Forced rules

Hi Comodo,

We currently use Comodo’s rule-set with Config ModSecurity (which easily allows us to disable modsec rules on individual accounts or modsec altogether).

We’ve run into a slight problem: we currently use the custom_user.conf to add our own custom rules; however, 1 user on the server had ModSec disabled on their account, and obviously the rules there were not being processed, as ModSecurity is disabled for that specific domain (through Config ModSecurity).

Is there a way to enforce rules across the entire server regardless of whether the user has enabled or disabled ModSecurity?

E.g. have a ruleset which will ALWAYS work regardless of whether it has been disabled via CMC?

This would be an interesting feature. Some rules, like brute force protection for example, should be enabled regardless of whether the client likes it or not, as brute force attacks can overload and even crash a busy mid-end server.

I actually dislike the entire idea of disabling ModSecurity. The ideal solution would be to provide users access to the ModSecurity logs related to their domains, along with an option to whitelist rules by themselves and report false positives.

This might be quite complicated to develop, but I’d even pay a monthly license if a cPanel plugin like this existed. It would make all users happy and I could send my staff on vacation since we’d get fewer tickets. :)

Hello.

Any ruleset will work if ModSecurity is on. You can turn ModSecurity on globally in your web server’s main config. It should be after your virtual host configuration. In this case ModSecurity will work for all users even if someone turns ModSecurity off. So you can create a separate ruleset for all users.

ModSecurity is already included in the Apache httpd.conf file:

Include "/usr/local/apache/conf/modsec2.conf"

The above will load:

LoadFile /opt/xml2/lib/libxml2.so

LoadFile /opt/lua/lib/liblua.so

<IfModule !mod_security2.c>
    LoadModule security2_module modules/mod_security2.so
</IfModule>

SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
SecAuditLogType Concurrent

SecAuditLog /usr/local/apache/logs/modsec_audit.log
SecDebugLog /usr/local/apache/logs/modsec_debug.log
SecDebugLogLevel 0
SecRequestBodyAccess On
SecDataDir /tmp
SecTmpDir /tmp
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
Include "/var/cpanel/cwaf/etc/cwaf.conf"
Include "/usr/local/apache/conf/modsec2.whitelist.conf"
Include "/usr/local/apache/conf/modsec2.cpanel.conf"

Would you mind re-iterating in a little more detail how to accomplish a separate rule-set that is always ON, regardless of whether ModSecurity has been disabled?

Your httpd.conf contains the following lines:

# COMODO rules + excludes
Include "/usr/local/apache/conf/modsec2.conf"

# Virtual hosts configuration

    ServerName vh.name1
    DocumentRoot /home/<Modsec_disabled_user>/public_html
    Include "/usr/local/apache/conf/userdata/std/2/<Modsec_disabled_user>/*.conf"

    ServerName vh.name2
    DocumentRoot /home//public_html
    ......
    Include "/usr/local/apache/conf/userdata/std/2//*.conf"

etc.

At the end of the file:

Include "/usr/local/apache/conf/includes/post_virtualhost_global.conf"
Include "/usr/local/apache/conf/includes/post_virtualhost_2.conf"

You can write your configuration in these files via
Service Configuration – Apache Configuration – Include Editor.
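Before relying on a global include, it helps to know exactly which accounts have had the engine switched off in their per-domain userdata includes, since those are the vhosts the question is about. The script below is an added example, not something posted in this thread or shipped by Comodo or cPanel. It assumes the per-account include path quoted above (`/usr/local/apache/conf/userdata/std/2/<user>/*.conf`) and the standard ModSecurity directive `SecRuleEngine Off` (or `DetectionOnly`) as the way the engine gets disabled; `make_sample_tree` builds a constructed directory tree so the check can be tried offline.

```shell
#!/bin/sh
# Added example: list cPanel accounts whose per-domain userdata includes turn
# ModSecurity off, i.e. the vhosts a server-wide ruleset would not protect.
# Assumptions (not stated in the thread): overrides live in
#   $USERDATA_DIR/<user>/*.conf  (default path taken from the thread)
# and the engine is disabled with the ModSecurity directive "SecRuleEngine Off".

USERDATA_DIR="${USERDATA_DIR:-/usr/local/apache/conf/userdata/std/2}"

# Print one account name per line for every account whose include files set
# SecRuleEngine to Off or DetectionOnly. Matching is case-insensitive, anchored
# at the start of the (possibly indented) line, so commented-out lines are skipped.
find_modsec_disabled() {
    dir="$1"
    for userdir in "$dir"/*/; do
        [ -d "$userdir" ] || continue
        user=$(basename "$userdir")
        if grep -qiE '^[[:space:]]*SecRuleEngine[[:space:]]+(Off|DetectionOnly)([[:space:]]|$)' \
                "$userdir"*.conf 2>/dev/null; then
            printf '%s\n' "$user"
        fi
    done
}

# Build a constructed sample tree (three accounts) and print its path, so the
# check above can be exercised without touching a real server.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/alice" "$base/bob" "$base/carol"
    # alice: no ModSecurity directives at all, engine inherited from the server
    : > "$base/alice/custom.conf"
    # bob: engine disabled per domain (constructed, mirrors what a CMC disable does)
    printf '<IfModule mod_security2.c>\n    SecRuleEngine Off\n</IfModule>\n' \
        > "$base/bob/modsec.conf"
    # carol: only a commented-out Off, so the engine stays on
    printf '# SecRuleEngine Off\nSecRuleEngine On\n' > "$base/carol/modsec.conf"
    printf '%s\n' "$base"
}

# Usage: ./modsec_disabled.sh            (scans $USERDATA_DIR, default path above)
#        ./modsec_disabled.sh --demo     (scans the constructed sample tree)
if [ "${1:-}" = "--demo" ]; then
    find_modsec_disabled "$(make_sample_tree)"
else
    find_modsec_disabled "$USERDATA_DIR"
fi
```

Run it as root on the web server (or point `USERDATA_DIR` at a copy of the tree) after enabling a global ruleset; any account it prints still has the engine switched off at vhost level and should be reviewed separately. In the constructed tree only `bob` is reported.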