Thread: ModSecurity how to setup on WHM/cPanel server?

Mod_Security can be installed using EasyApache from WHM..


Installing Mod Security on server with WHM control panel

Do command "httpd -M | grep security" to list apache modules and see if security2_module is not already installed.

If module not yet installed, go to WHM/Software/EasyApache, follow steps to select "Mod Security" apache module in EasyApache. Build (can take even 20 minutes)

WHM should have "Security Center" and inside ModSecurity Tools section. There i can find a button to edit Custom ModSecurity Rules. And this is what one can use (i found no issues):

# debuntu.org/how-to-prevent-spam-with-apaches-mod-security

# Disables ModSecurity for certain IPss
#SecRule REMOTE_ADDR "^155.94.1.2$" "phase:1,t:none,nolog,allow,id:945919,ctl:ruleEngi ne=Off,ctl:auditEngine=Off"

# Disables ModSecurity for certain file names
SecRule REQUEST_URI "(ajax.php|editpost.php|newthread.php|newpost.php| otherfilename.php)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:audi tEngine=Off"

SecAction "id:400000,phase:1,initcol:IP=%{REMOTE_ADDR},pass, nolog"

SecRule IP:spam "@gt 0" "id:400001,phase:1,chain,drop,nolog,msg:'Spam host %{REMOTE_ADDR} already blacklisted'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_URI "\/wp-comments-post\.php"

SecRule REQUEST_METHOD "POST" "id:'400010',chain,drop,nolog,msg:'Spam host detected by zen.spamhaus.org'"
SecRule REQUEST_URI "\/wp-comments-post\.php" chain
SecRule REMOTE_ADDR "@rbl zen.spamhaus.org" "setvar:IP.spam=1,expirevar:IP.spam=604800"

SecRule REQUEST_METHOD "POST" "id:'400011',chain,drop,nolog,msg:'Spam host detected by netblockbl.spamgrouper.com'"
SecRule REQUEST_URI "\/wp-comments-post\.php" chain
SecRule REMOTE_ADDR "@rbl netblockbl.spamgrouper.com" "setvar:IP.spam=1,expirevar:IP.spam=604800"

SecHttpBlKey ecvwbrgnkrwb
SecRule REQUEST_METHOD "POST" "id:'400012',chain,drop,nolog,msg:'Spam host detected by dnsbl.httpbl.org'"
SecRule REQUEST_URI "\/wp-comments-post\.php" chain
SecRule REMOTE_ADDR "@rbl dnsbl.httpbl.org" "setvar:IP.spam=1,expirevar:IP.spam=604800"

# Maldet scan uploaded files

SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:99 587,msg:'Malware found by LinuxMalwareDetect.'"

# projecthoneypot.org, block bad search engines, suspicious, harvesters, comment spammers, or a combination thereof

SecHttpBlKey ecvwbrgnkrwb
SecRule TX:REAL_IP|REMOTE_ADDR "@rbl dnsbl.httpbl.org" "id:'99010',chain,phase:1,t:none,capture,block,nol og,msg:'HTTPBL Match of Client IP.',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_m sg=%{tx.0}"
SecRule TX:0 "threat score (\d+)" "chain,capture"
SecRule TX:1 "@gt 20"

# WEB-ATTACKS wget command attempt
SecRule &ARGS "wget http" "chain,deny,status:403,id:300012,log,rev:1,severit y:2,msg:'wget command attempt'"
SecRule REQUEST_URI "!\/(editpost|newthread|newreply)"

# WEB-CLIENT Javascript URL host spoofing attempt
SecRule REQUEST_URI "javascript\://" "deny,status:403,id:300014,log,rev:1,severity:2,ms g:'Javascript URL host spoofing attempt'"

# WEB-MISC cd..
SecRule REQUEST_METHOD "POST" "deny,status:403,id:500015,log,chain,msg:'usin g cd .. command'"
SecRule &ARGS "cd \.\." "chain"
SecRule REQUEST_URI "!\/(AllowedPathString1|AllowedPathString2)"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecRule REQUEST_URI "<script" "deny,status:403,id:300017,log,rev:1,severity:2,ms g:'PHP-Wiki cross site scripting attempt'"

SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,nolog,chain,msg:'w p-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"

SecRule HTTP_User-Agent "MJ12bot" "deny,status:406,id:3857264,nolog"

SecRule HTTP_User-Agent "AhrefsBot" "deny,status:406,id:3857265,nolog"

# Block XMLRPC.php entirely
SecRule REQBODY_ERROR "!@eq 0" \
"id:219241,chain,msg:'COMODO WAF: XMLRPC protection||%{tx.domain}|%{tx.mode}|2',phase:2,den y,status:403,log,rev:2,severity:2,tag:'CWAF',tag:' Protocol'"
SecRule REQUEST_HEADERS:Content-Type "^text/xml$" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" \
"t:none,t:lowercase"

# Block Joomla logins with no referring URL
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000224,log,chain,msg:'Joo mla login request blocked, no referer'"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &HTTP_REFERER "@eq 0"

# Block Joomla scans that are looking for sites to target; frequently they lack both UA and Referer fields
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000223,log,chain,msg:'Joo mla admin access blocked due to No UA and No referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule &HTTP_User-Agent "@eq 0"

<Location /administrator>
SecDefaultAction phase:2,deny,status:403,log,auditlog
SecRule IP:bf_counter "@eq 5" "id:1000002,phase:2,log,block,expirevar:IP.bf_coun ter=3600,msg:'IP address blocked because of a suspected brute force attack on the Joomla website'"

SecRule ARGS:option "@streq com_login" "id:1000000,phase:2,chain,t:none,log,pass,msg:'Mul tiple Joomla authentication failures from IP address', setvar:IP.bf_counter=+1"
</Location>

# Wordpress anti bruteforce login
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:50 00134

<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,nolog,id:5000135,msg:'IP address blocked for 30 minutes, more than 15 login attempts in 4 minutes.'"

SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0, id:5000136"

SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_coun ter=+1,deprecatevar:ip.bf_counter=1/240,id:5000137"
SecRule ip:bf_counter "@gt 15" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block =1800,setvar:ip.bf_counter=0"

</locationmatch>
# Prevent PHP source code from being disclosed
SecRule RESPONSE_BODY "<?" "id:735,log,deny,msg:'PHP source code disclosure blocked'"

# Deny some commands execution
SecRule ARGS "^(rm|ls|kill|(send)?mail|cat|echo|/bin/|/etc/|/tmp/)[[:space:]]" "id:4289,log,deny,msg:'Execution of an Linux command denied'"

# Activates mod_security

SecRuleEngine On

SecRuleEngine On

SecAuditEngine RelevantOnly
#SecAuditLogType Serial
#SecAuditLog logs/mod_security.log

SecAuditLog /usr/local/apache/logs/modsec_audit.log
# a folder where mod_security will store data variables
#SecDataDir logs/mod_security-data

# 403 is some static page or message

ErrorDocument 403 "I am sorry, You were browsing too fast or in a suspicious way :( Please try again later."
# detect attempts to write data into files using INTO OUTFILE mysql command
SecRule ARGS "intos+outfile" "t:lowercase,deny,status:403,id:290002,log,rev:1,s everity:2,msg:'SQL Injection'"

# Generic PHP exploit signatures
SecRule REQUEST_URI "<\?php (chr|fwrite|fopen|echr|passthru|popen|shell_exec|e xec|proc_nice|proc_terminate|proc_g et_status|proc_close|pfsockopen|leak|apache_child_ terminate|posix_kill|posix_mkfifo|posix_setpgid|po si x_setsid|posix_setuid|phpinfo)\(.*\)\;" "deny,status:403,id:290005,log,rev:1,severity:2,ms g:'Generic PHP exploit pattern denied'"

# Block various methods of downloading files to a server
SecRule REQUEST_URI "cd /tmp " "deny,status:403,id:29010,log,rev:1,severity:2,msg :'Generic PHP exploit pattern denied'"

SecRule REQUEST_URI "cd /var/tmp " "deny,status:403,id:290015,log,rev:1,severity:2,ms g:'Generic PHP exploit pattern denied'"

# Disables ModSecurity for certain paths
SecRule REQUEST_URI "internetlifeforum" "id:945999,phase:1,t:none,nolog,allow,ctl:ruleEngi ne=Off,ctl:auditEngine=Off"

Include /usr/local/apache/conf/modsec2.whitelist.conf

My mod security config. file was /usr/local/apache/conf/modsec2.user.conf (in case anyone needs manual editting, but there one have to probably somehow apply changes into apache, in WHM/SecurityCenter/Mod Sec. Tools /Rules is the checkbox to deploy changes.)

Next thing i did was to apply Comodo ModSecurity rules, here is how: https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/comodo-as-a-modsecurity-vendor-in-cpanel-t110147.0.html


Here are again some rules already mentioned above, now just posted separate

1. Rule to block wp-login.php Wordpress login page submissions that comes with no referred (usually bots):

[/B]

Code:

SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"

2. Rules to deny MJ12bot & AfrefsBot

Code:

SecRule HTTP_User-Agent "MJ12bot" "deny,status:406,id:3857264,nolog"
SecRule HTTP_User-Agent "AhrefsBot" "deny,status:406,id:3857265,nolog"

",nolog" part is optional, it just do not flood mod security log by many entries

3. Rules to deny xmlrpc.php wordpress script visitors

Code:

#Block XMLRPC no referring URL
SecRule REQUEST_METHOD "POST"  "deny,status:401,id:4784627,nolog,chain,msg:'xmlrpc request blocked, no referer'"
SecRule &;HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "xmlrpc.php"

4. Rules to block Joomla admin login without referrer (not fully tested)

Code:

# Block Joomla logins with no referring URL
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000224,chain,msg:'Joomla login request blocked, no referer'"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &;HTTP_REFERER "@eq 0"

Code:

# Block Joomla scans that are looking for sites to target; frequently they lack both UA and Referer fields
SecRule REQUEST_URI "/administrator/index.php" "deny,status:411,id:5000223,chain,msg:'Joomla admin access blocked due to No UA and No referer'"
SecRule &;HTTP_REFERER "@eq 0" "chain"
SecRule &;HTTP_User-Agent "@eq 0"

5. Block IPs with too many Wordpress login attempts

Code:

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'IP address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>

After applying rules, Go to WHM / Security Center / Mod Security Tools / Hits List and monitor it from time to time to verify no innocent visitors are blocked.


...Rest of this post is outdated information...


Option B) ASL OWASP Mod Security rules

i found 2 options..

1) Option 1: check this topic for ASL Rule list

2) Option 2, read below:

Rule sets can be downloaded example fromhttps://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
- (search "Download" at that page)
- download by wget and extract ("tar xzf master" for example).
- Then cd into extracted directory (cd SpiderLabs-owasp-modsecurity-crs*).
- make directory in apache conf folder: mkdir /usr/local/apache/conf/modseclists
- copy all rules from the extracted folder (SpiderLabs-owasp-modsecurity-crs*) by: cp -R *_rules /usr/local/apache/conf/modseclists
- then include rule sets into mod security config file (in my case /usr/local/apache/conf/modsec2.user.conf ):

# Base rules
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_20_protocol_violations.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_21_protocol_anomalies.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_23_request_limits.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_30_http_policy.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_35_bad_robots.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_generic_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_41_xss_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_42_tight_security.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_45_trojans.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_47_common_exceptions.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_49_inbound_blocking.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_50_outbound.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_59_outbound_blocking.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_60_correlation.conf


# Experimental_rules
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_11_brute_force.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_11_dos_protection.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_11_proxy_abuse.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_11_slow_dos_protection.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_16_scanner_integration.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_25_cc_track_pan.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_appsensor_detection_point_2.0_s etup.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_appsensor_detection_point_2.1_r equest_exception.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_appsensor_detection_point_2.9_h oneytrap.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_appsensor_detection_point_3.0_e nd.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_40_http_parameter_pollution.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_42_csp_enforcement.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_scanner_integration.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_48_bayes_analysis.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_55_response_profiling.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_56_pvi_checks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_61_ip_forensics.conf


# Optional_rules
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_10_ignore_static.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_11_avs_traffic.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_13_xml_enabler.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_16_authentication_tracking.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_16_session_hijacking.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_16_username_tracking.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_25_cc_known.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_42_comment_spam.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_43_csrf_protection.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_av_scanning.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_47_skip_outbound_checks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_49_header_tagging.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_55_application_defects.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_55_marketing.conf


# slr_rules
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf
Include /usr/local/apache/conf/modseclists/base_rules/modsecurity_crs_46_slr_et_xss_attacks.conf

(use only lists you want to use, not all or you will trigger too many false positive)


Option C) Bad (default) Mod Security configuration rules - stay away from applying these, there just for evidence

... There i clicked "Default configuration", it added some rules, i then click save and restart Apache(httpd). But after this server load increased by 100% or more.. And one website do not managed to be loaded completelly still working, hanging. So i removed rules and restarted apache. Now everything back OK.

After high load issue I found following Deny log entry related to that mentioned hanged website:

Pattern match "\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "1234123440"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]

Also next log entry:

internetlifeforum.com 207.46.13.97 1234123440 [12/Oct/2014:16:40:19 --0400]
Pattern match "\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "1234123440"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"][12/Oct/2014:16:40:19 --0400] VDrnMGu2hR0AAF7N1ZAAAAAj 207.46.13.97 21106 107.182.133.29 80
--7008cb52-B--
GET /other-services/2508-25%25-off-theme-whmcs%7C-compatibility-firefox-ie8-chrome-opera-safari-post3780/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate
From: bingbot(at)microsoft.com
Host: internetlifeforum.com
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)

(the log entry found in WHM "Mod Security" section and in "ConfigServer ModSecurity Control" section)
Above log entry means that Default rules blocked BingBot with IP 207.46.13.97 (which is not acceptable). So quite serious false positives that makes me to not use these "Default rules".