[mod-security-users] Mod Security Comercial Rules Configuration
From: Irvin V. Á. <irv...@in...> - 2018-05-04 19:03:54
Hello, nice to meet everyone.
I'm writing to you because I recently purchased the Mod Security commercial rule set.
I'm still having doubts about how to properly configure these commercial rules.
The only way I have found to configure these rules on my server is creating a Virtual Host and adding the "SecRemoteRules" statement, as shown in the following module:
<IfModule mod_security2.c>
# Default recommended configuration
SecRuleEngine Off
SecRemoteRules fe586c346452c1240c6786518c1e8d5f2d726e2a https://dashboard.modsecurity.org/rules/download/plain
SecRequestBodyAccess Off
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 20107200
SecRequestBodyNoFilesLimit 9048576
SecRequestBodyInMemoryLimit 9048576
SecRequestBodyLimitAction Reject
#SecPcreMatchLimit 5000
#SecPcreMatchLimitRecursion 5000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/att_modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
#SecDataDir /var/lib/mod_security
</IfModule>
However, if I try to add this configuration to a file called mod_security.conf and call it from the Apache configuration in /etc/httpd/conf/httpd.conf:
<IfModule security2_module>
Include owasp-modsecurity-crs/crs-setup.conf
Include owasp-modsecurity-crs/rules/*.conf
Include /etc/httpd/modsecurity.d/mod_security.conf
</IfModule>
my site will not load: the ports are open and Apache starts, but the page will not load.
Moreover, if I try to configure the SecRemoteRules statement in each Virtual Host, Apache will not load, due to the following error:
[root@mxinsl09 conf.d]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since vie 2018-05-04 13:12:02 CDT; 6s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 716937 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 57115 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
Process: 716886 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 716886 (code=exited, status=1/FAILURE)
may 04 13:12:02 mxinsl09 httpd[716886]: [Fri May 04 13:12:02.762480 2018] [proxy:warn] [pid 716886:tid 122869981182080] AH01146...sharing
may 04 13:12:02 mxinsl09 httpd[716886]: [Fri May 04 13:12:02.762482 2018] [proxy:warn] [pid 716886:tid 122869981182080] AH01146...sharing
may 04 13:12:02 mxinsl09 httpd[716886]: AH00526: Syntax error on line 168 of /etc/httpd/conf.d/femsa_reverse_proxy.conf:
may 04 13:12:02 mxinsl09 httpd[716886]: ModSecurity: SecRemoteRules cannot be used more than once.
may 04 13:12:02 mxinsl09 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
may 04 13:12:02 mxinsl09 kill[716937]: kill: cannot find process ""
may 04 13:12:02 mxinsl09 systemd[1]: httpd.service: control process exited, code=exited status=1
may 04 13:12:02 mxinsl09 systemd[1]: Failed to start The Apache HTTP Server.
may 04 13:12:02 mxinsl09 systemd[1]: Unit httpd.service entered failed state.
may 04 13:12:02 mxinsl09 systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
It seems "SecRemoteRules" cannot be used more than once.
I wonder if leaving the first configuration (the SecRemoteRules directive on just one Virtual Host) will protect my entire server, no matter the number of virtual hosts on that server.
Sorry if this mailing list is for advanced or more detailed questions, but I have had no answer from the support emails: sec...@mo... and ModS...@tr...
I'm looking forward to hearing from you.
Irvin.
--
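The start-up failure quoted in the post is httpd refusing a second SecRemoteRules directive, and the posted block also carries SecRuleEngine Off, which fetches the rules without evaluating them. As an added example (not code from this thread, from Apache or from ModSecurity), the following hypothetical pre-flight lint walks an httpd configuration tree through its Include globs the way httpd does and reports both conditions before a restart; build_sample_tree() is a constructed stand-in for the layout described in the post, and LICENSE_KEY is a placeholder.

```python
# Hypothetical pre-flight lint, not part of Apache or ModSecurity: walks an httpd config
# tree through its Include globs and reports duplicate SecRemoteRules and SecRuleEngine Off.
import glob, os, re, tempfile

INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.I)
DIRECTIVE_RE = re.compile(r"^\s*(SecRemoteRules|SecRuleEngine)\s+(.*)", re.I)  # '#' lines never match

def iter_config_lines(path, server_root, seen):
    """Yield (file, lineno, line) for path and, depth-first, every file it Includes."""
    if os.path.realpath(path) in seen:  # skip include loops
        return
    seen.add(os.path.realpath(path))
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            yield path, n, line
            m = INCLUDE_RE.match(line)
            if m:
                target = m.group(1)  # relative paths resolve against ServerRoot
                target = target if os.path.isabs(target) else os.path.join(server_root, target)
                for child in sorted(glob.glob(target)):  # httpd also processes globs in sorted order
                    if os.path.isfile(child):
                        yield from iter_config_lines(child, server_root, seen)

def lint(root_conf, server_root):
    """Return problem strings for the config tree; an empty list means this check passes."""
    hits = []  # (file, lineno, directive, argument) for every active directive of interest
    for path, n, line in iter_config_lines(root_conf, server_root, set()):
        m = DIRECTIVE_RE.match(line)
        if m:
            hits.append((path, n, m.group(1).lower(), m.group(2).strip().lower()))
    remote = [h for h in hits if h[2] == "secremoterules"]
    problems = []
    if len(remote) > 1:  # httpd aborts at start-up: "SecRemoteRules cannot be used more than once"
        problems.append(f"SecRemoteRules appears {len(remote)} times: " + ", ".join(f"{p}:{n}" for p, n, _, _ in remote))
    if any(h[2] == "secruleengine" and h[3].startswith("off") for h in hits):
        problems.append("SecRuleEngine Off: rules download but nothing is evaluated or blocked")
    return problems

def build_sample_tree():
    """Constructed sample tree mirroring the post: httpd.conf includes two vhost files that both carry the key."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "conf.d"))
    url = "https://dashboard.modsecurity.org/rules/download/plain"
    files = {"httpd.conf": "ServerRoot /etc/httpd\nInclude conf.d/*.conf\n",
             "conf.d/a.conf": f"<VirtualHost *:80>\n SecRuleEngine Off\n SecRemoteRules LICENSE_KEY {url}\n</VirtualHost>\n",
             "conf.d/b.conf": f"#SecRemoteRules LICENSE_KEY {url}\nSecRemoteRules LICENSE_KEY {url}\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return os.path.join(root, "httpd.conf"), root
```

Run lint() against the real tree with the root httpd.conf and ServerRoot before `apachectl configtest`; a single SecRemoteRules placed once at server scope is what this check is meant to confirm.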