Manual Apache Configuration

Bad, very bad. My typo! I have not checked my text again. OK. It's getting better.

I need a guide on how the conf files for CWAF have to be written. What options do I have, etc. The official Admin Guide deals almost exclusively with the plugin versions.

The Perl scripts do not generate files into the httpd directory, etc. How can I describe to CWAF which domains need to be protected? And so on.

Hi Mike

I answered you here:

Please ask any questions you have.

Regards, Oleg

Thanks Oleg,
but nothing really changed. CWAF doesn’t work.
After ./cwaf-cli.pl -xl
comes a list of excluded rules for domain : global
214300 to 230040.

I manage my server with ISPConfig. What must I do to protect my specific domains, not globally? And how are so many rules excluded globally?
Mike

Hi Mike

First of all we have to check whether CWAF is included in the mod_security config on your server.
Please check whether the “Include …” string is inserted in the mod_security config.

I use a simple method to check whether the rules are included: I edit a CWAF rules file, adding an error-producing string to it. For example, edit <CWAF_INSTALL_PATH>/rules/00_Init_Initialization.conf,
replacing “SecComponentSignature” with “1SecComponentSignature”.
Then after running
# apachectl -t
I get the following error: “Invalid command ‘1SecComponentSignature’, perhaps misspelled or defined by a module not included”
This means the rules are plugged in correctly, so I can change “1SecComponentSignature” back to “SecComponentSignature”.

Also, to test the rules one can run:
# wget http://localhost/?a=b%20AND%201=1

If the rules are included, entries will be added to the modsec_audit log.

Best regards, Oleg

That was a very helpful hint. The simple tricks are always the best.

I have scoured the configuration files. I changed the files until I get the desired response.

I got the desired result since I edited the file /etc/apache2/mods-enabled/security2.conf with the entry

“IncludeOptional /etc/modsecurity/*.conf”

and disabled all conf files except cwaf.conf.

The rules are working on all my domains. That's cool.

One problem:
If I changed an option in the Joomla administrator backend, such as the on or off state of the website, I got the error 403 with

[id “200004”] [msg “ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED”].

OK. I must disable the ID, but is this the only solution? Or is this not risky in view of CSRF or xssshield vulnerabilities?

Thanks in advance,
Mike

Hi Mike

Rule ID 200004 is not a CWAF rule. After some research I found it in the mod_security.conf sample file shipped with the core rules.
So it seems CWAF is not enabled on your server.
To plug it in, please replace /etc/apache2/mods-enabled/security2.conf with the sample file provided with the CWAF install, either
<CWAF_INSTALL_PATH>/etc/modsec2-example.conf or
<CWAF_INSTALL_PATH>/etc/modsec2_cpanel-example.conf

(I mean delete or rename /etc/apache2/mods-enabled/security2.conf and copy the CWAF file to the /etc/apache2/mods-enabled/ directory, so the old directives will not interfere with the directives in the CWAF file.)

Also, it would be handy to run:
<CWAF_INSTALL_PATH>/scripts/cwaf-cli.pl -xa 230040 (or any other rule ID listed in ./cwaf-cli.pl -xl output)

This will create an exclude list for the CWAF rules turned off by default.

Best regards, Oleg
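
A read-only way to run the two checks discussed above, added here as an example (it is not code from the thread or from CWAF): it follows `Include`/`IncludeOptional` lines starting at the ModSecurity config and reports which included file defines a given rule ID such as 200004. The function names, the demo directory layout and the rule bodies are constructed for illustration; on a real server, pass the path to security2.conf and the Apache ServerRoot.

```python
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.I)
RULE_ID_RE = re.compile(r"""\bid\s*:\s*['"]?(\d+)""")

def included_files(conf, server_root, seen=None):
    """Files Apache would read starting at `conf`, following Include globs."""
    seen = [] if seen is None else seen
    conf = os.path.realpath(conf)
    if conf in seen or not os.path.isfile(conf):
        return seen  # directory-style includes are not expanded here
    seen.append(conf)
    with open(conf, errors="replace") as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if m:  # relative paths resolve against ServerRoot
                for hit in sorted(glob.glob(os.path.join(server_root, m.group(1)))):
                    included_files(hit, server_root, seen)
    return seen

def rule_definitions(conf, rule_id, server_root):
    """(file, line number) pairs where an uncommented rule carries `rule_id`."""
    found = []
    for path in included_files(conf, server_root):
        with open(path, errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                ids = RULE_ID_RE.findall(line)
                if str(rule_id) in ids and not line.lstrip().startswith("#"):
                    found.append((path, no))
    return found

def build_demo_tree():
    """Constructed layout: security2.conf pulls in modsecurity/*.conf only."""
    root = os.path.realpath(tempfile.mkdtemp())
    files = {
        "mods-enabled/security2.conf": "IncludeOptional modsecurity/*.conf\n",
        "modsecurity/modsecurity.conf":
            'SecRule TX:/^MSC_/ "!@streq 0" \\\n  "id:\'200004\',phase:2,deny"\n',
        # hypothetical CWAF rule file that security2.conf never includes
        "cwaf/rules/demo.conf": 'SecAction "id:214300,phase:1,pass,nolog"\n',
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root
```

In the demo tree, rule 200004 resolves to modsecurity/modsecurity.conf and nothing under cwaf/ appears in the included set, which is the situation described in the reply above.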

Hi Oleg,

so I want to exclude rule ID 200004 with:

./cwaf-cli.pl -xa 200004

I got the message:

turning off rules: 200004
domain: global
ERROR: empty update data

After the first try, I started updater.pl, but nothing changed for the better.

Mike

Hi Oleg,
Thanks a lot. I didn’t read your nightly message. I still have to wake up properly.

I fixed all things and it seems to run properly.

Thanx, Mike