Web Application Firewall -Free Modsecurity rules

Hello guys,

After searching for free good rules, i fell on these, which seems to be pretty good.

I used the cpanel installation script (no problems during the installation with cpanel choice) and faced the same error when trying to open the module in WHM → “Can’t locate Comodo/CWAF/Cpanel.pm in [at]INC”

The solution provided by George wasn’t effective, i had to modify it a little to get the module & update working.

In all 3 following files i’ve added this just after #!/usr/bin/perl :

BEGIN { unshift [at]INC, '/var/cpanel/cwaf/modules/CPAN/lib/'; }

/usr/local/cpanel/whostmgr/docroot/cgi/addon_cwaf.cgi
/usr/local/cpanel/whostmgr/docroot/cgi/cwaf_main.cgi
/var/cpanel/cwaf/scripts/updater.pl

As of now I have been able to open the module in WHM and update the rules, i didn’t test exclusions yet but i can see a file which is read in the tab with the following content, so it may work :

# Created by CWAF management application # Note! This file may be modified and any manual changes may be lost! # Date: 16/02/14 17:57:07 UTC

Regarding the rules they seems to be working as shown in the log for example :

Message: [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "878"] [id "212222"] [msg "COMODO WAF: Blocking python-requests User-Agent. Disable rule if you need it."] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "python-requests/" at REQUEST_HEADERS:User-Agent.

My environment is as follow :

  • Centos 6 with 3.2.54-61.art.x86_64 kernel
  • Cpanel 11.40.1.11

A note for all trying to make this work too, the [at] in “[at]INC” has to be replaced with the real at-sign or it won’t work and you’ll get a syntax error.

Hope this will help.