" "chain,capture"
SecRule TX:1 "@gt 20"

# WEB-ATTACKS wget command attempt
SecRule &ARGS "wget http" "chain,deny,status:403,id:300012,log,rev:1,severity :2,msg:'wget command attempt'"
SecRule REQUEST_URI "!\/(editpost|newthread|newreply)"

# WEB-CLIENT Javascript URL host spoofing attempt
SecRule REQUEST_URI "javascript\://" "deny,status:403,id:300014,log,rev:1,severity:2,msg :'Javascript URL host spoofing attempt'"

# WEB-MISC cd..
SecRule REQUEST_METHOD "POST" "deny,status:403,id:500015,log,chain,msg:'using cd .. command'"
SecRule &ARGS "cd \.\." "chain"
SecRule REQUEST_URI "!\/(AllowedPathString1|AllowedPathString2)"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecRule REQUEST_URI "<script" "deny,status:403,id:300017,log,rev:1,severity:2,msg :'PHP-Wiki cross site scripting attempt'"

SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,nolog,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"

SecRule HTTP_User-Agent "MJ12bot" "deny,status:406,id:3857264,nolog"

SecRule HTTP_User-Agent "AhrefsBot" "deny,status:406,id:3857265,nolog"

# Block XMLRPC.php entirely
SecRule REQBODY_ERROR "!@eq 0" \
"id:219241,chain,msg:'COMODO WAF: XMLRPC protection||%{tx.domain}|%{tx.mode}|2',phase:2,den y,status:403,log,rev:2,severity:2,tag:'CWAF',tag:' Protocol'"
SecRule REQUEST_HEADERS:Content-Type "^text/xml$" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" \
"t:none,t:lowercase"

# Block Joomla logins with no referring URL
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000224,log,chain,msg:'Joomla login request blocked, no referer'"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &HTTP_REFERER "@eq 0"

# Block Joomla scans that are looking for sites to target; frequently they lack both UA and Referer fields
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000223,log,chain,msg:'Joomla admin access blocked due to No UA and No referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule &HTTP_User-Agent "@eq 0"

<Location /administrator>
SecDefaultAction phase:2,deny,status:403,log,auditlog
SecRule IP:bf_counter "@eq 5" "id:1000002,phase:2,log,block,expirevar:IP.bf_count er=3600,msg:'IP address blocked because of a suspected brute force attack on the Joomla website'"

SecRule ARGS:option "@streq com_login" "id:1000000,phase:2,chain,t:none,log,pass,msg:'Mult iple Joomla authentication failures from IP address', setvar:IP.bf_counter=+1"
</Location>

# Wordpress anti bruteforce login
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:50 00134

<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,nolog,id:5000135,msg:'IP address blocked for 30 minutes, more than 15 login attempts in 4 minutes.'"

SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,i d:5000136"

SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_count er=+1,deprecatevar:ip.bf_counter=1/240,id:5000137"
SecRule ip:bf_counter "@gt 15" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block= 1800,setvar:ip.bf_counter=0"

</locationmatch>
# Prevent PHP source code from being disclosed
SecRule RESPONSE_BODY "<?" "id:735,log,deny,msg:'PHP source code disclosure blocked'"

# Deny some commands execution
SecRule ARGS "^(rm|ls|kill|(send)?mail|cat|echo|/bin/|/etc/|/tmp/)[[:space:]]" "id:4289,log,deny,msg:'Execution of an Linux command denied'"

# Activates mod_security

SecRuleEngine On

SecRuleEngine On

SecAuditEngine RelevantOnly
#SecAuditLogType Serial
#SecAuditLog logs/mod_security.log

SecAuditLog /usr/local/apache/logs/modsec_audit.log
# a folder where mod_security will store data variables
#SecDataDir logs/mod_security-data

# 403 is some static page or message

ErrorDocument 403 "I am sorry, You were browsing too fast or in a suspicious way :( Please try again later."
# detect attempts to write data into files using INTO OUTFILE mysql command
SecRule ARGS "intos+outfile" "t:lowercase,deny,status:403,id:290002,log,rev:1,se verity:2,msg:'SQL Injection'"

# Generic PHP exploit signatures
SecRule REQUEST_URI "<\?php (chr|fwrite|fopen|echr|passthru|popen|shell_exec|e xec|proc_nice|proc_terminate|proc_g et_status|proc_close|pfsockopen|leak|apache_child_ terminate|posix_kill|posix_mkfifo|posix_setpgid|po si x_setsid|posix_setuid|phpinfo)\(.*\)\;" "deny,status:403,id:290005,log,rev:1,severity:2,msg :'Generic PHP exploit pattern denied'"

# Block various methods of downloading files to a server
SecRule REQUEST_URI "cd /tmp " "deny,status:403,id:29010,log,rev:1,severity:2,msg: 'Generic PHP exploit pattern denied'"

SecRule REQUEST_URI "cd /var/tmp " "deny,status:403,id:290015,log,rev:1,severity:2,msg :'Generic PHP exploit pattern denied'"

# Disables ModSecurity for certain paths
SecRule REQUEST_URI "internetlifeforum" "id:945999,phase:1,t:none,nolog,allow,ctl:ruleEngin e=Off,ctl:auditEngine=Off"

Include /usr/local/apache/conf/modsec2.whitelist.conf



My mod security config. file was /usr/local/apache/conf/modsec2.user.conf (in case anyone needs manual editting, but there one have to probably somehow apply changes into apache, in WHM/SecurityCenter/Mod Sec. Tools /Rules is the checkbox to deploy changes.)

Next thing i did was to apply Comodo ModSecurity rules, here is how: https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/comodo-as-a-modsecurity-vendor-in-cpanel-t110147.0.html


Here are again some rules already mentioned above, now just posted separate

1. Rule to block wp-login.php Wordpress login page submissions that comes with no referred (usually bots):

[/B]
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"

2. Rules to deny MJ12bot & AfrefsBot
SecRule HTTP_User-Agent "MJ12bot" "deny,status:406,id:3857264,nolog"
SecRule HTTP_User-Agent "AhrefsBot" "deny,status:406,id:3857265,nolog"",nolog" part is optional, it just do not flood mod security log by many entries

3. Rules to deny xmlrpc.php wordpress script visitors

#Block XMLRPC no referring URL
SecRule REQUEST_METHOD "POST" "deny,status:401,id:4784627,nolog,chain,msg:'xmlrpc request blocked, no referer'"
SecRule &;HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "xmlrpc.php"

4. Rules to block Joomla admin login without referrer (not fully tested)

# Block Joomla logins with no referring URL
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000224,chain,msg:'Joomla login request blocked, no referer'"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &;HTTP_REFERER "@eq 0"


# Block Joomla scans that are looking for sites to target; frequently they lack both UA and Referer fields
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000223,chain,msg:'Joomla admin access blocked due to No UA and No referer'"
SecRule &;HTTP_REFERER "@eq 0" "chain"
SecRule &;HTTP_User-Agent "@eq 0"

5. Block IPs with too many Wordpress login attempts

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:50 00134
<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'IP address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,i d:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_count er=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block= 300,setvar:ip.bf_counter=0"
</locationmatch>



After applying rules, Go to WHM / Security Center / Mod Security Tools / Hits List and monitor it from time to time to verify no innocent visitors are blocked.


...Rest of this post is outdated information...


Option B) ASL OWASP Mod Security rules

i found 2 options..

1) Option 1: check this topic for ASL Rule list (http://internetlifeforum.com/mysql-apache-php/1984-mod-security-modsecurity-asl-rule-set/#post2935)

2) Option 2, read below:

Rule sets can be downloaded example fromhttps://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
- (search "Download" at that page)
- download by wget and extract ("tar xzf master" for example).
- Then cd into extracted directory (cd SpiderLabs-owasp-modsecurity-crs*).
- make directory in apache conf folder: mkdir /usr/local/apache/conf/modseclists
- copy all rules from the extracted folder (SpiderLabs-owasp-modsecurity-crs*) by: cp -R *_rules /usr/local/apache/conf/modseclists
- then include rule sets into mod security config file (in my case /usr/local/apache/conf/modsec2.user.conf ):


# Base rules
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_20_protocol_violations.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_21_protocol_anomalies.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_23_request_limits.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_30_http_policy.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_35_bad_robots.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_generic_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_41_xss_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_42_tight_security.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_45_trojans.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_47_common_exceptions.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_49_inbound_blocking.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_50_outbound.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_59_outbound_blocking.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_60_correlation.conf


# Experimental_rules
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_11_brute_force.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_11_dos_protection.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_11_proxy_abuse.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_11_slow_dos_protection.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_16_scanner_integration.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_25_cc_track_pan.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_appsensor_detection_point_2.0_s etup.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_appsensor_detection_point_2.1_r equest_exception.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_appsensor_detection_point_2.9_h oneytrap.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_appsensor_detection_point_3.0_e nd.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_http_parameter_pollution.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_42_csp_enforcement.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_scanner_integration.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_48_bayes_analysis.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_55_response_profiling.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_56_pvi_checks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_61_ip_forensics.conf


# Optional_rules
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_10_ignore_static.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_11_avs_traffic.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_13_xml_enabler.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_16_authentication_tracking.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_16_session_hijacking.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_16_username_tracking.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_25_cc_known.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_42_comment_spam.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_43_csrf_protection.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_av_scanning.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_47_skip_outbound_checks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_49_header_tagging.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_55_application_defects.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_55_marketing.conf


# slr_rules
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_xss_attacks.conf

(use only lists you want to use, not all or you will trigger too many false positive)


Option C) Bad (default) Mod Security configuration rules - stay away from applying these, there just for evidence

... There i clicked "Default configuration", it added some rules, i then click save and restart Apache(httpd). But after this server load increased by 100% or more.. And one website do not managed to be loaded completelly still working, hanging. So i removed rules and restarted apache. Now everything back OK.

After high load issue I found following Deny log entry related to that mentioned hanged website:


Pattern match "\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "1234123440"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]

Also next log entry:


internetlifeforum.com 207.46.13.97 1234123440 [12/Oct/2014:16:40:19 --0400]
Pattern match "\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "1234123440"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"][12/Oct/2014:16:40:19 --0400] VDrnMGu2hR0AAF7N1ZAAAAAj 207.46.13.97 21106 107.182.133.29 80
--7008cb52-B--
GET /other-services/2508-25%25-off-theme-whmcs%7C-compatibility-firefox-ie8-chrome-opera-safari-post3780/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate
From: bingbot(at)microsoft.com
Host: internetlifeforum.com
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)

(the log entry found in WHM "Mod Security" section and in "ConfigServer ModSecurity Control (https://107.182.133.29:2087/cpsess9769713981/cgi/configserver/cmc.cgi)" section)
Above log entry means that Default rules blocked BingBot with IP 207.46.13.97 (which is not acceptable). So quite serious false positives that makes me to not use these "Default rules".