How to install the free rules?

Sorry, it’s a noob question. I manage a dedicated Apache server (CentOS) with mod_security installed. The “Comodo Free Mod Security Rules - Quick Start Guide” says to:

  1. download the rules (done)
  2. extract them to a folder on the server E.g. /opt/comodo/waf
  3. for CentOS: edit the file /etc/httpd/conf.d/mod_security.conf to include the following configuration key: Include /opt/comodo/waf/etc/cwaf.conf
  4. restart Apache.

First question: even though I have CentOS, my mod_sec files are under /usr/local/apache/conf and not /etc/httpd/conf.d/. This is confusing (different folder?), also because in there I have a modsec2.conf and a modsec2.user.conf, and I believe I should edit the latter?

Second question: it says (point 3) to include /opt/comodo/waf/etc/cwaf.conf, but in the unzipped rules folder there is no cwaf.conf, only a series of cwaf_01.conf, cwaf_02.conf etc., so the command include /opt/comodo/waf/etc/cwaf.conf would not find the file and it’s likely Apache won’t reboot.

I also downloaded the .sh installer but I am not comfortable running an unknown script as root.

At the moment in my WHM under Mod Security>EditConfig I only have this command:
Include /usr/local/apache/conf/modsec2.whitelist.conf
I’d like to add a new line with the comodo rules and get the job done.

Any help highly appreciated!

  1. Yes, you can save your configuration files anywhere you need, i.e. /usr/local/apache/conf, /etc/httpd/conf.d/, /etc/httpd/conf/ etc., using 'Include </path_to_conf/*.conf>'.
  2. If you download the rules only (not the installation script), you get rules, blacklists and the excluded-rules list. cwaf.conf contains the following lines:

Include /var/cpanel/cwaf/etc/httpd/domains/*.conf (excluded rules for domains)
Include /var/cpanel/cwaf/rules/*.conf (cwaf rules)
Include /var/cpanel/cwaf/etc/httpd/global/*.conf (globally excluded rules)
Include /var/cpanel/cwaf/etc/httpd/custom_user.conf (custom config)

You can add the following line to your mod_security configuration file:
Include /path_to_cwaf/cwaf/rules/*.conf
and restart Apache.

Hi

This is OK. It happens because you have cPanel on the server. The default path for cPanel is /usr/local/apache/conf.
You have to edit modsec2.user.conf, adding a link to the COMODO rules (which is the more preferable way). Below I will explain how to do it.

Second question: it says (Point 3) to include /opt/comodo/waf/etc/cwaf.conf but in the unzipped rules folder there is no cwaf.conf but a series of cwaf_01.conf, cwaf_02.conf etc. so the command: include /opt/comodo/waf/etc/cwaf.conf would not find the file and it's likely Apache won't reboot.

These docs are a bit outdated. We’re preparing new ones.

I also downloaded the .sh installer but I am not comfortable running an unknown script as root.

This script installs the CWAF plugin for cPanel to organize rules management in a more convenient way.
It contains an updater to update rules regularly or on demand, a catalog to exclude some rules from play, a user-friendly mod_security configuration and more.
But again, it is just for convenience; the rules will work without it.

At the moment in my WHM under Mod Security>EditConfig I only have this command: Include /usr/local/apache/conf/modsec2.whitelist.conf I'd like to add a new line with the comodo rules and get the job done.

All you need is to add one line to the mod_security configuration. In WHM under Mod Security > Edit Config you will see the content of modsec2.user.conf. To add the COMODO rules, edit it in this way:

Include <path_to_extracted_COMODO_rules>/*.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf

So whitelist.conf goes AFTER the rules, and if you add excludes later, they will work correctly.
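The edit described in this answer, as an added example that is not part of the thread and not Comodo's installer: a POSIX shell helper that inserts the COMODO Include line ahead of the existing whitelist Include in modsec2.user.conf, refuses a rules directory that contains no *.conf files (Apache 2.4 fails its config test when an Include wildcard matches nothing; IncludeOptional is the lenient form), and verifies the resulting order. The directory and file paths it is given are the thread's assumptions, and the whitelist file name is taken from the WHM line quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or Comodo): put the COMODO rules Include
# before the cPanel whitelist Include in modsec2.user.conf, safely.
set -eu

# Usage: cwaf_add_include <rules_dir> <modsec2.user.conf>
# Idempotent: does nothing if the Include line is already present.
cwaf_add_include() {
    rules_dir=$1
    conf=$2
    # Refuse a directory with no *.conf files: Apache 2.4 would not start,
    # because an Include wildcard that matches nothing is a fatal config error.
    if ! ls "$rules_dir"/*.conf >/dev/null 2>&1; then
        echo "no *.conf files under $rules_dir" >&2
        return 1
    fi
    if grep -qF "Include $rules_dir/*.conf" "$conf"; then
        return 0
    fi
    tmp=$(mktemp)
    # Rules first, then whatever was already there (the whitelist Include),
    # so later exclusions in the whitelist can override the rules.
    { printf 'Include %s/*.conf\n' "$rules_dir"; cat "$conf"; } > "$tmp"
    cat "$tmp" > "$conf"   # rewrite in place to keep the file's ownership and mode
    rm -f "$tmp"
}

# Usage: cwaf_check_order <rules_dir> <modsec2.user.conf>
# Returns 0 only if the rules Include comes before the modsec2.whitelist.conf Include.
cwaf_check_order() {
    awk -v inc="Include $1/*.conf" '
        index($0, inc) == 1 && !rules            { rules = NR }
        /^Include .*modsec2\.whitelist\.conf/ && !wl { wl = NR }
        END { exit !(rules && wl && rules < wl) }
    ' "$2"
}

# Command-line use: cwaf_include.sh /opt/comodo/waf/rules /usr/local/apache/conf/modsec2.user.conf
if [ $# -ge 2 ]; then
    cwaf_add_include "$1" "$2"
    cwaf_check_order "$1" "$2" && echo "Include order OK; now run: apachectl configtest"
fi
```

Run `apachectl configtest` (or `httpd -t`) after the edit and before restarting Apache; a missing file or a typo in the Include path shows up there instead of as a failed restart.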

Now everything seems clear, thank you so much guys I will give it a try later today and report back here if Apache crashes :wink:

(in fact on a second thought, is there a way I can check if the rules work, perhaps using http://wannabrowser.com/ i.e. the user agent spoofing tool??)

To check if the rules work you can:

  1. create the request http://yoursite.com/?a=b AND 1=1
    In this case you should get some error, for example ‘error 403’ Forbidden;
  2. look at modsec_audit.log. In your mod_security configuration file there should be a line like this:

SecAuditLog /var/log/httpd/modsec_audit.log

Also you can use SecDebugLogLevel. This parameter ranges from 0 (no debug) to 9 (full debug). It is logged by:

SecDebugLog /var/log/httpd/modsec_debug.log

If you use full debug the log file size may be too large, so you need log rotation by size or a lower debug level.

Your log files may be here: /usr/local/apache/logs/
So, in your config there should be:

SecAuditLog /usr/local/apache/logs/modsec_audit.log
SecDebugLog /usr/local/apache/logs/modsec_debug.log
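The two checks in this answer, as an added example that is not part of the thread and not Comodo's code: a curl wrapper that sends the probe request and reports the HTTP status, and an awk summary of modsec_audit.log that prints, per entry, the client IP, whether the request was denied, and how many "Use SecDataDir" collection errors it carried. It assumes the ModSecurity 2.x serial audit-log layout (sections bounded by --<id>-A-- through --<id>-Z--); the sample log it writes is constructed for the example, with documentation IP addresses.

```shell
#!/bin/sh
# Added example (not from the thread or Comodo): probe the WAF and summarize
# modsec_audit.log per entry. Assumes ModSecurity 2.x serial audit-log format.
set -eu

# Usage: modsec_test_request <url>
# Sends the thread's probe "?a=b AND 1=1" and prints the HTTP status; 403 means a rule fired.
modsec_test_request() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode 'a=b AND 1=1' "$1"
}

# Usage: audit_summary <modsec_audit.log>
# Prints one line per audit entry: "<client ip> denied|passed <SecDataDir-error count>".
# In the A section the line "[timestamp] unique-id client-ip client-port server-ip server-port"
# holds the client IP as its 4th whitespace field (the timestamp is two fields).
audit_summary() {
    awk '
        /^--[^-]+-A--$/ { sect = "A"; ip = "?"; denied = 0; collerr = 0; next }
        /^--[^-]+-Z--$/ { printf "%s %s %d\n", ip, (denied ? "denied" : "passed"), collerr; next }
        /^--[^-]+-[B-Y]--$/ { sect = substr($0, length($0) - 2, 1); next }
        sect == "A" && $1 ~ /^\[/ { ip = $4 }
        sect == "H" && /^Message: Access denied/ { denied = 1 }
        sect == "H" && /Use SecDataDir to define data directory first/ { collerr++ }
    ' "$1"
}

# Usage: write_sample_audit_log <file>
# Constructed sample with two entries: a blocked SQLi probe and a passed request
# carrying the collection errors that appear later in this thread (SecDataDir unset).
write_sample_audit_log() {
    cat > "$1" <<'EOF'
--5c8c3b2e-A--
[07/Oct/2014:15:41:14 +0000] VDQHGgoAAQEAAEmlAAAAAA 203.0.113.10 51234 198.51.100.5 80
--5c8c3b2e-B--
GET /?a=b%20AND%201=1 HTTP/1.1
Host: www.example.com
User-Agent: curl/7.29.0

--5c8c3b2e-F--
HTTP/1.1 403 Forbidden
Content-Length: 199

--5c8c3b2e-H--
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:a. [msg "constructed sample: SQLi probe"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--5c8c3b2e-Z--
--6d9d4c3f-A--
[07/Oct/2014:15:41:20 +0000] VDQHIAoAAQEAAEmmAAAAAA 203.0.113.11 51240 198.51.100.5 80
--6d9d4c3f-B--
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

--6d9d4c3f-F--
HTTP/1.1 200 OK
Content-Length: 12

--6d9d4c3f-H--
Message: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "203.0.113.11_"). Use SecDataDir to define data directory first.
Message: collection_store: Unable to store collection (name "ip", key "203.0.113.11_"). Use SecDataDir to define data directory first.
Engine-Mode: "ENABLED"

--6d9d4c3f-Z--
EOF
}

# Command-line use: audit_check.sh /usr/local/apache/logs/modsec_audit.log [http://yoursite.com/]
if [ $# -ge 1 ]; then
    [ $# -ge 2 ] && echo "probe status: $(modsec_test_request "$2")"
    audit_summary "$1"
fi
```

A non-zero third column on many lines is the SecDataDir symptom discussed further down the thread; a second column that never says "denied" after the probe means the rules are not being loaded at all, so check the Include path and `apachectl configtest` first.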

Rules successfully installed, I think; a look at the modsec_audit.log file shows a lot of entries like this:

Message: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "188.125.167.82_"). Use SecDataDir to define data directory first.
Message: collection_store: Unable to store collection (name "ip", key "188.125.167.82_"). Use SecDataDir to define data directory first.
Stopwatch: 1412694074773741 2089 (- - -)
Stopwatch2: 1412694074773741 2089; combined=809, p1=231, p2=428, p3=0, p4=57, p5=71, sr=62, sw=22, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Engine-Mode: "ENABLED"

Is that ‘Unable to retrieve collection’ error message a reason to be worried about??? Thanks again everyone for your great help.

I have added this: SecDataDir /tmp
and hopefully the error will go away.

I have added this: SecDataDir /tmp and hopefully the error will go away.

It seems the default mod_security installation for cPanel doesn’t set the SecDataDir directive.
All should be OK now. Please let us know about any problems left.

It works well now, I get lots of Access denied in the modsec_audit.log file. ;D
Is there a way I could add my own spam bots (the ones I know are frequently attacking the server) to the rules? I am asking because unfortunately the server got attacked again last night and load averages went out of the roof (again).

In your cwaf.conf there should be a line:

Include /path_to_cwaf/cwaf/etc/httpd/custom_user.conf

You can add your own rules (configurations) to it.

There are files in the rules folder you can use to block bots.
userdata_bl_agents or bl_agents contain User-Agent signatures.
bl_domains contains domain names to block.

I have both, userdata_bl_agents which is empty and bl_agents with many entries already, so I guess it’s best to use userdata_bl_agents since bl_agents will probably contain new entries when the rules get an update.

You are right. bl_agents may be rewritten in updates.
So using userdata_* is preferable. To update the rules you can download only the modified files and see what files were changed or added.
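As an added example (not Comodo's code, and not the format of its bl_agents files, which the thread does not show): a rule for the custom_user.conf mentioned above that blocks any request whose User-Agent contains a line from a local list, using ModSecurity's @pmFromFile operator, plus an offline check of which agent strings the list would catch before Apache is reloaded. The list file name, rule ID and tag are assumptions; rule IDs 1-99999 are ModSecurity's reserved local range, so a local rule there cannot collide with the vendor rule set, which is the same reason not to edit bl_agents itself.

```shell
#!/bin/sh
# Added example (not from the thread or Comodo): block User-Agents from a
# locally maintained list via custom_user.conf, and pre-check the list offline.
set -eu

# Usage: write_ua_blocklist <listfile> <pattern>...
# One fixed-string pattern per line; @pmFromFile matches case-insensitively
# anywhere inside the header, so keep patterns specific (no bare "bot").
write_ua_blocklist() {
    out=$1; shift
    printf '%s\n' "$@" > "$out"
}

# Usage: write_ua_rule <custom_user.conf> <listfile> <rule_id>
# Writes one phase-1 rule (headers only, so it runs before the body is read).
# Use an absolute <listfile> path so the rule does not depend on the config file's location.
write_ua_rule() {
    cat > "$1" <<EOF
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile $2" \\
    "id:$3,phase:1,deny,status:403,log,msg:'Blocked User-Agent from local list',tag:'local-bl'"
EOF
}

# Usage: ua_would_block <listfile> <user-agent string>
# Mirrors @pmFromFile offline: case-insensitive, fixed-string, substring match.
# Returns 0 if the agent would be blocked, 1 otherwise.
ua_would_block() {
    pats=$(mktemp)
    # Drop blank and comment lines: a blank grep pattern would match every agent.
    sed '/^[[:space:]]*$/d; /^#/d' "$1" > "$pats"
    if printf '%s\n' "$2" | grep -qiF -f "$pats"; then
        rm -f "$pats"; return 0
    fi
    rm -f "$pats"; return 1
}

# Command-line use (assumed paths):
#   ua_block.sh /usr/local/apache/conf/my_bad_agents.txt /opt/comodo/waf/etc/httpd/custom_user.conf
if [ $# -ge 2 ]; then
    write_ua_blocklist "$1" "EvilScraper" "Bot/9"
    write_ua_rule "$2" "$1" 90001
    # Dry run against the agents from today's access log before reloading Apache.
    awk -F'"' '{ print $6 }' /usr/local/apache/logs/access_log 2>/dev/null | sort -u |
    while IFS= read -r ua; do
        ua_would_block "$1" "$ua" && echo "would block: $ua"
    done
    echo "now run: apachectl configtest"
fi
```

The dry run matters more than the rule: a pattern that also matches a legitimate browser or a search-engine crawler turns the load problem into a self-inflicted outage, and grep against yesterday's access log shows that before the 403s do.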