mod-security-users Mailing List for ModSecurity (Page 14)
Brought to you by:
victorhora,
zimmerletw
From: Blason R <bla...@gm...> - 2021-03-10 09:40:23
My bad and apologies for wrong posting.

On Wed, Mar 10, 2021 at 12:32 PM Ervin Hegedüs <ai...@gm...> wrote:
> Hi,
>
> please note, this is a CRS question, not ModSecurity.
> There is a dedicated mailing list for the rule set:
> https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
>
> On Wed, Mar 10, 2021 at 11:21:14AM +0530, Blason R wrote:
> > Hi Team,
> >
> > I am really looking at everywhere but unable to find the exact information.
> > I am struggling to find how do I increase Paranoia level gradually?
> > I really don't see settings in configuration or might have overlooked? but
> > can someone help me understanding the procedure?
>
> take a look at your crs-setup.conf:
> https://github.com/coreruleset/coreruleset/blob/v3.4/dev/crs-setup.conf.example#L176-L182
>
> The default PL is 1:
> https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-901-INITIALIZATION.conf#L100-L107
>
> this means if user doesn't give any explicit value in the setup,
> then this rule sets it to 1.
>
> Just uncomment the lines in your setup, and set the necessary
> value in rule 900000. Before that action, you can find a small
> summary about paranoia levels.
>
> hth,
>
> a.
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
From: Christian F. <chr...@ne...> - 2021-03-10 07:14:15
Hey Blason,

On Wed, Mar 10, 2021 at 11:21:14AM +0530, Blason R wrote:
> I am really looking at everywhere but unable to find the exact information.
> I am struggling to find how do I increase Paranoia level gradually?
> I really don't see settings in configuration or might have overlooked? but
> can someone help me understanding the procedure?

You have probably overlooked the explanation in crs-setup.conf.

There are two values involved:

- tx.paranoia_level
  This is the PL that we are going to block in. We thought about renaming this to tx.blocking_paranoia_level, but then we thought it would have been too cumbersome on the users.

- tx.executing_paranoia_level
  This is the PL of the rules that we are going to execute. It is greater or equal to tx.paranoia_level.

So with these two settings, you can block on PL1, but execute PL2, tune away the false positives of PL2 and then raise the blocking PL to 2 as well. And then to the next step.

The advantage of this process is that without the executing PL setting, you would dive into a higher PL without knowing the new false positives in advance and you would probably have to raise the anomaly threshold for a certain transition period, thus lowering your defenses. The introduction of the execution paranoia level allows you to keep the defenses up.

Cheers,

Christian

--
Seek simplicity, and distrust it.
-- Alfred North Whitehead
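As an added example (not code from the thread or from the CRS project), a small POSIX shell helper for the block-on-PL1, execute-PL2 workflow Christian describes: it emits the two crs-setup.conf SecAction rules for a chosen pair of levels and summarises, from error-log lines, which rules fired at a given paranoia level so the PL2 false positives can be tuned before the blocking PL is raised. Rule 900000 is the one named in the thread; the companion rule id 900001, the single-line rule form, the function names and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing list or the CRS project.
# Assumes a CRS 3.x install in which every rule carries a
# [tag "paranoia-level/N"] and the web server error log uses the usual
# ModSecurity "[id ...] ... [hostname ...] [uri ...]" bracketed fields.

# Print the crs-setup.conf rules that set the blocking PL (rule 900000)
# and the executing PL (rule 900001, assumed id) for the given levels.
# Only levels 1-4 are accepted and executing must not be below blocking,
# matching the "greater or equal" rule stated in the thread.
crs_pl_setup() {
    blocking="$1"
    executing="$2"
    [ -n "$blocking" ] && [ -n "$executing" ] || return 1
    case "$blocking$executing" in *[!1-4]*) return 1 ;; esac
    [ "$executing" -ge "$blocking" ] || return 1
    printf 'SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=%s"\n' "$blocking"
    printf 'SecAction "id:900001,phase:1,nolog,pass,t:none,setvar:tx.executing_paranoia_level=%s"\n' "$executing"
}

# Read error-log lines on stdin and list, most frequent first, the
# "rule id / hostname / uri" triples that fired at paranoia level $1.
# With blocking PL1 and executing PL2, running this for level 2 lists the
# PL2 hits that need rule exclusions before the blocking PL goes to 2.
pl_hits() {
    level="$1"
    grep -F "[tag \"paranoia-level/$level\"]" |
        sed -n 's/.*\[id "\([0-9]*\)"].*\[hostname "\([^"]*\)"].*\[uri "\([^"]*\)"].*/\1 \2 \3/p' |
        sort | uniq -c | sort -rn
}

# Constructed sample lines in the shape of CRS 3.x error-log entries
# (addresses, ids and messages invented for the example).
SAMPLE_LOG='[Wed Mar 10 09:40:23.000000 2021] [:error] [pid 4242] [client 203.0.113.5:51234] ModSecurity: Warning. Pattern match at ARGS:q. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "attack-sqli"] [tag "paranoia-level/1"] [hostname "example.com"] [uri "/search"] [unique_id "constructed-0001"]
[Wed Mar 10 09:41:07.000000 2021] [:error] [pid 4242] [client 203.0.113.5:51240] ModSecurity: Warning. Pattern match at ARGS:q. [id "942430"] [msg "Restricted SQL Character Anomaly Detection (args)"] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] [tag "attack-sqli"] [tag "paranoia-level/2"] [hostname "example.com"] [uri "/search"] [unique_id "constructed-0002"]
[Wed Mar 10 09:42:30.000000 2021] [:error] [pid 4243] [client 198.51.100.7:40022] ModSecurity: Warning. Pattern match at ARGS:q. [id "942430"] [msg "Restricted SQL Character Anomaly Detection (args)"] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] [tag "attack-sqli"] [tag "paranoia-level/2"] [hostname "example.com"] [uri "/search"] [unique_id "constructed-0003"]
[Wed Mar 10 09:43:02.000000 2021] [:error] [pid 4243] [client 198.51.100.7:40030] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "920300"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.3.0"] [tag "paranoia-level/2"] [hostname "www.test.com"] [uri "/api/ping"] [unique_id "constructed-0004"]'

# Step 1 of the workflow: block at PL1 while executing PL2.
crs_pl_setup 1 2
# Step 2: see what PL2 would have scored, per rule, host and URI.
printf '%s\n' "$SAMPLE_LOG" | pl_hits 2
```

Run `pl_hits 2 < error.log` against a real log for a tuning period; once the PL2 hits are handled with exclusions, `crs_pl_setup 2 2` gives the next step.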
From: Ervin H. <ai...@gm...> - 2021-03-10 06:59:34
Hi,

please note, this is a CRS question, not ModSecurity.

There is a dedicated mailing list for the rule set:
https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project

On Wed, Mar 10, 2021 at 11:21:14AM +0530, Blason R wrote:
> Hi Team,
>
> I am really looking at everywhere but unable to find the exact information.
> I am struggling to find how do I increase Paranoia level gradually?
> I really don't see settings in configuration or might have overlooked? but
> can someone help me understanding the procedure?

take a look at your crs-setup.conf:
https://github.com/coreruleset/coreruleset/blob/v3.4/dev/crs-setup.conf.example#L176-L182

The default PL is 1:
https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-901-INITIALIZATION.conf#L100-L107

this means if user doesn't give any explicit value in the setup,
then this rule sets it to 1.

Just uncomment the lines in your setup, and set the necessary
value in rule 900000. Before that action, you can find a small
summary about paranoia levels.

hth,

a.
From: Blason R <bla...@gm...> - 2021-03-10 05:51:43
Hi Team,

I am really looking at everywhere but unable to find the exact information.
I am struggling to find how do I increase Paranoia level gradually?
I really don't see settings in configuration or might have overlooked? but can someone help me understanding the procedure?

TIA
Blason R
From: Blason R <bla...@gm...> - 2021-03-08 17:25:36
Thanks for the reply and heads up. Any clue for a log parsing tool apart from ELK? I am looking for multi-tenant facility.

On Mon, 8 Mar 2021, 17:01 Christian Varas via mod-security-users, <mod...@li...> wrote:
> Hi Blason,
>
> It's better if you separate everything as you mention; in that way you can
> configure by app: exclusions, rules, custom configuration, etc...
>
> If you are in a Debian distribution, you could use Waf2Py, which will do what
> you are looking for with an easy web interface
> https://github.com/ITSec-Chile/Waf2Py
>
> Cheers
> Chris
> --
>
> On Monday, Mar. 08, 2021 at 3:59 a.m., Blason R <bla...@gm...> wrote:
> Hi Folks,
>
> Here is my requirement and seeking any heads up from community -
>
> - I already have nginx server running for our multiple customers in reverse proxy mode
> - So Nginx reverse proxy is sending requests to customer web servers - lets say -
>   - Customer-1 exmaple.com -> web site example.com
>   - Customer-2 www.test.com -> www.test.com
>   - Customer3- acme.com -> www.acme.com
> - Now I am trying to integrate modsecurity with Nginx
> - So my question is - Do I need to create a separate config file for every customer location?
> - like /etc/nginx/modsec/example.com/main.conf
>   /etc/nginx/modsec/example.com/modsecurity.conf
>   /etc/nginx/modsec/example.com/coreruleset/rules/*.conf
>   /etc/nginx/modsec/example.com/coreruleset/cor-ruleset.conf
>   ##################
>   /etc/nginx/modsec/test.com/main.conf
>   /etc/nginx/modsec/test.com/modsecurity.conf
>   /etc/nginx/modsec/test.com/coreruleset/rules/*.conf
>   /etc/nginx/modsec/test.com/coreruleset/cor-ruleset.conf
>   ##################
>   /etc/nginx/modsec/acme.com/main.conf
>   /etc/nginx/modsec/acme.com/modsecurity.conf
>   /etc/nginx/modsec/acme.com/coreruleset/rules/*.conf
>   /etc/nginx/modsec/acme.com/coreruleset/cor-ruleset.conf
> - Is this correct method to manage rules/exceptions/blacklisting/whitelisting for multiple customers? Or is there any other alternative?
> - Plus logs should be separate for every customer which I am thinking to generate in json file
> - Please let me know if this is the correct option considering around 15-20 sites protected by nginx and customers.
>
> - SecAuditEngine RelevantOnly
> - SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> - SecAuditLogParts ABIJDEFHZ
> - SecAuditLogFormat JSON
> - SecAuditLog /var/log/modsec_audit.log
>
> TIA
> Blason R
From: Christian V. <cv...@it...> - 2021-03-08 11:28:59
Hi Blason,

It's better if you separate everything as you mention; in that way you can configure by app: exclusions, rules, custom configuration, etc...

If you are in a Debian distribution, you could use Waf2Py, which will do what you are looking for with an easy web interface
https://github.com/ITSec-Chile/Waf2Py

Cheers
Chris
--

> On Monday, Mar. 08, 2021 at 3:59 a.m., Blason R <bla...@gm...> wrote:
> Hi Folks,
>
> Here is my requirement and seeking any heads up from community -
> I already have nginx server running for our multiple customers in reverse proxy mode
> So Nginx reverse proxy is sending requests to customer web servers
> lets say -
>
> Customer-1 exmaple.com -> web site example.com
> Customer-2 www.test.com -> www.test.com
> Customer3- acme.com -> www.acme.com
>
> Now I am trying to integrate modsecurity with Nginx
> So my question is - Do I need to create a separate config file for every customer location?
> like /etc/nginx/modsec/example.com/main.conf
> /etc/nginx/modsec/example.com/modsecurity.conf
> /etc/nginx/modsec/example.com/coreruleset/rules/*.conf
> /etc/nginx/modsec/example.com/coreruleset/cor-ruleset.conf
> ##################
> /etc/nginx/modsec/test.com/main.conf
> /etc/nginx/modsec/test.com/modsecurity.conf
> /etc/nginx/modsec/test.com/coreruleset/rules/*.conf
> /etc/nginx/modsec/test.com/coreruleset/cor-ruleset.conf
> ##################
> /etc/nginx/modsec/acme.com/main.conf
> /etc/nginx/modsec/acme.com/modsecurity.conf
> /etc/nginx/modsec/acme.com/coreruleset/rules/*.conf
> /etc/nginx/modsec/acme.com/coreruleset/cor-ruleset.conf
> Is this correct method to manage rules/exceptions/blacklisting/whitelisting for multiple customers? Or is there any other alternative?
> Plus logs should be separate for every customer which I am thinking to generate in json file
>
> Please let me know if this is the correct option considering around 15-20 sites protected by nginx and customers.
>
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecAuditLogParts ABIJDEFHZ
> SecAuditLogFormat JSON
> SecAuditLog /var/log/modsec_audit.log
>
> TIA
> Blason R
From: Blason R <bla...@gm...> - 2021-03-08 06:59:28
Hi Folks,

Here is my requirement and seeking any heads up from community -

- I already have nginx server running for our multiple customers in reverse proxy mode
- So Nginx reverse proxy is sending requests to customer web servers - lets say -
  - Customer-1 exmaple.com -> web site example.com
  - Customer-2 www.test.com -> www.test.com
  - Customer3- acme.com -> www.acme.com
- Now I am trying to integrate modsecurity with Nginx
- So my question is - Do I need to create a separate config file for every customer location?
- like /etc/nginx/modsec/example.com/main.conf
  /etc/nginx/modsec/example.com/modsecurity.conf
  /etc/nginx/modsec/example.com/coreruleset/rules/*.conf
  /etc/nginx/modsec/example.com/coreruleset/cor-ruleset.conf
  ##################
  /etc/nginx/modsec/test.com/main.conf
  /etc/nginx/modsec/test.com/modsecurity.conf
  /etc/nginx/modsec/test.com/coreruleset/rules/*.conf
  /etc/nginx/modsec/test.com/coreruleset/cor-ruleset.conf
  ##################
  /etc/nginx/modsec/acme.com/main.conf
  /etc/nginx/modsec/acme.com/modsecurity.conf
  /etc/nginx/modsec/acme.com/coreruleset/rules/*.conf
  /etc/nginx/modsec/acme.com/coreruleset/cor-ruleset.conf
- Is this correct method to manage rules/exceptions/blacklisting/whitelisting for multiple customers? Or is there any other alternative?
- Plus logs should be separate for every customer which I am thinking to generate in json file
- Please let me know if this is the correct option considering around 15-20 sites protected by nginx and customers.

- SecAuditEngine RelevantOnly
- SecAuditLogRelevantStatus "^(?:5|4(?!04))"
- SecAuditLogParts ABIJDEFHZ
- SecAuditLogFormat JSON
- SecAuditLog /var/log/modsec_audit.log

TIA
Blason R
From: Christian F. <chr...@ne...> - 2021-03-05 19:20:08
Dear all,

The OWASP ModSecurity Core Rule Set (CRS) project is proud to announce its first Gold Sponsor: NGINX.

There are two blog posts covering this new partnership, one from CRS and one from NGINX:

* https://coreruleset.org/20210305/announcing-a-partnership-with-nginx/
* https://www.nginx.com/blog/nginx-announces-sponsorship-owasp-modsecurity-crs

And here are the tweets:

CRS: https://twitter.com/CoreRuleSet/status/1367841748060364801
NGINX: https://twitter.com/nginx/status/1367904152995717125

Retweets are really important here, since it gives this new collaboration more weight. (And it shows potential future sponsors this is a good thing. :)

So your help would be much appreciated.

Best regards,

Christian Folini, for the CRS team

--
We used to think that if we knew one, we knew two, because one and one are two. We are finding that we must learn a great deal more about 'and'.
-- Sir Arthur Eddington
From: Jason L. <hac...@ya...> - 2021-03-05 09:25:14
Thanks.
To see attacks, I must examine "wordpress_error.log" file?

On Friday, March 5, 2021, 12:52:05 PM GMT+3:30, Reindl Harald <h.r...@th...> wrote:

On 05.03.21 at 10:15, Jason Long via mod-security-users wrote:
> Hello,
> In my Virtual Host configuration, I added below line about WordPress website error log:
>
> ErrorLog /var/log/httpd/wordpress_error.log
>
> And its content is something like below:
> https://paste.ubuntu.com/p/6FqqnJVp8S/
>
> Is this file same as "modsec_audit.log" file?

no - why should it?

"ErrorLog" is the ordinary httpd logfile with or without modsec installed at all
From: Reindl H. <h.r...@th...> - 2021-03-05 09:19:17
On 05.03.21 at 10:15, Jason Long via mod-security-users wrote:
> Hello,
> In my Virtual Host configuration, I added below line about WordPress website error log:
>
> ErrorLog /var/log/httpd/wordpress_error.log
>
> And its content is something like below:
> https://paste.ubuntu.com/p/6FqqnJVp8S/
>
> Is this file same as "modsec_audit.log" file?

no - why should it?

"ErrorLog" is the ordinary httpd logfile with or without modsec installed at all
From: Jason L. <hac...@ya...> - 2021-03-05 09:16:07
Hello,
In my Virtual Host configuration, I added below line about WordPress website error log:

ErrorLog /var/log/httpd/wordpress_error.log

And its content is something like below:
https://paste.ubuntu.com/p/6FqqnJVp8S/

Is this file same as "modsec_audit.log" file?

Thank you.
From: Christian F. <chr...@ne...> - 2021-03-04 08:22:53
Hey Blason,

I have not seen anything yet, yet there is a bit of discussion in
https://github.com/coreruleset/coreruleset/issues/2025

Looking over different blog posts, I see more and more indicators / exploit information being shared, so we might be able to arrange something.

I'm a bit reluctant to attempt a partial solution since it will give people a false sense of security (and prevent them from patching). And given it's a very complex set of exploits, it's hard to conclude that we know enough to really prevent this. If ModSecurity can detect it at all.

Also: It would be neat, if Exchange would continue to work in standard use cases with any rules active. And that probably takes a fair bit of Exchange knowhow.

Best,

Christian

On Wed, Mar 03, 2021 at 08:40:34AM +0530, Blason R wrote:
> Hi Team,
>
> Just keen to know if any rules or signatures are available for
> CVE-2021-26855
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>
From: Ervin H. <ai...@gm...> - 2021-03-04 07:03:21
hi,

On Thu, Mar 04, 2021 at 08:16:57AM +0530, Blason R wrote:
> That's nice to hear and great effort

thanks :)

a.
From: Blason R <bla...@gm...> - 2021-03-04 02:47:24
That's nice to hear and great effort

On Wed, Mar 3, 2021 at 5:15 PM Ervin Hegedüs <ai...@gm...> wrote:
> Dear ModSecurity users,
>
> We are pleased to announce our ModSecurity repository for Linux distributions.
>
> Currently we provide the packages for Debian (main target) and Ubuntu systems, only for AMD64 architecture, but for the last two stable releases (in case of Ubuntu the last two LTS releases).
>
> Any feedback is welcome - see the landing page.
>
> https://modsecurity.digitalwave.hu
>
> Regards,
>
> a.
From: Jason L. <hac...@ya...> - 2021-03-03 11:53:42
Hello,

I added below lines to "/etc/httpd/conf.d/mod_security.conf" file:

IncludeOptional modsecurity.d/owasp-modsecurity-crs/*.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

And when I restarted my Apache then I got an error:

AH00526: Syntax error on line 829 of /etc/httpd/modsecurity.d/owasp-modsecur...

And line 829 of that file is:

SecAction \
 "id:900990,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_setup_version=330"    ==> Line 829

How to solve it?

On Wednesday, March 3, 2021, 12:52:27 AM GMT+3:30, Jason Long via mod-security-users <mod...@li...> wrote:

Hi Ervin,
Thank you again.
I created a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d" directory, then downloaded OWASP ModSecurity Rules from "https://coreruleset.org/installation/" and extracted it in the "owasp-modsecurity-crs" directory.
I renamed "crs-setup.conf.example" file to "crs-setup.conf". In the "rules" directory, I renamed below files too:

# mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

I have other questions:

1- I must add below lines to the "/etc/httpd/conf.d/mod_security.conf" file:

IncludeOptional modsecurity.d/owasp-modsecurity-crs/*.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

?

2- I must not add anything to "httpd.conf" file to enable ModSecurity?

On Tuesday, March 2, 2021, 11:50:25 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:

Hi Jason,

On Tue, Mar 02, 2021 at 06:55:51PM +0000, Jason Long wrote:
> I found two files:
>
> 1- /etc/httpd/conf.modules.d/10-mod_security.conf
> 2- /etc/httpd/conf.d/mod_security.conf
>
> The content of the first file is :
>
> $ cat /etc/httpd/conf.modules.d/10-mod_security.conf
> LoadModule security2_module modules/mod_security2.so
>
> <IfModule !mod_unique_id.c>
> LoadModule unique_id_module modules/mod_unique_id.so
> </IfModule>
>
> And the content of the second file is :
> https://paste.ubuntu.com/p/Rtz6jRrwzT/
>
> I don't know the difference between the two files :(

I assume these directories came from default installation, which means the Apache had been set up to read the necessary modules from the directory /etc/httpd/conf.modules.d/, and the configuration files from /etc/httpd/conf.d/. There must be two directives which read these directories, eg:

IncludeOptional /etc/httpd/conf.modules.d/*.conf
IncludeOptional /etc/httpd/conf.d/*.conf

or something similar...

/etc/httpd/conf.modules.d/10-mod_security.conf - this file loads the mod_security Apache module. By this Apache will be able to work as a WAF.

/etc/httpd/conf.d/mod_security.conf - this file is a configuration file, in other words, this file sets up the mod_security module, tells the module how it should work. The first 49 lines contain the general settings - for more info, please check this page:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)

Take a look at these lines:

52. IncludeOptional modsecurity.d/*.conf
53. IncludeOptional modsecurity.d/activated_rules/*.conf
54. IncludeOptional modsecurity.d/local_rules/*.conf

These lines load the rule set. On the last link I gave you can find so much useful information about rules.

The Apache IncludeOptional directive tells Apache to read the directory with the given name and load the files whose names match the given pattern (*.conf) - if there isn't any file named *.conf, it's no problem.

I think the parent modsecurity.d/ directory above should be under /etc/httpd, or /etc/httpd/conf.d/ - just try it. If Apache doesn't find the files, you will see it in the error.log.

The order of loading of files is very important. You have to copy the CRS rules/ directory content into the activated_rules/ directory. I think the crs-setup.conf must be copied under modsecurity.d/ directly. The local_rules/ can be empty.

Because the SecRuleEngine is On in your setup (10-mod_security.conf), and audit.log has been configured, you should see any attack in that log, and in your error.log.

Hope this helps.

a.
From: Ervin H. <ai...@gm...> - 2021-03-03 11:41:48
Dear ModSecurity users,

We are pleased to announce our ModSecurity repository for Linux distributions.

Currently we provide the packages for Debian (main target) and Ubuntu systems, only for AMD64 architecture, but for the last two stable releases (in case of Ubuntu the last two LTS releases).

Any feedback is welcome - see the landing page.

https://modsecurity.digitalwave.hu

Regards,

a.
From: Blason R <bla...@gm...> - 2021-03-03 03:10:57
Hi Team,

Just keen to know if any rules or signatures are available for CVE-2021-26855
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>
From: Jason L. <hac...@ya...> - 2021-03-02 21:19:21
Hi Ervin,
Thank you again.
I created a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d" directory, then downloaded OWASP ModSecurity Rules from "https://coreruleset.org/installation/" and extracted it in the "owasp-modsecurity-crs" directory.
I renamed "crs-setup.conf.example" file to "crs-setup.conf". In the "rules" directory, I renamed below files too:

# mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

I have other questions:

1- I must add below lines to the "/etc/httpd/conf.d/mod_security.conf" file:

IncludeOptional modsecurity.d/owasp-modsecurity-crs/*.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

?

2- I must not add anything to "httpd.conf" file to enable ModSecurity?

On Tuesday, March 2, 2021, 11:50:25 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:

Hi Jason,

On Tue, Mar 02, 2021 at 06:55:51PM +0000, Jason Long wrote:
> I found two files:
>
> 1- /etc/httpd/conf.modules.d/10-mod_security.conf
> 2- /etc/httpd/conf.d/mod_security.conf
>
> The content of the first file is :
>
> $ cat /etc/httpd/conf.modules.d/10-mod_security.conf
> LoadModule security2_module modules/mod_security2.so
>
> <IfModule !mod_unique_id.c>
> LoadModule unique_id_module modules/mod_unique_id.so
> </IfModule>
>
> And the content of the second file is :
> https://paste.ubuntu.com/p/Rtz6jRrwzT/
>
> I don't know the difference between the two files :(

I assume these directories came from default installation, which means the Apache had been set up to read the necessary modules from the directory /etc/httpd/conf.modules.d/, and the configuration files from /etc/httpd/conf.d/. There must be two directives which read these directories, eg:

IncludeOptional /etc/httpd/conf.modules.d/*.conf
IncludeOptional /etc/httpd/conf.d/*.conf

or something similar...

/etc/httpd/conf.modules.d/10-mod_security.conf - this file loads the mod_security Apache module. By this Apache will be able to work as a WAF.

/etc/httpd/conf.d/mod_security.conf - this file is a configuration file, in other words, this file sets up the mod_security module, tells the module how it should work. The first 49 lines contain the general settings - for more info, please check this page:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)

Take a look at these lines:

52. IncludeOptional modsecurity.d/*.conf
53. IncludeOptional modsecurity.d/activated_rules/*.conf
54. IncludeOptional modsecurity.d/local_rules/*.conf

These lines load the rule set. On the last link I gave you can find so much useful information about rules.

The Apache IncludeOptional directive tells Apache to read the directory with the given name and load the files whose names match the given pattern (*.conf) - if there isn't any file named *.conf, it's no problem.

I think the parent modsecurity.d/ directory above should be under /etc/httpd, or /etc/httpd/conf.d/ - just try it. If Apache doesn't find the files, you will see it in the error.log.

The order of loading of files is very important. You have to copy the CRS rules/ directory content into the activated_rules/ directory. I think the crs-setup.conf must be copied under modsecurity.d/ directly. The local_rules/ can be empty.

Because the SecRuleEngine is On in your setup (10-mod_security.conf), and audit.log has been configured, you should see any attack in that log, and in your error.log.

Hope this helps.

a.
From: Williams, D. A. <dav...@US...> - 2021-03-02 20:22:12
I'm not claiming this is right... (And I apologize for editing the included email chain, Outlook likes to rebuild links in ways I don't like.)
I installed via yum these two packages: mod_security-2.9.2-1.el7.x86_64 and mod_security_crs-2.2.9-1.el7.noarch. I recognize that's an older version, but I expect the configuration files may be similar. That gave me /etc/httpd/conf.d/mod_security.conf: the entry point to the configuration; I can't include the full file, but in my case these are some key lines to set up engine. The first two lines tell it about the other directories for further configuration:
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
I also have some global tuning in that file (again, not saying that's "right"), like several:
SecRuleRemoveById XXXXs
/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf is the base rule for the core rule set (I believe). The mod sec engine needs rules to enforce; CRS is a good starting point. With that base CRS configuration in place, the files in /etc/httpd/modsecurity.d/activated_rules are the real meat of the rules to enforce with some brief file names to outline the sorts of things they look for and protect against, like protocol_anomalies.conf or bad_robots.conf.
I hope that bit of my experience will help.
-David
-----Original Message-----
From: Jason Long via mod-security-users <mod...@li...>
Sent: Tuesday, March 2, 2021 1:56 PM
To: Ervin Hegedüs <ai...@gm...>
Cc: Jason Long <hac...@ya...>; Jason Long via mod-security-users <mod...@li...>
Subject: Re: [mod-security-users] How to configure ModSecurity on CentOS 8?
Hi Ervin,
Thank you so much.
I found two files:
1- /etc/httpd/conf.modules.d/10-mod_security.conf
2- /etc/httpd/conf.d/mod_security.conf
The content of the first file is :
$ cat /etc/httpd/conf.modules.d/10-mod_security.conf
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
And the content of the second file is :
....
I don't know the difference between the two files :(
Nobody here using CentOS?
On Tuesday, March 2, 2021, 01:18:13 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:
Hi Jason,
On Tue, Mar 02, 2021 at 09:13:30AM +0000, Jason Long wrote:
> Hi Ervin,Thank you so much for your reply.I ... and I have other questions:
> 1- At ... I read "Download our release from ... and unpack it into a new owasp-modsecurity-crs folder". Thus, I must create a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d/" directory?
that's your decision. You can unpack them where you want: into a
new (sub) directory, or you can overwrite the existing rules.
> 2- In the "httpd.conf" file, you can add some configuration lines and as ... said, it is :
> <IfModule security2_module>
> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
> Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
> </IfModule>
(sorry for the side-note, others already wrote you please stop
the HTML e-mails)
> But, it just for Debian? The "httpd.conf/apache2.conf" file is for Debian.
No. Debian uses /etc/apache2 directory to store the configuration
files.
> How about CentOS? Should I add above lines to "/etc/httpd/conf/httpd.conf" file?
You need to find where CentOS stores the configuration files
which load the modules. I have a few RH instances; they store
these files under /etc/httpd/conf.modules.d, eg:
# cat /etc/httpd/conf.modules.d/01-cgi.conf
# This configuration file loads a CGI module appropriate to the MPM
# which has been configured in 00-mpm.conf. mod_cgid should be used
# with a threaded MPM; mod_cgi with the prefork MPM.
<IfModule mpm_worker_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_event_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
LoadModule cgi_module modules/mod_cgi.so
</IfModule>
You should read the CentOS Apache documentation.
> 3- You said "Also I think local_rules contains the whole rule set", but in the "local_rules" directory, I just have one "modsecurity_localrules.conf" with below contents:
> # User defined rules and settings.
> #
> # You can use this file/directory to drop your local rules or
> # to remove some rules provided by mod_security_crs package with SecRuleRemoveById
> #
> # You can also disable mod_security for some incompatible web applications (eg. phpMyAdmin).
> #
> Is it normal?
may be - as I wrote, I don't know CentOS.
a.
_______________________________________________
mod-security-users mailing list
mod...@li...
...
From: Ervin H. <ai...@gm...> - 2021-03-02 20:14:06
Hi Jason,
On Tue, Mar 02, 2021 at 06:55:51PM +0000, Jason Long wrote:
> I found two files:
>
> 1- /etc/httpd/conf.modules.d/10-mod_security.conf
> 2- /etc/httpd/conf.d/mod_security.conf
>
> The content of the first file is :
>
> $ cat /etc/httpd/conf.modules.d/10-mod_security.conf
> LoadModule security2_module modules/mod_security2.so
>
> <IfModule !mod_unique_id.c>
> LoadModule unique_id_module modules/mod_unique_id.so
> </IfModule>
>
> And the content of the second file is :
> https://paste.ubuntu.com/p/Rtz6jRrwzT/
>
> I don't know the difference between the two files :(
I assume these directories came from the default installation, which means Apache has been set up to read the necessary modules from the directory /etc/httpd/conf.modules.d/, and the configuration files from /etc/httpd/conf.d/. There must be two directives which read these directories, eg:
IncludeOptional /etc/httpd/conf.modules.d/*.conf
IncludeOptional /etc/httpd/conf.d/*.conf
or something similar...
/etc/httpd/conf.modules.d/10-mod_security.conf - this file loads the mod_security Apache module. By this Apache will be able to work as a WAF.
/etc/httpd/conf.d/mod_security.conf - this file is a configuration file, in other words, this file sets up the mod_security module, tells the module how it should work. The first 49 lines contain the general settings - for more info, please check this page:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)
Take a look at these lines:
52. IncludeOptional modsecurity.d/*.conf
53. IncludeOptional modsecurity.d/activated_rules/*.conf
54. IncludeOptional modsecurity.d/local_rules/*.conf
These lines load the rule set. On the last link I gave you can find so much useful information about rules.
The Apache IncludeOptional directive tells Apache to read the directory with that name and load the files whose name matches the given pattern (*.conf) - if there isn't any file named *.conf, it's no problem.
I think the parent modsecurity.d/ directory above should be under /etc/httpd, or /etc/httpd/conf.d/ - just try it. If Apache doesn't find the files, you will see it in the error.log.
The order of loading of files is very important. You have to copy the CRS rules/ directory content into the activated_rules/ directory. I think the crs-setup.conf must be copied under modsecurity.d/ directly. The local_rules/ can be empty.
Because the SecRuleEngine is On in your setup (10-mod_security.conf), and audit.log is configured, you have to see any attack in that log, and in your error.log.
Hope this helps.
a.
From: Jason L. <hac...@ya...> - 2021-03-02 18:56:02
Hi Ervin,
Thank you so much.
I found two files:
1- /etc/httpd/conf.modules.d/10-mod_security.conf
2- /etc/httpd/conf.d/mod_security.conf
The content of the first file is :
$ cat /etc/httpd/conf.modules.d/10-mod_security.conf
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
And the content of the second file is :
https://paste.ubuntu.com/p/Rtz6jRrwzT/
I don't know the difference between the two files :(
Nobody here using CentOS?
On Tuesday, March 2, 2021, 01:18:13 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:
Hi Jason,
On Tue, Mar 02, 2021 at 09:13:30AM +0000, Jason Long wrote:
> Hi Ervin,
> Thank you so much for your reply.
> I read "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" and I have other questions:
> 1- At "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" I read "Download our release from https://coreruleset.org/installation/ and unpack it into a new owasp-modsecurity-crs folder". Thus, I must create a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d/" directory?
that's your decision. You can unpack them where you want: into a new (sub) directory, or you can overwrite the existing rules.
> 2- In the "httpd.conf" file, you can add some configuration lines and as "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" said, it is :
> <IfModule security2_module>
> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
> Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
> </IfModule>
(sorry for the side-note, others already wrote you please stop the HTML e-mails)
> But, is it just for Debian? The "httpd.conf/apache2.conf" file is for Debian.
No. Debian uses the /etc/apache2 directory to store the configuration files.
> How about CentOS? Should I add the above lines to the "/etc/httpd/conf/httpd.conf" file?
You need to find where CentOS stores the configuration files which load the modules. I have a few RH instances; they store these files under /etc/httpd/conf.modules.d, eg:
# cat /etc/httpd/conf.modules.d/01-cgi.conf
# This configuration file loads a CGI module appropriate to the MPM
# which has been configured in 00-mpm.conf. mod_cgid should be used
# with a threaded MPM; mod_cgi with the prefork MPM.
<IfModule mpm_worker_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_event_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
LoadModule cgi_module modules/mod_cgi.so
</IfModule>
You should read the CentOS Apache documentation.
> 3- You said "Also I think local_rules contains the whole rule set", but in the "local_rules" directory, I just have one "modsecurity_localrules.conf" with below contents:
> # User defined rules and settings.
> #
> # You can use this file/directory to drop your local rules or
> # to remove some rules provided by mod_security_crs package with SecRuleRemoveById
> #
> # You can also disable mod_security for some incompatible web applications (eg. phpMyAdmin).
> #
> Is it normal?
maybe - as I wrote, I don't know CentOS.
a.
From: Ervin H. <ai...@gm...> - 2021-03-02 09:48:29
Hi Jason,
On Tue, Mar 02, 2021 at 09:13:30AM +0000, Jason Long wrote:
> Hi Ervin,
> Thank you so much for your reply.
> I read "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" and I have other questions:
> 1- At "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" I read "Download our release from https://coreruleset.org/installation/ and unpack it into a new owasp-modsecurity-crs folder". Thus, I must create a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d/" directory?
that's your decision. You can unpack them where you want: into a new (sub) directory, or you can overwrite the existing rules.
> 2- In the "httpd.conf" file, you can add some configuration lines and as "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" said, it is :
> <IfModule security2_module>
> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
> Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
> </IfModule>
(sorry for the side-note, others already wrote you please stop the HTML e-mails)
> But, is it just for Debian? The "httpd.conf/apache2.conf" file is for Debian.
No. Debian uses the /etc/apache2 directory to store the configuration files.
> How about CentOS? Should I add the above lines to the "/etc/httpd/conf/httpd.conf" file?
You need to find where CentOS stores the configuration files which load the modules. I have a few RH instances; they store these files under /etc/httpd/conf.modules.d, eg:
# cat /etc/httpd/conf.modules.d/01-cgi.conf
# This configuration file loads a CGI module appropriate to the MPM
# which has been configured in 00-mpm.conf. mod_cgid should be used
# with a threaded MPM; mod_cgi with the prefork MPM.
<IfModule mpm_worker_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_event_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
LoadModule cgi_module modules/mod_cgi.so
</IfModule>
You should read the CentOS Apache documentation.
> 3- You said "Also I think local_rules contains the whole rule set", but in the "local_rules" directory, I just have one "modsecurity_localrules.conf" with below contents:
> # User defined rules and settings.
> #
> # You can use this file/directory to drop your local rules or
> # to remove some rules provided by mod_security_crs package with SecRuleRemoveById
> #
> # You can also disable mod_security for some incompatible web applications (eg. phpMyAdmin).
> #
> Is it normal?
maybe - as I wrote, I don't know CentOS.
a.
From: Jason L. <hac...@ya...> - 2021-03-02 09:14:18
Hi Ervin,
Thank you so much for your reply.
I read "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" and I have other questions:
1- At "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" I read "Download our release from https://coreruleset.org/installation/ and unpack it into a new owasp-modsecurity-crs folder". Thus, I must create a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d/" directory?
2- In the "httpd.conf" file, you can add some configuration lines and as "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" said, it is :
<IfModule security2_module>
Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>
But, is it just for Debian? The "httpd.conf/apache2.conf" file is for Debian. How about CentOS? Should I add the above lines to the "/etc/httpd/conf/httpd.conf" file?
3- You said "Also I think local_rules contains the whole rule set", but in the "local_rules" directory, I just have one "modsecurity_localrules.conf" with below contents:
# User defined rules and settings.
#
# You can use this file/directory to drop your local rules or
# to remove some rules provided by mod_security_crs package with SecRuleRemoveById
#
# You can also disable mod_security for some incompatible web applications (eg. phpMyAdmin).
#
Is it normal?
On Monday, March 1, 2021, 12:55:51 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:
hi Jason,
On Sat, Feb 27, 2021 at 09:52:58AM +0000, Jason Long wrote:
> Hi Ervin,
> Thank you so much for your help.
> My problem was that I forgot to install "mod_security_crs" package. After it, I have a "modsecurity.d" directory in the "/etc/httpd" directory.
> I changed "SecRuleEngine DetectionOnly" to "SecRuleEngine On" and restarted my Apache. I have some questions:
> 1- In the "modsecurity.d" directory, I have below directories:
> activated_rules crs-setup.conf local_rules
>
> Which directory is OK for the OWASP ModSecurity Rules?
I assume that crs-setup.conf is a regular file, not a directory. Also I think local_rules contains the whole rule set, and activated_rules contains symlinks to the rule files in local_rules. You have to decide what rules you need.
crs-setup.conf is a configuration file for CRS - you can set up the CRS variables, eg. paranoia level, and many other things. Please check this file:
https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL
> 2- Any header must be enabled in the "httpd.conf" file?
Sorry, what do you mean exactly? Which header? I don't know CentOS, but I assume in httpd.conf you have to enable the security module.
> 3- I scanned my website with "Sucuri Security", but it can't detect any Website Firewall. Why?
I have no idea - maybe you should ask Sucuri... (Note, I also checked one of my servers, which *RUNS* ModSecurity, and I got the same result...)
> 4- Why ModSecurity does not allow uploading files to the website? Which log file must be examined?
you should check the Apache error.log, and if the audit.log is enabled that file too.
a.
From: Ervin H. <ai...@gm...> - 2021-03-01 09:26:13
hi Jason,
On Sat, Feb 27, 2021 at 09:52:58AM +0000, Jason Long wrote:
> Hi Ervin,
> Thank you so much for your help.
> My problem was that I forgot to install "mod_security_crs" package. After it, I have a "modsecurity.d" directory in the "/etc/httpd" directory.
> I changed "SecRuleEngine DetectionOnly" to "SecRuleEngine On" and restarted my Apache. I have some questions:
> 1- In the "modsecurity.d" directory, I have below directories:
> activated_rules crs-setup.conf local_rules
>
> Which directory is OK for the OWASP ModSecurity Rules?
I assume that crs-setup.conf is a regular file, not a directory. Also I think local_rules contains the whole rule set, and activated_rules contains symlinks to the rule files in local_rules. You have to decide what rules you need.
crs-setup.conf is a configuration file for CRS - you can set up the CRS variables, eg. paranoia level, and many other things. Please check this file:
https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL
> 2- Any header must be enabled in the "httpd.conf" file?
Sorry, what do you mean exactly? Which header? I don't know CentOS, but I assume in httpd.conf you have to enable the security module.
> 3- I scanned my website with "Sucuri Security", but it can't detect any Website Firewall. Why?
I have no idea - maybe you should ask Sucuri... (Note, I also checked one of my servers, which *RUNS* ModSecurity, and I got the same result...)
> 4- Why ModSecurity does not allow uploading files to the website? Which log file must be examined?
you should check the Apache error.log, and if the audit.log is enabled that file too.
a.
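Ervin's answer to question 4 is to read error.log (and audit.log, if enabled), and David's message earlier on this page tunes rules with SecRuleRemoveById once the offending rule is known. The Python below is an added example, not code from this thread, from ModSecurity or from CRS: it parses the entries mod_security2 writes to Apache's error.log, groups them per request via the unique_id that mod_unique_id assigns, and works out which rule ids actually led to a deny (for instance a rejected upload) so a narrow exclusion can go in modsecurity.d/local_rules/. The log lines, client addresses, paths and unique_id values are constructed, and local rule id 10001 is an illustrative choice.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format mod_security2 writes to Apache's
# error.log; rule ids, paths, addresses and unique_id values are illustrative.
SAMPLE_LOG = r"""
[Tue Mar 02 20:09:00.000000 2021] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue Mar 02 20:10:01.123000 2021] [:error] [pid 1234] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i)\.(?:php|sh)$" at FILES:userfile. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "120"] [id "920440"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/upload.php"] [unique_id "YD6aAbc123"]
[Tue Mar 02 20:10:01.124000 2021] [:error] [pid 1234] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/upload.php"] [unique_id "YD6aAbc123"]
[Tue Mar 02 20:11:45.000001 2021] [:error] [pid 1235] [client 198.51.100.7] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "40"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "YD6aDef456"]
[Tue Mar 02 20:11:45.000002 2021] [:error] [pid 1235] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "YD6aDef456"]
"""

# Event text up to the first [file "..."] tag; the bracketed tags follow it.
EVENT_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?:Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)|Warning)\. '
    r'(?P<detail>.*?)(?= \[file ")'
)
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>[^"]*)"\]')

def parse_line(line):
    """Fields of one ModSecurity error.log entry, or None for any other line."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    tags = dict(TAG_RE.findall(line[m.end():]))  # file, line, id, msg, uri, ...
    return {
        "blocked": m.group("code") is not None,  # "Access denied" vs "Warning"
        "phase": int(m.group("phase")) if m.group("phase") else None,
        "id": tags.get("id"),
        "msg": tags.get("msg"),
        "uri": tags.get("uri"),
        "unique_id": tags.get("unique_id"),  # set by mod_unique_id, one per request
    }

def summarize(log_text):
    """Hits per rule id, plus every entry of each denied request keyed by its
    unique_id, so the Warning lines that led to the deny stay together."""
    per_rule = Counter()
    by_request = defaultdict(list)
    denied = set()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["id"] is None:
            continue
        per_rule[entry["id"]] += 1
        by_request[entry["unique_id"]].append(entry)
        if entry["blocked"]:
            denied.add(entry["unique_id"])
    return per_rule, {uid: by_request[uid] for uid in sorted(denied)}

def tuning_candidates(request_entries):
    """Rule ids that matched on a denied request without issuing the deny.
    With CRS anomaly scoring the deny comes from the blocking-evaluation rule;
    the Warning entries sharing its unique_id name the rules that scored."""
    return sorted({e["id"] for e in request_entries if not e["blocked"]})

def exclusion_rule(uri_prefix, rule_ids, local_id=10001):
    """Render a per-path exclusion for modsecurity.d/local_rules/ (narrower than
    a global SecRuleRemoveById); local_id 10001 is an illustrative local id."""
    ctls = ",".join(f"ctl:ruleRemoveById={rid}" for rid in rule_ids)
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
            f'"id:{local_id},phase:1,pass,nolog,{ctls}"')
```

Run `summarize(open("/var/log/httpd/error_log").read())` on a real log and feed each denied request to `tuning_candidates` before deciding whether the match was a false positive worth excluding or a genuine attack to keep blocking.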
From: Jason L. <hac...@ya...> - 2021-02-27 09:53:12
Hi Ervin,
Thank you so much for your help.
My problem was that I forgot to install "mod_security_crs" package. After it, I have a "modsecurity.d" directory in the "/etc/httpd" directory.
I changed "SecRuleEngine DetectionOnly" to "SecRuleEngine On" and restarted my Apache. I have some questions:
1- In the "modsecurity.d" directory, I have below directories:
activated_rules crs-setup.conf local_rules
Which directory is OK for the OWASP ModSecurity Rules?
2- Any header must be enabled in the "httpd.conf" file?
3- I scanned my website with "Sucuri Security", but it can't detect any Website Firewall. Why?
4- Why ModSecurity does not allow uploading files to the website? Which log file must be examined?
Thank you.
On Friday, February 19, 2021, 10:41:36 AM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:
Hi Jason,
On Fri, Feb 19, 2021 at 06:10:16AM +0000, Jason Long via mod-security-users wrote:
> Hello,
> I'm using CentOS 8 x86_64 and I want to configure ModSecurity for Apache. I looked at "https://phoenixnap.com/kb/setup-configure-modsecurity-on-apache" tutorial, but I can't find any "/etc/modsecurity" directory!!!
> I used below find command to find that directory:
> # find / -name modsecurity -print
> But no result.
> Is "/etc/modsecurity" directory replaced by "/etc/httpd/conf.d/mod_security.conf" and "/etc/httpd/conf.modules.d/10-mod_security.conf" ?
I think you should install modsecurity-crs package:
https://git.centos.org/rpms/mod_security_crs/tree/c8
or download the latest stable version:
https://github.com/coreruleset/coreruleset/releases/tag/v3.3.0
Note, in this case the "/etc/modsecurity" directory is not needed,
you can make your structure as you want.
Hope this helps,
a.