Thread: mod_security

  1. #1
    Join Date
    Jan 2005
    Posts
    2,175

    mod_security

    My host just reinstalled mod_security for Apache 1.3.37. I see there are rules in 2 different files: /usr/local/apache/conf/modsec.conf and /usr/local/apache/conf/httpd.conf

    In httpd.conf, there is this line: Include "/usr/local/apache/conf/modsec.conf"

    My question is why are there rules in 2 separate locations, which file do I need to edit if I want to add/remove rules?

  2. #2
    Join Date
    Apr 2004
    Location
    India
    Posts
    211
    All the mod security rules are in the /usr/local/apache/conf/modsec.conf file; you need to edit this file to add or remove rules that you are facing problems with.

    The entry in httpd.conf is for Apache to know which file it needs to use the mod security rules from.

  3. #3
    Join Date
    Jan 2005
    Posts
    2,175
    I forgot to mention that snort is installed on the server, could those rules in httpd.conf be from there? Also, it's the first time seeing the Include "/usr/local/apache/conf/modsec.conf" line in httpd.conf. Am I correct in saying that I could add mod_security rules in httpd.conf file if I omit that Include ........line?

    I just want to make sure that the previous tech has installed mod_security correctly because I've never seen that line there before after telling them to install it over 1 year ago. Since there were problems, they had to reinstall mod_security today. They do tend to mess up sometimes. Thanks for the help.

  4. #4
    Join Date
    Apr 2004
    Location
    India
    Posts
    211
    I guess you can remove the include line from apache conf, but if you add the mod security rules in apache conf it might mess up your conf file.

    I would suggest you leave the Include line in httpd.conf and edit your mod security conf files when you face any issues.

    This is not only easy to track, it also makes it very easy to disable mod security on the server by commenting out the Include line in httpd.conf rather than editing and removing the rules from the httpd.conf file.

  5. #5
    Join Date
    Jan 2005
    Posts
    2,175
    Yes, now I think the previous tech didn't install mod_security correctly. One last question: I plan to use the ruleset from eth00.us. Will it be ok if there are duplicate rules in addition to the default ruleset?

  6. #6
    Join Date
    Apr 2004
    Location
    India
    Posts
    211
    Yes, you can add your own rules for mod security without any problems; I have seen a lot of customized rules being used with mod security and they work like a charm.

    BTW it is eth0.us and not eth00.us

  7. #7
    Join Date
    Jan 2005
    Posts
    2,175
    Ok, so it wouldn't matter if there are duplicate rules in the modsec.conf file? Sorry for the repeated questions.

    How do you fix this? I got this in my cron.hourly emails:


    /etc/cron.hourly/modsecparse.pl:

    cp: cannot stat `/usr/local/apache/logs/audit_log': No such file or directory

  8. #8
    Join Date
    Apr 2004
    Location
    India
    Posts
    211

  9. #9
    Join Date
    Jan 2005
    Posts
    2,175
    I found a fix at the cpanel forums in case it might help others:

    type
    touch /usr/local/apache/logs/audit_log
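
As an added example (not from any post in this thread), the Python sketch below answers the two questions raised above for a given server: it follows the Include lines from httpd.conf, lists where every mod_security directive is defined, flags rules that appear more than once, and reports any SecAuditLog target that does not exist yet. The function names are hypothetical, only plain-file Include lines are followed, and it assumes mod_security 1.x directives all begin with "Sec".

```python
import re, tempfile
from collections import defaultdict
from pathlib import Path

INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?', re.IGNORECASE)
SEC_RE = re.compile(r'^\s*(Sec[A-Z]\w*)\s*(.*)$')  # SecFilter, SecAuditLog, ...

def collect_rules(conf, server_root="/usr/local/apache", seen=None):
    """Return (file, line, directive, args) for conf and every file it Includes."""
    seen = set() if seen is None else seen
    path = Path(server_root, conf)  # an absolute conf path overrides server_root
    if path in seen or not path.is_file():
        return []  # already visited, or a wildcard/directory Include (not handled)
    seen.add(path)
    found = []
    for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out rules are not active
        inc, sec = INCLUDE_RE.match(line), SEC_RE.match(line)
        if inc:
            found += collect_rules(inc.group(1), server_root, seen)
        elif sec:
            found.append((str(path), no, sec.group(1), " ".join(sec.group(2).split())))
    return found

def duplicates(rules):
    """Map each (directive, args) that appears more than once to its locations."""
    where = defaultdict(list)
    for file, no, name, args in rules:
        where[(name, args)].append((file, no))
    return {rule: locs for rule, locs in where.items() if len(locs) > 1}

def missing_audit_logs(rules, server_root="/usr/local/apache"):
    """SecAuditLog targets that do not exist (relative paths resolve under server_root)."""
    logs = [args.strip('"') for _, _, name, args in rules if name == "SecAuditLog"]
    return [log for log in logs if not Path(server_root, log).exists()]

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())  # constructed sample tree, not a real server
    (root / "modsec.conf").write_text(
        'SecFilterEngine On\nSecAuditLog logs/audit_log\nSecFilter "\\.\\./"\n')
    (root / "httpd.conf").write_text(
        f'Include "{root}/modsec.conf"\n<IfModule mod_security.c>\n'
        '  SecFilter "\\.\\./"\n</IfModule>\n')
    rules = collect_rules("httpd.conf", root)
    for (name, args), locs in duplicates(rules).items():
        print("duplicate:", name, args, "at", locs)
    print("missing audit logs:", missing_audit_logs(rules, root))
```

On a real server, call `collect_rules("conf/httpd.conf")` with the default server root instead of the constructed temporary tree.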
