Mod rules

Hi, just need a bit of info please.

I have ModSecurity installed, and then I installed the Comodo ones and now have a plugin in WHM, and I also clicked update.

But on the site it says I have to download rules and upload them. Is this still correct, or is it all done from WHM now?

Also, do I have to change anything else for them to work?

PS: I see some things are off, like ‘Bruteforce protection’. Do I need to turn everything on or leave it default?

I’m not a CIS expert by any means, I’m just a regular user like yourself. I do know though that having two security products installed is a BIG no-no. I would suggest you uninstall CIS and whatever Mod Security is, then reboot. You should then only install CIS.

Hello.

You don’t need to download rules and update them manually. It is done by the plugin. You can schedule automatic rule updates in Plugins - Comodo WAF - Configuration.
Also, you need to add the following line to the ModSecurity configuration file:

Include "/var/cpanel/cwaf/etc/cwaf.conf"

if you use cPanel, or

Include "/<path_to_cwaf>/cwaf/etc/cwaf.conf"

if you use other WHMS.

Some of our rules are excluded because of false positives. You can turn them on if you need. Please check your modsec_audit.log to avoid false positives.

Hi, thanks, but not sure what you mean by this below. I do use cPanel. Also, why was this topic locked? They told me I did something wrong.

Also you need to add to ModSecurity configuration file the next string:

Include "/var/cpanel/cwaf/etc/cwaf.conf"

if you use Cpanel or

Include "/<path_to_cwaf>/cwaf/etc/cwaf.conf"

if you use other WHMS.

Hi, if you meant add Include "/var/cpanel/cwaf/etc/cwaf.conf" to /usr/local/apache/conf/modsec2.conf, when I checked it was already in there?

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog /usr/local/apache/logs/modsec_audit.log
SecDebugLog /usr/local/apache/logs/modsec_debug.log
SecDebugLogLevel 0
SecRequestBodyAccess On
SecDataDir /tmp
SecTmpDir /tmp
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
Include "/var/cpanel/cwaf/etc/cwaf.conf"

If the string

Include "/var/cpanel/cwaf/etc/cwaf.conf"

is in /usr/local/apache/conf/modsec2.conf and this file is your ModSecurity configuration, there is no need to add anything.

But I never added it in that file. Does your plugin add it?

That’s OK. So, everything should work.
Please, check your modsec_audit.log to be convinced ModSecurity works.

Thanks, and I know this sounds daft, but what do I look for to tell it’s working?

Hi

Take a look into /usr/local/apache/logs/modsec_audit.log
If it contains records, it means mod_security is up and running.

Hi, there is nothing in modsec_audit.log, but I am sure there was an hour ago. I have just built Apache; would that remove them?

Hi!
If you rebuilt Apache, please check your configuration files again. Paths to log files may have changed.
But if you use EasyApache, configuration files should be saved.

I now have some stuff in modsec_audit.log, but others are still blank.

modsec_debug.log is empty because the default debug log level is 0 (no debug).
You can increase it up to 9 (full debug). But in this case modsec_debug.log will be too large, so it should be rotated by size.

Debug log level is set to 1 by default on mine? And modsec_audit.log is still empty, but I only have one site on the server at the moment and no traffic.

Sorry, yes it is 0.

You can check that ModSecurity is working via the link http://your.web-server/?a=b AND 1=1
You should get an error “403 Forbidden” or similar. Also, you’ll see some records in modsec_audit.log.
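An added example, not from this thread or from Comodo, of what "records in modsec_audit.log" look like and how to read them: a small Python parser for ModSecurity's serial audit-log format, run over a constructed sample (rule ids, hostnames and addresses are made up) that reports, per request, the client, the response status (the 403 mentioned above), which rule ids fired and whether the request was blocked, plus per-rule hit counts for the false-positive review suggested earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample in ModSecurity's serial audit-log format (two transactions); ids, hosts and addresses are made up.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[12/Jan/2020:10:00:01 +0000] Xhs1AQ8AAQEAAF1abcAAAAA 203.0.113.5 51234 198.51.100.7 80
--1a2b3c4d-B--
GET /?a=b%20AND%201=1 HTTP/1.1
--1a2b3c4d-F--
HTTP/1.1 403 Forbidden
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:a. [file "/var/cpanel/cwaf/rules/example.conf"] [line "10"] [id "900101"] [msg "EXAMPLE: SQL injection pattern"]
Action: Intercepted (phase 2)
--1a2b3c4d-Z--
--5e6f7a8b-A--
[12/Jan/2020:10:00:02 +0000] Xhs1Ag8AAQEAAF1abcAAAAB 203.0.113.9 51240 198.51.100.7 80
--5e6f7a8b-B--
GET /wp-login.php HTTP/1.1
--5e6f7a8b-F--
HTTP/1.1 200 OK
--5e6f7a8b-H--
Message: Warning. Operator GE matched 3 at IP:bf_counter. [file "/var/cpanel/cwaf/rules/example.conf"] [line "42"] [id "900202"] [msg "EXAMPLE: possible brute force"]
--5e6f7a8b-Z--
"""
BOUNDARY = r"^--([0-9a-f]{8})-([A-Z])--\n"   # e.g. "--1a2b3c4d-H--" opens section H of transaction 1a2b3c4d
RULE_ID = re.compile(r'\[id "(\d+)"\]')      # rule id tag inside the section-H "Message:" lines

def parse_audit_log(text):  # -> {transaction_id: {section_letter: section_text}}
    parts = re.split(BOUNDARY, text, flags=re.M)  # [pre, id, letter, body, id, letter, body, ...]
    tx = {}
    for txid, letter, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        tx.setdefault(txid, {})[letter] = body
    return tx

def summarize(text):  # one record per transaction: client IP, request line, status, rule ids, blocked?
    out = []
    for txid, p in parse_audit_log(text).items():
        a = p.get("A", "").split()   # "[ts tz] uniqid src_ip src_port dst_ip dst_port"
        f = p.get("F", "").split()   # "HTTP/1.1 <status> <reason>"
        h = p.get("H", "")           # audit trailer: Message:/Action: lines
        out.append({"id": txid, "client": a[3] if len(a) > 3 else None,
                    "request": (p.get("B", "") + "\n").splitlines()[0],
                    "status": int(f[1]) if len(f) > 1 and f[1].isdigit() else None,
                    "rules": RULE_ID.findall(h), "blocked": "Action: Intercepted" in h})
    return out

def rule_hit_counts(text):  # hits per rule id; a rule firing often on normal traffic is a false-positive candidate
    return Counter(r for rec in summarize(text) for r in rec["rules"])
```

Point it at the real file with `summarize(open("/usr/local/apache/logs/modsec_audit.log").read())`; an empty result means ModSecurity has logged nothing yet, which on a server with no traffic is expected.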

Hi, I tried what you said but nothing happened.

I’ve read the documentation at Apache Module: ModSecurity - EasyApache - cPanel Documentation and found that ModSecurity is off only for the default domain.
Also, I’ve checked another of your domains, http://another.domain/?a=b%20AND%201=1, and got the “error 403”.
So, I think ModSecurity works.

Hey @needsomehelp. Looks like nobody addressed your original problem: no rules.

If you haven’t solved it, this is what you need to do:

Go into cPanel Comodo WAF and select the Configuration tab. In the “CWAF updater configuration” area, enter your Comodo WAF username and password (the same one you use to log in to waf.comodo.com) and select any schedule next to “Schedule Rules Update.”

That will force a download of the rules. You can verify that you have them by looking for a rules version on the Main tab, next to “Current rules version”, or by going to the Catalog tab.