Install rules question from a Newbie

Totally new to mod_security so apologies if the question is a bit basic.
I am using the mod_security rules on an AWS apache server.
I followed the instructions, but do not see a cwaf.conf file as referred to in the installation notes. What I do see is 6 files called cwaf_0x.conf where x is 1-6.
Which one of these should I use?
Also, in the downloader, only Apache V1 is available. Is V2 not supported?
Finally, I used cwaf_06 in the include statement in mod_security.conf
Is there an easy way to see if it is working?
Many Thanks
Paul

Hello!

The best way to use our rules is to download our client agent from https://waf.comodo.com/cpanel/cwaf_client_install.sh, for example:

wget --no-check-certificate https://waf.comodo.com/cpanel/cwaf_client_install.sh

Then run the next command:

bash cwaf_client_install.sh

After install you’ll get all necessary configuration files for mod_security to work with our rules.
In directory /<path_to_cwaf>/cwaf/scrips there will be some files:

  • uninstall_cwaf.sh to uninstall rules and client agent
  • update-client.pl to update client agent
  • updater.pl to update rules.

Files cwaf_01-06.conf are our mod_security rules. 1.x versions correspond to our rules versions, not to Apache.

The easiest way to see if mod_security works is to type in the browser the URL http:///?a=b AND 1=1
If mod_security works, you’ll get:

Forbidden
You don’t have permission to access </direcory/> on this server.

Thanks for the reply.
Completed the steps you said, but seemed to get lots of warnings from the installer:

26-08-2014 13:08:24 Starting the installation
26-08-2014 13:08:26 ----------------Checking Apache-----------------------
26-08-2014 13:08:26 Found APACHE version 2.2.27
26-08-2014 13:08:26 Found MODSECURITY version 2.7.3
26-08-2014 13:08:28 ---------------Checking LiteSpeed---------------------
26-08-2014 13:08:28 LiteSpeed binary /usr/local/lsws/bin/lshttpd not found!
26-08-2014 13:08:36 -----------------Checking Nginx-----------------------
26-08-2014 13:08:36 Nginx binary /usr/local/nginx/sbin/nginx not found!
26-08-2014 13:08:38 ------------------------------------------------------
26-08-2014 13:08:38 No suitable LiteSpeed/Nginx web servers found.
26-08-2014 13:08:38 Assigning WEB Platform: Apache
26-08-2014 13:08:38 Using PERL /usr/bin/perl
26-08-2014 13:08:38 Using CPAN
26-08-2014 13:08:38 PERL module JSON is NOT found
26-08-2014 13:08:38 PERL module Crypt::SSLeay is NOT found
26-08-2014 13:08:38 PERL module YAML::Syck is NOT found

(dialog box drawn over the last lines:)
******** ERROR ********
CPAN is not configured!
Please run

and configure it manually, then rerun this installation.
< OK >

Any ideas what I’m doing wrong?
Many Thanks
Paul

Apache and modsecurity are found. Litespeed and Nginx are not installed, but it is not an error. You just need to install some Perl modules: JSON, Crypt::SSL and YAML::Syck. To do it, please, use CPAN, for example:

/usr/bin/cpan with necessary parameters.

Thanks for that.
WRT the cwaf files, which of the 6 should I choose?
Many Thanks
Paul

All files contain different rules; you can use all of them. In the file /<path_to_cwaf>/cwaf/etc/cwaf.conf there is a row

Include /var/cpanel/cwaf/rules/*.conf

It allows them to be used.
/<path_to_cwaf>/cwaf/etc/httpd//modsec2.conf is an example of modsecurity configuration. You should include it or a similar file in your web-server configuration.

You can exclude any rule you need globally in /<path_to_cwaf>/cwaf/etc/httpd/global/ or in /<path_to_cwaf>/cwaf/etc/httpd/domains/ for each domain hosted on your server.

Thanks for your help with this.
Issue was I didn’t have CPAN installed, so sorted that out first, and seem to have got it all installed now.
I’ve added the relevant Include to my mod_security.conf file, and have restarted apache.
All seems good except if I run the url you suggested:
http:///?a=b AND 1=2
it serves up my index file, and doesn’t block the request.
Any idea how I can validate the install?
The include is definitely working, as if I put a typo in the conf.cwaf file name, I get an error when I restart apache, so the files are definitely being referenced and loaded.
Many Thanks
Paul

Are there any records in modsec_audit.log?
You can change SecDebugLogLevel from 0 (no debug) up to 9 (full debug) and see records in modsec_audit.log.
Also if you send us your conf-files (part of httpd.conf, modsecurity conf-files) and log-files content it would be easier to help you with this issue.

where is the modsec_audit.log file?
where do I set SecDebugLogLevel?

mod_security config from directory /etc/httpd/conf.d:

LoadModule security2_module modules/mod_security2.so

<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>

# ModSecurity Core Rules Set configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf

# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security

Include /opt/comodo/waf/cwaf/etc/cwaf.conf

Sorry: found modsec_audit.log

I ran:
http://domain/?a=b%20AND%201=xxyyzz

I searched for xxyyzz in modsec_audit.log but could not find any reference.
Is there some kind of reference I need to put in the httpd.conf file?
Many Thanks
Paul

httpd.conf should include the following line:

Include /etc/httpd/conf.d/*.conf

We recommend in /etc/httpd/conf.d/modsecurity.conf:

SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000

to avoid the “pcre-limit exceeded” error.

Please, check /var/log/httpd/error_log or similar file. Is there a record such as:
[Tue Aug 26 08:48:52.000115 2014] [:notice] [pid 1452:tid 140311824725824] ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/) configured.

Our rules work with ModSecurity 2.7.5 and higher.

Maybe mod_security is not starting?
Here is my log from the last restart

[Fri Aug 29 12:27:00 2014] [notice] SIGHUP received. Attempting to restart
[Fri Aug 29 12:27:00 2014] [notice] Digest: generating secret for digest authentication …
[Fri Aug 29 12:27:00 2014] [notice] Digest: done
[Fri Aug 29 12:27:01 2014] [notice] Apache/2.2.27 (Unix) DAV/2 mod_owa 2.10.0 mod_ssl/2.2.27 OpenSSL/1.0.1h-fips mod_wsgi/3.2 Python/2.6.9 mod_perl/2.0.7 Perl/v5.16.3 configured – resuming normal operations

I have this in httpd.conf:

# Load config files from the config directory "/etc/httpd/conf.d".

#Include conf.d/*.conf
Include /etc/httpd/conf.d/*.conf

So it looks like mod_security is not starting?
So I reinstalled using:
sudo yum install mod_security mod_security_crs

restarted apache
got this in the logs:

[Fri Aug 29 12:43:43 2014] [notice] SIGHUP received. Attempting to restart
[Fri Aug 29 12:43:43 2014] [notice] Digest: generating secret for digest authentication …
[Fri Aug 29 12:43:43 2014] [notice] Digest: done
[Fri Aug 29 12:43:44 2014] [notice] Apache/2.2.27 (Unix) DAV/2 mod_owa 2.10.0 mod_ssl/2.2.27 OpenSSL/1.0.1h-fips mod_wsgi/3.2 Python/2.6.9 mod_perl/2.0.7 Perl/v5.16.3 configured – resuming normal operations
[Fri Aug 29 12:43:47 2014] [error] [client 174.36.197.195] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\\\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:message-timestamp. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: : found within ARGS:message-timestamp: 2014-08-28 13:08:25"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [hostname "callback-ha.spabiz.net"] [uri "/call/nexmo_callback"] [unique_id "VAB1g6wfK9oAADlQC5IAAAAA"]
[Fri Aug 29 12:43:47 2014] [error] [client 174.36.197.195] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\\\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:message-timestamp. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: : found within ARGS:message-timestamp: 2014-08-29 12:19:33"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [hostname "callback-ha.spabiz.net"] [uri "/call/nexmo_callback"] [unique_id "VAB1g6wfK9oAADlREZ8AAAAB"]

As you’ve installed mod_security_crs, you have our config-files and rules and the OWASP (SpiderLabs) config-files and rules. According to error.log:

[Fri Aug 29 12:43:47 2014] [error] [client 174.36.197.195] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\\\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:message-timestamp. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: : found within ARGS:message-timestamp: 2014-08-29 12:19:33"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [hostname "callback-ha.spabiz.net"] [uri "/call/nexmo_callback"] [unique_id "VAB1g6wfK9oAADlREZ8AAAAB"]

modsecurity works.

Our default config is:

LoadFile /opt/xml2/lib/libxml2.so

LoadFile /opt/lua/lib/liblua.so

LoadModule security2_module modules/mod_security2.so

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0
SecRequestBodyAccess On
SecDataDir /tmp
SecTmpDir /tmp
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
Include "/var/cpanel/cwaf/etc/cwaf.conf"

Also, for modsecurity to work it is necessary to load mod_unique_id.so. It may be loaded in the apache configuration. You can back up your old modsecurity configuration (with CRS) and create a new file with the content above. Using both rulesets (ours and CRS) may cause errors in attack or vulnerability detection.
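To read entries like the one quoted above (and to check whether a test token such as xxyyzz from the earlier post ever produced a block), here is an added example, not from the thread or from Comodo's tooling: it parses the ModSecurity 2.x entries in an Apache 2.2 error_log, splits entries that were pasted onto one line, and reports which rule and ruleset acted on which URI. The sample log is constructed from the thread's two entries, with the rule's long character-class regex shortened.

```python
import re
from collections import Counter

# Apache 2.2 error_log entry from ModSecurity 2.x: timestamp, [error], client, action,
# matched pattern, then [key "value"] tags; entries pasted onto one line are split here.
ENTRY_START = re.compile(
    r'(?=\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d \d{4}\] \[error\])')
HEAD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?P<action>Warning|Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\))\. '
    r'(?P<reason>.*?) \[file "')
TAG_RE = re.compile(r'\[([a-z_]+) "([^"]*)"\]')  # file, line, id, msg, data, ver, uri ...

def parse_modsec_log(text):
    """Return one dict per ModSecurity entry; other lines (e.g. [notice]) are skipped."""
    entries = []
    for chunk in ENTRY_START.split(text):
        head = HEAD_RE.match(chunk.strip())
        if not head:
            continue
        entry = {'ts': head['ts'], 'client': head['client'], 'reason': head['reason'],
                 'blocked': head['action'] != 'Warning',
                 'status': int(head['status']) if head['status'] else None,
                 'phase': int(head['phase']) if head['phase'] else None}
        entry.update(TAG_RE.findall(chunk))  # the head never contains [word "..."] tags
        entries.append(entry)
    return entries

def rules_fired(entries):
    """Blocks per (rule id, ruleset version): shows which ruleset is actually acting."""
    return Counter((e.get('id'), e.get('ver', '?')) for e in entries if e['blocked'])

def hits_for(entries, marker):
    """Entries whose uri, matched data or reason mention marker (e.g. a test token)."""
    return [e for e in entries
            if any(marker in e.get(k, '') for k in ('uri', 'data', 'reason'))]

def _entry(stamp, uid):  # constructed sample modelled on the thread's log; rule regex shortened
    return ('[Fri Aug 29 12:43:47 2014] [error] [client 174.36.197.195] ModSecurity: '
            'Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#].*?){4,}" '
            'at ARGS:message-timestamp. [file "/etc/httpd/modsecurity.d/activated_rules/'
            'modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] '
            '[data "Matched Data: : found within ARGS:message-timestamp: ' + stamp + '"] '
            '[ver "OWASP_CRS/2.2.6"] [hostname "callback-ha.spabiz.net"] '
            '[uri "/call/nexmo_callback"] [unique_id "' + uid + '"]')

# Constructed sample log: one [notice] line, then the thread's two entries run together.
SAMPLE_LOG = ('[Fri Aug 29 12:43:44 2014] [notice] Apache/2.2.27 (Unix) configured\n'
              + _entry('2014-08-28 13:08:25', 'VAB1g6wfK9oAADlQC5IAAAAA') + ' '
              + _entry('2014-08-29 12:19:33', 'VAB1g6wfK9oAADlREZ8AAAAB') + '\n')
```

On the sample, both blocks come from OWASP CRS rule 981173 on the /call/nexmo_callback URI, and no entry mentions xxyyzz, which is exactly the situation described earlier in the thread.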

Still going with this.
I swapped out the content of mod_security.conf with the sample file you put in. I get this error:

httpd: Syntax error on line 292 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/mod_security.conf: Cannot load /opt/x2/lib/libxml2.so into server: /opt/xml2/lib/libxml2.so: cannot open shared object file: No such file or directory

So I did a search for the file in question, and cannot find it. I do find these 3 files:
/usr/lib64/libxml2.so.2.9.1
/usr/lib64/libxml2.so.2
/usr/share/doc/libxml2-2.9.1

Can I use one of these?
Many Thanks
Paul

Please, try to make a symlink from /usr/lib64/libxml2.so.2 to /usr/lib64/libxml2.so and rewrite the conf-file.