  1. #1
    Join Date
    Feb 2006
    Location
    Kepler 62f
    Posts
    16,703

    Mod_security - too many conflicting install instructions?

    Trying to learn mod_security is a gigantic pain in the ass.

    This doesn't work: http://library.linode.com/web-server..._ubuntu-debian
    Appears to be outdated; something changed since Nov 2011.

    This is useless: http://www.atomicorp.com/wiki/index....ad_modsecurity
    Too much crammed into a single page for multiple products. Hard to follow WTF is going on.
    (And framed content, to add insult to injury. It's 2012.)
    Atomic is more interested in selling services than supporting what it does open-source.

    I think I've installed mod_sec on Ubuntu, but have no idea how to enable it, or enable rules.

    Would anybody care to complete the instructions on what comes next?

    Mod_sec is one of the most piss-poor documented server apps I've ever come across.
    What does exist is obviously IT nerd brain dumps more than coherent end-user documentation.

  2. #2
    Join Date
    Nov 2011
    Posts
    87
    You need to configure it, then start it from SecRuleEngine.

  3. #3
    After installation, your next step will be to configure the rules of Mod_Security.

    For complete instructions, kindly refer to the following URL:

    http://www.modsecurity.org/documenta...reference.html

    - The default folder for ModSecurity rules is /etc/modsecurity
    - You might want to edit the SecRequestBodyLimit option in the modsecurity.conf file.

    Note: SecRequestBodyLimit limits the page request size and limits file uploads to 128 KB by default. Change this to the size of files you would accept uploaded to the server.

    This setting is very important since it limits the size of all files that can be uploaded to the server. For CMS sites using Drupal or Wordpress

    Open SSH, log in as root and enter:
    Code:
    sudo vi /etc/modsecurity/modsecurity.conf

    First activate the rules by editing the SecRuleEngine option and setting it to On.
    Code:
    SecRuleEngine On

    Edit the following option to increase the request limit and save the file:
    Code:
    SecRequestBodyLimit 16384000
    SecRequestBodyInMemoryLimit 16384000

  4. #4
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,588
    Do you have cPanel or are you using straight Apache?

  5. #5
    Join Date
    Oct 2011
    Location
    West Palm Beach, FL
    Posts
    52
    Quote Originally Posted by kpmedia View Post
    Trying to learn mod_security is a gigantic pain in the ass.

    This doesn't work: http://library.linode.com/web-server..._ubuntu-debian
    Appears to be outdated; something changed since Nov 2011.

    This is useless: http://www.atomicorp.com/wiki/index....ad_modsecurity
    Too much crammed into a single page for multiple products. Hard to follow WTF is going on.
    (And framed content, to add insult to injury. It's 2012.)
    Atomic is more interested in selling services than supporting what it does open-source.

    I think I've installed mod_sec on Ubuntu, but have no idea how to enable it, or enable rules.

    Would anybody care to complete the instructions on what comes next?

    Mod_sec is one of the most piss-poor documented server apps I've ever come across.
    What does exist is obviously IT nerd brain dumps more than coherent end-user documentation.

    I know, tell me about it. This does not stop with mod_security, though; so many tutorials on server security related matters are either seriously lacking or badly outdated. It seems that the linux security experts who actually know wtf they are doing rarely ever want to share quality info with the rest of the world. It's ridiculous to see the same info being reposted over and over on websites out there.

    I've read a ton of blog posts and damn near every noteworthy post on this forum and cPanel's forum, and yet I still have questions I can't find answers to.

    Good luck

  6. #6
    Join Date
    Apr 2005
    Posts
    1,767
    Paulie,

    You may want to check out Atomicorp's mod_security ruleset here:

    http://atomicorp.com/products/modsecurity.html

    They offer a delayed release ruleset as well; you should be able to include a mod_security config file with all of the rules activated using the Include directive in your Apache configuration.

  7. #7
    Join Date
    Feb 2006
    Location
    Kepler 62f
    Posts
    16,703
    Quote Originally Posted by MatthewC View Post
    You need to configure it, then start it from SecRuleEngine.
    That doesn't help.

    Quote Originally Posted by BestServerSupport View Post
    After installation, your next step will be to configure the rules of Mod_Security.
    Yeah, and that's where I'm stuck...

    For complete instructions, kindly refer to the following URL:
    http://www.modsecurity.org/documenta...reference.html
    ... and the official documentation is best described as a "bloated goat" (fatted calf?) with far, far, far, far too much crap in a single document.

    Quote Originally Posted by BestServerSupport View Post
    - The default folder for ModSecurity rules is /etc/modsecurity
    - You might want to edit the SecRequestBodyLimit option in the modsecurity.conf file.
    Note: SecRequestBodyLimit limits the page request size and limits file uploads to 128 KB by default. Change this to the size of files you would accept uploaded to the server.
    This setting is very important since it limits the size of all files that can be uploaded to the server. For CMS sites using Drupal or Wordpress
    ..
    First activate the rules by editing the SecRuleEngine option and setting it to On.
    SecRuleEngine On
    Edit the following option to increase the request limit and save the file:
    SecRequestBodyLimit 16384000
    SecRequestBodyInMemoryLimit 16384000
    This might help. Thank you. I'll look at this over the weekend again.

    Quote Originally Posted by Ramprage View Post
    Do you have cPanel or are you using straight Apache?
    Straight Apache, ISPConfig 3.

    Once I get it successfully installed on this server, and can monitor it, I want to add modsec to three other servers: Plesk/nginx, cPanel/Varnish, ISPConfig/nginx. The nginx are reverse proxy to Apache. Because of potential complications, I wanted to start off with a basic Apache only VPS. Then the cPanel, then the others.

    Quote Originally Posted by paulieb81 View Post
    It seems that the linux security experts who actually know wtf they are doing rarely ever want to share quality info with the rest of the world.
    This is what irritates me the most. I share a lot of my knowledge with others. In a lot of fields, that's the norm. But in the hosting industry, most people want to charge you expensive fees instead of helping with a few quick tips. Worse yet, most of them have absolutely no visible qualifications. "Give you access to my server? Sure, I'll get right on that one."

    Quote Originally Posted by zacharooni View Post
    Paulie,
    You may want to check out Atomicorp's mod_security ruleset here:
    ... They offer a delayed release ruleset as well; you should be able to include a mod_security config file with all of the rules activated using the Include directive in your Apache configuration.
    This is my thread, not Paulie's. (Though it'd be great if he could learn from my plight as well.) Unfortunately your reply doesn't help either of us. I already know about where to get stuff. The problem is installing the damned thing. Instructions don't seem to exist, outside of something that reminds me of the 200-page Windows 95 operating manuals that nobody in their right mind spent time reading.

    ##

    I hate to seem rude, but I don't need more useless links and documentation. I found plenty of that crap through Google on my own. What I'd like is help from people that actually know WTF they're doing -- and are willing to give a few tips. BestServerSupport may have done that.

    It's not often that I post on WHT -- in the capacity of needing something -- so it's rather aggravating to me that I'm not getting the thoughtful sort of replies that I try to give others. Outside of BestServerSupport, of course, who again was potentially helpful. (I won't know until I read it and try it.)


    ##

  8. #8
    Join Date
    Apr 2005
    Posts
    1,767
    The setup for this is pretty extensive, and the Atomicorp wiki does document exactly how to install it, but it sounds like you either don't have the time or the inclination to read it all. For cPanel, I can give you these instructions:

    Place the below in /usr/local/apache/conf/modsec2.conf
    Code:
    LoadFile /opt/xml2/lib/libxml2.so
    LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module modules/mod_security2.so
    <IfModule mod_security2.c>
    SecRuleEngine On
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
    # "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On
    # SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:403"
    # Dots are escaped so the pattern matches only the literal loopback address
    SecRule REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec2.user.conf"
    </IfModule>

    Make sure this exists in /usr/local/apache/conf/httpd.conf
    Code:
    LoadModule security2_module modules/mod_security2.so
    Include "/usr/local/apache/conf/modsec2.conf"

    Distill the Apache configuration:
    Code:
    /usr/local/cpanel/bin/apache_conf_distiller --update --main

    Use the below to install the delayed ruleset:
    Code:
    cd /usr/src
    wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.gz
    mkdir /usr/local/apache/conf/modsecrules
    tar -xzvf modsec-2.5-free-latest.tar.gz -C /usr/local/apache/conf/modsecrules/
    cd /usr/local/apache/conf/modsecrules/modsec
    mv * ../
    cd ../
    rmdir modsec

    Place the below into /usr/local/apache/conf/modsec2.user.conf
    Code:
    SecRequestBodyAccess On
    SecDataDir /tmp
    SecTmpDir /tmp
    SecPcreMatchLimit 150000
    SecPcreMatchLimitRecursion 150000
    Include "/usr/local/apache/conf/modsecrules/00_asl_whitelist.conf"
    Include "/usr/local/apache/conf/modsecrules/05_asl_exclude.conf"
    Include "/usr/local/apache/conf/modsecrules/05_asl_scanner.conf"
    Include "/usr/local/apache/conf/modsecrules/10_asl_antimalware.conf"
    Include "/usr/local/apache/conf/modsecrules/10_asl_rules.conf"
    Include "/usr/local/apache/conf/modsecrules/11_asl_data_loss.conf"
    Include "/usr/local/apache/conf/modsecrules/20_asl_useragents.conf"
    Include "/usr/local/apache/conf/modsecrules/30_asl_antispam.conf"
    Include "/usr/local/apache/conf/modsecrules/30_asl_antispam_referrer.conf"
    Include "/usr/local/apache/conf/modsecrules/40_asl_apache2-rules.conf"
    Include "/usr/local/apache/conf/modsecrules/50_asl_rootkits.conf"
    Include "/usr/local/apache/conf/modsecrules/60_asl_recons.conf"
    Include "/usr/local/apache/conf/modsecrules/99_asl_exclude.conf"
    Include "/usr/local/apache/conf/modsecrules/99_asl_jitp.conf"
    Include "/usr/local/apache/conf/modsecrules/99_asl_redactor.conf"

    Edit /usr/local/apache/conf/modsecrules/05_asl_scanner.conf if you don't intend to use the malware upload scanner. You can substitute the scanner already there with maldet's modsec.sh script if needed, but you must set the public scan mode in conf.maldet to 1.

    Run the following commands to ensure that you have a valid whitelist, which will default to being empty:
    Code:
    mkdir /etc/asl
    touch /etc/asl/whitelist

    Now, restart Apache and tail the logs:
    Code:
    /etc/init.d/httpd restart
    tail -f /usr/local/apache/logs/error_log
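    As an added example (not from any poster in this thread), the following Python script audits a ModSecurity config file along the lines of the steps above and in post #3: whether SecRuleEngine is actually On, what SecRequestBodyLimit and SecRequestBodyInMemoryLimit are set to, and whether every Include target resolves to a file that exists. The sample config, the 131072-byte threshold and the server_root default are constructed assumptions; /tmp stands in for an existing rules file.

```python
import os
import shlex

# Constructed sample, modeled on the thread's modsecurity.conf and
# modsec2.user.conf fragments; not a real server's configuration.
SAMPLE_CONF = """\
# Ubuntu package default: detection only, 128 KB bodies
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRequestBodyLimit 131072
SecRequestBodyInMemoryLimit 131072
Include "/tmp"
Include conf/modsec2.user.conf
"""
SMALL_BODY_LIMIT = 131072  # the 128 KB figure the thread warns about (assumption)

def parse_directives(text):
    """Yield (directive, [args]) from Apache-style config text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # comments and <IfModule>/</IfModule> container lines
        parts = shlex.split(line)  # a quoted Include path stays one argument
        yield parts[0].lower(), parts[1:]

def audit_modsec_conf(text, server_root="/usr/local/apache"):
    """Report engine state, body limits and unresolved Includes (server_root is assumed)."""
    rep = {"engine": None, "body_limit": None, "in_memory_limit": None,
           "missing_includes": [], "warnings": []}
    for name, args in parse_directives(text):
        if name == "secruleengine":
            rep["engine"] = args[0]
        elif name == "secrequestbodylimit":
            rep["body_limit"] = int(args[0])
        elif name == "secrequestbodyinmemorylimit":
            rep["in_memory_limit"] = int(args[0])
        elif name == "include":
            # a relative Include resolves against ServerRoot
            path = args[0] if os.path.isabs(args[0]) else os.path.join(server_root, args[0])
            if not os.path.exists(path):
                rep["missing_includes"].append(path)
    engine = rep["engine"] or "Off"  # ModSecurity's default when the directive is absent
    if engine.lower() != "on":
        rep["warnings"].append(f"SecRuleEngine is {engine}: rules log at most, they block nothing")
    body, mem = rep["body_limit"], rep["in_memory_limit"]
    if body is None:
        rep["warnings"].append("SecRequestBodyLimit not set: the engine default applies")
    elif body <= SMALL_BODY_LIMIT:
        rep["warnings"].append("SecRequestBodyLimit is 128 KB or less: larger uploads are rejected")
    if body is not None and mem is not None and mem > body:
        rep["warnings"].append("SecRequestBodyInMemoryLimit exceeds SecRequestBodyLimit")
    rep["warnings"] += [f"Include target missing: {p}" for p in rep["missing_includes"]]
    return rep
```

Run it against the real file with `audit_modsec_conf(open("/etc/modsecurity/modsecurity.conf").read(), "/etc/apache2")` on Ubuntu, or the cPanel paths above; an empty warnings list means the steps in this post took effect.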

  9. #9
    Join Date
    Feb 2006
    Location
    Kepler 62f
    Posts
    16,703
    The issue at hand covers several topics that vary highly between guides and instructions:

    1. The config file name and location.
    2. The rule locations.
    3. The instructions that refer to symlinking vs folder references.

    My problems:
    - I don't want to symlink rules.
    - I'm not entirely convinced the Atomic rule set is best; I wanted to start with the OWASP rules.

    Most instructions are a clusterf*ck of random information.

    And then you're treated like a total newbie, which dumbs down the instructions so much that they become watered down and confusing for anybody that wants to learn, rather than copy/paste into Putty.

    I started off with the Linode guide, but it's outdated, because several of those files and paths do not exist in September 2012 (now October). So I looked at other documentation at other sites, and those refer to different paths yet again from the Linode guide.

    It's starting to appear that this can be set up however you want.

    Installing the Apache module seems to be the only agreed-upon aspect.
    Code:
    apt-get install libapache-mod-security
    Yes, I'm doing this on Ubuntu -- not on CentOS, cPanel, etc.

    After that, you can apparently do whatever you want.
    - I could name the mod_sec config file "fart_sniffer.conf"
    - I could name the mod_sec rules folders "pixie_dust"
    - I could name the rules whatever anything*.conf in the pixie_dust folder

    The real confusion comes from the guides that all suggest different folder permissions, attaching specific users to folders and files, adding symlinks, etc -- and NONE OF THEM agree in any sort of way.

    That brings up two more issues that concern me:
    1. The guide writers may have no idea what the hell they're doing.
    2. And therefore the mod_sec installed may not function properly, or actually be installed at all.

    Hence my desire to understand the install and config process from the ground up, as opposed to reading monkey-see/monkey-do type instructions (of which almost all of them appear to be copy/paste AND cPanel-centric). While I'd usually read instructions at the script sites, it's not working this time, because the documentation is garbage.

    And all of this results in my public frustration, which is quite rare.

    ##
    Last edited by kpmedia; 10-07-2012 at 11:16 AM.

  10. #10
    Join Date
    Mar 2003
    Location
    South Carolina
    Posts
    369
    I wouldn't feel bad about running Ubuntu. I have always liked it since the first time. I would be running it on my servers instead of CentOS if it were not for the fact almost all the guides are based on CentOS and I think you have issues as I recall if you try to run Ubuntu and cPanel. Seems like they were going to drop support for Ubuntu servers.

    I got the same type of aggravation trying to install FFMPEG.

    You have to watch some instructions on installing mod_security; one of the rules I had for some reason blocked some Google crawls.

  11. #11
    Join Date
    Nov 2011
    Location
    Nasik, MH,INDIA
    Posts
    862

  12. #12
    Join Date
    Feb 2006
    Location
    Kepler 62f
    Posts
    16,703
    Quote Originally Posted by dareORdie View Post
    You will still need to configure it, however, which is the topic for another day.
    Speaking of useless guides...

    WHT has too many people posting useless replies...
    .. instead of reading posts and trying to actually interact with the person who made the thread.

    Quote Originally Posted by cutabovehost View Post
    if you try to run Ubuntu and cPanel.
    Again: I'm NOT running cPanel.

    Outside of shared hosts, in fact, I almost never use cPanel.
    It's a great panel, but I don't want the overhead, nor do I need all of its features on secondary servers.

    I do, however, want to start using mod_security.


    ##
    Last edited by kpmedia; 10-07-2012 at 11:40 AM.

  13. #13

    How did you do it in the end?

    Hello kpmedia

    How did you manage in the end? I had the same issues....
