Thread: [mod-security-users] How to configure ModSecurity on CentOS 8?
From: Jason L. <hac...@ya...> - 2021-02-19 06:10:30

Hello,
I'm using CentOS 8 x86_64 and I want to configure ModSecurity for Apache. I looked at "https://phoenixnap.com/kb/setup-configure-modsecurity-on-apache" tutorial, but I can't find any "/etc/modsecurity" directory!!!
I used below find command to find that directory:

# find / -name modsecurity -print

But no result.

Is "/etc/modsecurity" directory replaced by "/etc/httpd/conf.d/mod_security.conf" and "/etc/httpd/conf.modules.d/10-mod_security.conf" ?

Thank you.

From: Reindl H. <h.r...@th...> - 2021-02-19 07:08:07

On 19.02.21 at 07:10, Jason Long via mod-security-users wrote:
> Hello,
> I'm using CentOS 8 x86_64 and I want to configure ModSecurity for
> Apache. I looked at
> "https://phoenixnap.com/kb/setup-configure-modsecurity-on-apache"
> tutorial, but I can't find any "/etc/modsecurity" directory!!!
> I used below find command to find that directory:
>
> # find / -name modsecurity -print
>
> But no result.
>
> Is "/etc/modsecurity" directory replaced by
> "/etc/httpd/conf.d/mod_security.conf" and
> "/etc/httpd/conf.modules.d/10-mod_security.conf" ?

besides that's that highly packaging dependent you don't even say which
version of modsec you are using and from where the package comes

my private packages of modsec2 as example expecting their rules in
/etc/httpd/modsecurity.d/

BTW: CentOS8 is dying!

From: Ervin H. <ai...@gm...> - 2021-02-19 07:11:51

Hi Jason,

On Fri, Feb 19, 2021 at 06:10:16AM +0000, Jason Long via mod-security-users wrote:
> Hello, I'm using CentOS 8 x86_64 and I want to configure ModSecurity for Apache. I looked at "https://phoenixnap.com/kb/setup-configure-modsecurity-on-apache" tutorial, but I can't find any "/etc/modsecurity" directory!!! I used below find command to find that directory:
> # find / -name modsecurity -print
> But no result.
> Is "/etc/modsecurity" directory replaced by "/etc/httpd/conf.d/mod_security.conf" and "/etc/httpd/conf.modules.d/10-mod_security.conf" ?

I think you should install modsecurity-crs package:

https://git.centos.org/rpms/mod_security_crs/tree/c8

or download the latest stable version:

https://github.com/coreruleset/coreruleset/releases/tag/v3.3.0

Note, in this case the "/etc/modsecurity" directory is not needed, you can make your structure as you want.

Hope this helps,

a.

From: Jason L. <hac...@ya...> - 2021-02-19 11:54:14

Thank you.
I did:

# yum install mod_security
Last metadata expiration check: 1:10:47 ago on Thu 18 Feb 2021 05:21:45 PM +0330.
Package mod_security-2.9.2-8.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

As you see, it installed mod_security-2.9.2. My main problem is how to configure it!
The URL that I sent is a little old tutorial.

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
From: Jason L. <hac...@ya...> - 2021-02-21 15:11:34

Hello,
Any tutorial about configuring it?

From: Ervin H. <ai...@gm...> - 2021-02-21 15:47:09

On Sun, Feb 21, 2021 at 03:11:17PM +0000, Jason Long via mod-security-users wrote:
> Hello, Any tutorial about configuring it?

https://coreruleset.org/installation/

https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/

Not CentOS 8 specific, but hope this helps.

a.

From: Jason L. <hac...@ya...> - 2021-02-21 19:28:40

Thank you so much for your answer.
I installed ModSecurity as below:

# yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel
# cd /opt/
# git clone https://github.com/SpiderLabs/ModSecurity
# cd ModSecurity
# git checkout -b v3/master origin/v3/master
# sh build.sh
# git submodule init
# git submodule update
# ./configure
# yum install https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/23/x86_64/b/bison-3.0.4-3.fc23.x86_64.rpm
# make
# make install

But I can't see any "mod_security.conf" file in "httpd" directory! Why?

On Sunday, February 21, 2021, 07:16:54 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:

On Sun, Feb 21, 2021 at 03:11:17PM +0000, Jason Long via mod-security-users wrote:
> Hello, Any tutorial about configuring it?

https://coreruleset.org/installation/

https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/

Not a CentOS 8 specific, but hope this helps.

a.

From: Ervin H. <ai...@gm...> - 2021-02-22 07:41:52

Hi Jason,

On Sun, Feb 21, 2021 at 07:28:21PM +0000, Jason Long wrote:
> Thank you so much for your answer. I installed ModSecurity as below:
> # yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel
> # cd /opt/
> # git clone https://github.com/SpiderLabs/ModSecurity
> # cd ModSecurity
> # git checkout -b v3/master origin/v3/master
> # sh build.sh
> # git submodule init
> # git submodule update
> # ./configure
> # yum install https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/23/x86_64/b/bison-3.0.4-3.fc23.x86_64.rpm
> # make
> # make install

in your first mail you wrote:

> I'm using CentOS 8 x86_64 and I want to configure ModSecurity
> for Apache. I looked at
> "https://phoenixnap.com/kb/setup-configure-modsecurity-on-apache"
> tutorial

and that tutorial suggests installing the "mod_security" package:

`sudo yum install mod_security`

Therefore I don't see the reason why you installed these development tools and why you installed ModSecurity v3...

> But I can't see any "mod_security.conf" file in "httpd" directory! Why?

I don't have any CentOS (ANY) system, just downloaded the package from here:

http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/mod_security-2.9.2-8.el8.x86_64.rpm

and found mod_security.conf with name '/etc/httpd/conf.d/mod_security.conf'.

a.

From: Reindl H. <h.r...@th...> - 2021-02-22 12:04:06

On 21.02.21 at 20:28, Jason Long via mod-security-users wrote:
> Thank you so much for your answer.
> I installed ModSecurity as below:
>
> # yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl
> GeoIP-devel doxygen zlib-devel pcre-devel
> # cd /opt/
> # git clone https://github.com/SpiderLabs/ModSecurity
> # cd ModSecurity
> # git checkout -b v3/master origin/v3/master
> # sh build.sh
> # git submodule init
> # git submodule update
> # ./configure
> # yum install
> https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/23/x86_64/b/bison-3.0.4-3.fc23.x86_64.rpm
> # make
> # make install

what the hell are you doing?
compiling stuff?
mixing Fedora and CentOS packaging?

> But I can't see any "mod_security.conf" file in "httpd" directory!
> Why?

what about install modsec and the core ruleset from *packages* (EPEL if
needed) and look tighter with "ls -lhaR /etc/httpd/"?

yum install mod_security mod_security_crs

it's in /etc/httpd/conf.d

[harry@srv-rhsoft:/downloads]$ rpm -q --filesbypkg mod_security-2.9.3-9.eln109.x86_64.rpm
mod_security /etc/httpd/conf.d/mod_security.conf
mod_security /etc/httpd/conf.modules.d/10-mod_security.conf
mod_security /etc/httpd/modsecurity.d
mod_security /etc/httpd/modsecurity.d/activated_rules
mod_security /etc/httpd/modsecurity.d/local_rules
mod_security /etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf
mod_security /usr/lib/.build-id
mod_security /usr/lib/.build-id/c0
mod_security /usr/lib/.build-id/c0/9fe3397f1beb60cd30f4fa5a3ac1a24f2c93df
mod_security /usr/lib64/httpd/modules/mod_security2.so
mod_security /usr/share/doc/mod_security
mod_security /usr/share/doc/mod_security/CHANGES
mod_security /usr/share/doc/mod_security/LICENSE
mod_security /usr/share/doc/mod_security/NOTICE
mod_security /usr/share/doc/mod_security/README.md
mod_security /var/lib/mod_security

[harry@srv-rhsoft:/downloads]$ rpm -q --filesbypkg mod_security_crs-3.0.0-12.eln109.noarch.rpm
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-905-COMMON-EXCEPTIONS.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-910-IP-REPUTATION.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-911-METHOD-ENFORCEMENT.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-912-DOS-PROTECTION.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-913-SCANNER-DETECTION.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-921-PROTOCOL-ATTACK.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-950-DATA-LEAKAGES.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-959-BLOCKING-EVALUATION.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/crawlers-user-agents.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/iis-errors.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/java-code-leakages.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/java-errors.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/lfi-os-files.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/php-config-directives.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/php-errors.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/php-function-names-933150.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/php-function-names-933151.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/php-variables.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/restricted-files.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/scanners-headers.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/scanners-urls.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/scanners-user-agents.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/scripting-user-agents.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/sql-errors.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/sql-function-names.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/unix-shell.data
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/windows-powershell-commands.data
mod_security_crs /etc/httpd/modsecurity.d/crs-setup.conf
mod_security_crs /usr/share/doc/mod_security_crs
mod_security_crs /usr/share/doc/mod_security_crs/CHANGES
mod_security_crs /usr/share/doc/mod_security_crs/README.md
mod_security_crs /usr/share/licenses/mod_security_crs
mod_security_crs /usr/share/licenses/mod_security_crs/LICENSE
mod_security_crs /usr/share/mod_modsecurity_crs
mod_security_crs /usr/share/mod_modsecurity_crs/rules
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-901-INITIALIZATION.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-910-IP-REPUTATION.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-912-DOS-PROTECTION.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-913-SCANNER-DETECTION.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-980-CORRELATION.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/crawlers-user-agents.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/iis-errors.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/java-code-leakages.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/java-errors.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/lfi-os-files.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/php-config-directives.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/php-errors.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/php-function-names-933150.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/php-function-names-933151.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/php-variables.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/restricted-files.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/scanners-headers.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/scanners-urls.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/scanners-user-agents.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/scripting-user-agents.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/sql-errors.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/sql-function-names.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/unix-shell.data
mod_security_crs /usr/share/mod_modsecurity_crs/rules/windows-powershell-commands.data

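Added example (not part of the thread, and not code from any poster or from the ModSecurity project): a small shell filter that reads `rpm -q --filesbypkg` output like the listing above and reports which file plays which role for Apache, plus a check that both the engine and the core rules are present. The function names and role labels are hypothetical; the sample input is constructed from a subset of the listing in the message above.

```sh
#!/bin/sh
# Constructed sample: a subset of the file list quoted in the thread.
sample_filelist() {
cat <<'EOF'
mod_security /etc/httpd/conf.d/mod_security.conf
mod_security /etc/httpd/conf.modules.d/10-mod_security.conf
mod_security /etc/httpd/modsecurity.d
mod_security /etc/httpd/modsecurity.d/activated_rules
mod_security /etc/httpd/modsecurity.d/local_rules
mod_security /etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf
mod_security /usr/lib64/httpd/modules/mod_security2.so
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf
mod_security_crs /etc/httpd/modsecurity.d/crs-setup.conf
mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
EOF
}

# modsec_layout: read "package path" lines on stdin and print
# "role<TAB>package<TAB>path" for every file Apache needs for ModSecurity 2.x.
# Directories, docs and the /usr/share rule copies get no role and are skipped.
modsec_layout() {
    awk '
    NF < 2 { next }
    {
        pkg = $1; path = $2; role = ""
        if (path ~ "/conf\\.modules\\.d/[^/]+\\.conf$")
            role = "loader"          # LoadModule snippet
        else if (path ~ "/conf\\.d/[^/]+\\.conf$")
            role = "engine-config"   # main ModSecurity settings
        else if (path ~ "/modules/mod_security2\\.so$")
            role = "module"          # the Apache module itself
        else if (path ~ "/modsecurity\\.d/crs-setup\\.conf$")
            role = "crs-setup"       # core rule set tuning
        else if (path ~ "/modsecurity\\.d/activated_rules/[^/]+\\.conf$")
            role = "active-rule"     # rule files under activated_rules
        else if (path ~ "/modsecurity\\.d/local_rules/[^/]+\\.conf$")
            role = "local-rule"      # site-specific rules
        if (role != "") printf "%s\t%s\t%s\n", role, pkg, path
    }'
}

# modsec_missing: print every required role that the file list on stdin does
# not provide. Empty output means engine and core rules are both present.
modsec_missing() {
    modsec_layout | awk -F '\t' '
    { seen[$1] = 1 }
    END {
        n = split("module loader engine-config crs-setup active-rule", need, " ")
        for (i = 1; i <= n; i++)
            if (!(need[i] in seen)) print need[i]
    }'
}

# Demo on the constructed sample. On a host with the packages installed:
#   rpm -q --filesbypkg mod_security mod_security_crs | modsec_layout
#   rpm -q --filesbypkg mod_security mod_security_crs | modsec_missing
sample_filelist | modsec_layout
```

With only the mod_security lines as input, `modsec_missing` reports `crs-setup` and `active-rule`, which is the "engine installed but no core rules" state the replies warn about.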
From: Jason L. <hac...@ya...> - 2021-02-22 17:49:23

I thought nobody here answered because that version 2.9.2 is old!
Uninstall version 3?

On Monday, February 22, 2021, 03:37:55 PM GMT+3:30, Reindl Harald <h.r...@th...> wrote:

On 21.02.21 at 20:28, Jason Long via mod-security-users wrote:
> Thank you so much for your answer.
> I installed ModSecurity as below:
>
> # yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl
> GeoIP-devel doxygen zlib-devel pcre-devel
> # cd /opt/
> # git clone https://github.com/SpiderLabs/ModSecurity
> # cd ModSecurity
> # git checkout -b v3/master origin/v3/master
> # sh build.sh
> # git submodule init
> # git submodule update
> # ./configure
> # yum install
> https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/23/x86_64/b/bison-3.0.4-3.fc23.x86_64.rpm
> # make
> # make install

what the hell are you doing?
compiling stuff?
mixing Fedora and CentOS packaging?

> But I can't see any "mod_security.conf" file in "httpd" directory!
> Why?

what about install modsec and the core ruleset from *packages* (EPEL if
needed) and look tighter with "ls -lhaR /etc/httpd/"?
From: Reindl H. <h.r...@th...> - 2021-02-22 18:38:06

first can you use a proper mail client not converting everything to HTML?

On 22.02.21 at 18:49, Jason Long via mod-security-users wrote:
> I thought nobody here answered because that version 2.9.2 is old!

you got answers

your problem is that you touch 1000 things at once while not understand
modsec and the corerules and your distribution at all

> Uninstall version 3?

most likely yes

i get tired from your "But I can't see any "mod_security.conf" file in
"httpd" directory!"

*what* is the "httpd" directory - /etc/httpd or /etc/httpd/conf.d - maybe
you even don't understand .d-directories

please do your homework

just learn some basics like "rpm -q --filesbypkg", make sure you have
*both* the corerules and modsec installed and don't insist in edit
things you don't understand at the moment

just get a basic install without nonsense like compile stuff at your own
and frankly don't mix random fedora packages into your centos setup - you
won't be able to maintain the mess you are creating

"yum install mod_security mod_security_crs" should give you everything
you need and then *look* what files it provide and where - forget random
howtos at least for details, i can package every file wherever i want
when building a package

> On Monday, February 22, 2021, 03:37:55 PM GMT+3:30, Reindl Harald
> <h.r...@th...> wrote:
>
> On 21.02.21 at 20:28, Jason Long via mod-security-users wrote:
> > Thank you so much for your answer.
> > I installed ModSecurity as below: > > > > # yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl > > GeoIP-devel doxygen zlib-devel pcre-devel > > # cd /opt/ > > # git clone https://github.com/SpiderLabs/ModSecurity > <https://github.com/SpiderLabs/ModSecurity> > > # cd ModSecurity > > # git checkout -b v3/master origin/v3/master > > # sh build.sh > > # git submodule init > > # git submodule update > > # ./configure > > # yum install > > > https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/23/x86_64/b/bison-3.0.4-3.fc23.x86_64.rpm > <https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/23/x86_64/b/bison-3.0.4-3.fc23.x86_64.rpm> > > # make > > # make install > > what he hell are you doing? > > compiling stuff? > mixing Fedora and CentOS packaging? > > > But I can't see any "mod_security.conf" file in "httpd" directory! > > Why? > > what about install modsec and the core ruleset from *packages* (EPEL if > needed) and look tighter with "ls -lhaR /etc/httpd/"? 
>
> yum install mod_security mod_security_crs
>
> it's in /etc/httpd/conf.d
>
> [harry@srv-rhsoft:/downloads]$ rpm -q --filesbypkg mod_security-2.9.3-9.eln109.x86_64.rpm
> mod_security /etc/httpd/conf.d/mod_security.conf
> mod_security /etc/httpd/conf.modules.d/10-mod_security.conf
> mod_security /etc/httpd/modsecurity.d
> mod_security /etc/httpd/modsecurity.d/activated_rules
> mod_security /etc/httpd/modsecurity.d/local_rules
> mod_security /etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf
> mod_security /usr/lib/.build-id
> mod_security /usr/lib/.build-id/c0
> mod_security /usr/lib/.build-id/c0/9fe3397f1beb60cd30f4fa5a3ac1a24f2c93df
> mod_security /usr/lib64/httpd/modules/mod_security2.so
> mod_security /usr/share/doc/mod_security
> mod_security /usr/share/doc/mod_security/CHANGES
> mod_security /usr/share/doc/mod_security/LICENSE
> mod_security /usr/share/doc/mod_security/NOTICE
> mod_security /usr/share/doc/mod_security/README.md
> mod_security /var/lib/mod_security
>
> [harry@srv-rhsoft:/downloads]$ rpm -q --filesbypkg mod_security_crs-3.0.0-12.eln109.noarch.rpm
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-905-COMMON-EXCEPTIONS.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-910-IP-REPUTATION.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-911-METHOD-ENFORCEMENT.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-912-DOS-PROTECTION.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-913-SCANNER-DETECTION.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-921-PROTOCOL-ATTACK.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-950-DATA-LEAKAGES.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-959-BLOCKING-EVALUATION.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/crawlers-user-agents.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/iis-errors.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/java-code-leakages.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/java-errors.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/lfi-os-files.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/php-config-directives.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/php-errors.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/php-function-names-933150.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/php-function-names-933151.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/php-variables.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/restricted-files.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/scanners-headers.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/scanners-urls.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/scanners-user-agents.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/scripting-user-agents.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/sql-errors.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/sql-function-names.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/unix-shell.data
> mod_security_crs /etc/httpd/modsecurity.d/activated_rules/windows-powershell-commands.data
> mod_security_crs /etc/httpd/modsecurity.d/crs-setup.conf
> mod_security_crs /usr/share/doc/mod_security_crs
> mod_security_crs /usr/share/doc/mod_security_crs/CHANGES
> mod_security_crs /usr/share/doc/mod_security_crs/README.md
> mod_security_crs /usr/share/licenses/mod_security_crs
> mod_security_crs /usr/share/licenses/mod_security_crs/LICENSE
> mod_security_crs /usr/share/mod_modsecurity_crs
> mod_security_crs /usr/share/mod_modsecurity_crs/rules
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-901-INITIALIZATION.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-910-IP-REPUTATION.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-912-DOS-PROTECTION.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-913-SCANNER-DETECTION.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/RESPONSE-980-CORRELATION.conf
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/crawlers-user-agents.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/iis-errors.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/java-code-leakages.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/java-errors.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/lfi-os-files.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/php-config-directives.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/php-errors.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/php-function-names-933150.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/php-function-names-933151.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/php-variables.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/restricted-files.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/scanners-headers.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/scanners-urls.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/scanners-user-agents.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/scripting-user-agents.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/sql-errors.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/sql-function-names.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/unix-shell.data
> mod_security_crs /usr/share/mod_modsecurity_crs/rules/windows-powershell-commands.data
|
From: Jason L. <hac...@ya...> - 2021-02-27 09:53:12
|
Hi Ervin,
Thank you so much for your help.
My problem was that I forgot to install "mod_security_crs" package. After it, I have a "modsecurity.d" directory in the "/etc/httpd" directory.
I changed "SecRuleEngine DetectionOnly" to "SecRuleEngine On" and restarted my Apache. I have some questions:
1- In the "modsecurity.d" directory, I have below directories:
activated_rules crs-setup.conf local_rules
Which directory is OK for the OWASP ModSecurity Rules?
2- Any header must be enabled in the "httpd.conf" file?
3- I scanned my website with "Sucuri Security", but it can't detect any Website Firewall. Why?
4- Why ModSecurity does not allow uploading files to the website? Which log file must be examined?
Thank you.
On Friday, February 19, 2021, 10:41:36 AM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:
Hi Jason,
On Fri, Feb 19, 2021 at 06:10:16AM +0000, Jason Long via mod-security-users wrote:
> Hello, I'm using CentOS 8 x86_64 and I want to configure ModSecurity for Apache. I looked at "https://phoenixnap.com/kb/setup-configure-modsecurity-on-apache" tutorial, but I can't find any "/etc/modsecurity" directory!!! I used below find command to find that directory:
> # find / -name modsecurity -print
> But no result.
> Is "/etc/modsecurity" directory replaced by "/etc/httpd/conf.d/mod_security.conf" and "/etc/httpd/conf.modules.d/10-mod_security.conf" ?
I think you should install modsecurity-crs package:
https://git.centos.org/rpms/mod_security_crs/tree/c8
or download the latest stable version:
https://github.com/coreruleset/coreruleset/releases/tag/v3.3.0
Note, in this case the "/etc/modsecurity" directory not needed,
you can make your structure as you want.
Hope this helps,
a.
|
|
From: Ervin H. <ai...@gm...> - 2021-03-01 09:26:13
|
hi Jason,

On Sat, Feb 27, 2021 at 09:52:58AM +0000, Jason Long wrote:
> Hi Ervin, Thank you so much for your help. My problem was that I forgot to install "mod_security_crs" package. After it, I have a "modsecurity.d" directory in the "/etc/httpd" directory. I changed "SecRuleEngine DetectionOnly" to "SecRuleEngine On" and restarted my Apache. I have some questions:
> 1- In the "modsecurity.d" directory, I have below directories:
> activated_rules crs-setup.conf local_rules
>
> Which directory is OK for the OWASP ModSecurity Rules?

I assume that crs-setup.conf is a regular file, not a directory. Also I think local_rules contains the whole rule set, activated_rules contains symlinks to rule files to local_rules. You have to decide, what rules you need.

crs-setup.conf is a configuration file for CRS - you can set up the CRS variables, eg. paranoia level, and many other things.

Please check this file:

https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL

> 2- Any header must be enabled in the "httpd.conf" file?

Sorry, what do you mean exactly? Which header?

I don't know CentOS, but I assume in httpd.conf you have to enable the security module.

> 3- I scanned my website with "Sucuri Security", but it can't detect any Website Firewall. Why?

I have no idea - may be you should ask Sucuri...

(Note, I also checked one of my server, which *RUNS* ModSecurity, and I got same result...)

> 4- Why ModSecurity does not allow uploading files to the website? Which log file must be examined?

you should check the Apache's error.log, and if the audit.log is enabled that file too.

a.
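The error.log check suggested in the reply above, as an added example that is not part of the thread: it groups ModSecurity 2.x error.log entries by unique_id so that a blocked request (for instance a rejected upload) is shown together with the rules that contributed to the block. The log lines, host names, client address and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: explain blocked requests from ModSecurity entries in the
# Apache error.log. All log lines below are constructed samples (client,
# host, unique_id and line numbers are made up); only the bracketed
# [name "value"] field layout written by ModSecurity 2.x matters here.

sample_error_log() {
cat <<'EOF'
[Sat Feb 27 13:20:10.500000 2021] [:error] [pid 2101] [client 192.0.2.10:50410] [client 192.0.2.10] ModSecurity: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [hostname "192.0.2.20"] [uri "/index.php"] [unique_id "YDpK2gAAAAEAAAba"]
[Sat Feb 27 13:20:11.101010 2021] [:error] [pid 2101] [client 192.0.2.10:50412] [client 192.0.2.10] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "930"] [id "920420"] [msg "Request content type is not allowed by policy"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/upload.php"] [unique_id "YDpK2wAAAAEAAAbc"]
[Sat Feb 27 13:20:11.101500 2021] [:error] [pid 2101] [client 192.0.2.10:50412] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/upload.php"] [unique_id "YDpK2wAAAAEAAAbc"]
[Sat Feb 27 13:20:12.000000 2021] [core:notice] [pid 2000] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
EOF
}

# awk helper shared by both functions: value of a [name "value"] field, or "-".
AWK_FIELD='
function field(name,    start, rest, stop) {
    start = index($0, "[" name " \"")
    if (start == 0) return "-"
    rest = substr($0, start + length(name) + 3)
    stop = index(rest, "\"]")
    return substr(rest, 1, stop - 1)
}'

# rules_for_uri LOGFILE URI
# One line per ModSecurity entry for that URI: id, WARN/DENY, rule file:line, msg.
rules_for_uri() {
    awk -v uri="$2" "$AWK_FIELD"'
    index($0, "ModSecurity: ") && field("uri") == uri {
        action = "WARN"
        if (index($0, "ModSecurity: Access denied")) action = "DENY"
        n = split(field("file"), parts, "/")
        printf "%s\t%s\t%s:%s\t%s\n", field("id"), action, parts[n], field("line"), field("msg")
    }' "$1"
}

# explain_denials LOGFILE
# For every denied transaction, print the URI, the rule that issued the deny
# and the ids of the warnings logged for the same unique_id.
explain_denials() {
    awk "$AWK_FIELD"'
    index($0, "ModSecurity: ") == 0 { next }
    {
        uid = field("unique_id")
        if (index($0, "ModSecurity: Access denied")) {
            if (!(uid in deny)) order[++count] = uid
            deny[uid] = field("id")
            uri[uid] = field("uri")
        } else if (index($0, "ModSecurity: Warning")) {
            if (uid in warn) warn[uid] = warn[uid] "," field("id")
            else warn[uid] = field("id")
        }
    }
    END {
        for (i = 1; i <= count; i++) {
            uid = order[i]
            contributing = "-"
            if (uid in warn) contributing = warn[uid]
            printf "%s denied_by=%s contributing=%s\n", uri[uid], deny[uid], contributing
        }
    }' "$1"
}

log=$(mktemp)
sample_error_log > "$log"
echo "Denied requests:"
explain_denials "$log"
echo "Entries for /upload.php:"
rules_for_uri "$log" /upload.php
rm -f "$log"
```

On a real host, point both functions at the Apache error log instead of the sample file; the rule file named in each entry shows which of the activated rule files to review before adding an exclusion.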
|
From: Jason L. <hac...@ya...> - 2021-03-02 09:14:18
|
Hi Ervin,
Thank you so much for your reply.
I read "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" and I have other questions:

1- At "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" I read "Download our release from https://coreruleset.org/installation/ and unpack it into a new owasp-modsecurity-crs folder". Thus, I must create a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d/" directory?

2- In the "httpd.conf" file, you can add some configuration lines and as "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" said, it is :

<IfModule security2_module>
Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>

But, it just for Debian? The "httpd.conf/apache2.conf" file is for Debian. How about CentOS? Should I add above lines to "/etc/httpd/conf/httpd.conf" file?

3- You said "Also I think local_rules contains the whole rule set", but in the "local_rules" directory, I just have one "modsecurity_localrules.conf" with below contents:

# User defined rules and settings .
#
# You can use this file/directory to drop your local rules or
# to remove some rules provided by mod_security_crs package with SecRuleRemoveById
#
# You can also disable mod_security for some incompatible web applications (eg. phpMyAdmin).
#

Is it normal?

On Monday, March 1, 2021, 12:55:51 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:

hi Jason,

On Sat, Feb 27, 2021 at 09:52:58AM +0000, Jason Long wrote:
> Hi Ervin, Thank you so much for your help. My problem was that I forgot to install "mod_security_crs" package. After it, I have a "modsecurity.d" directory in the "/etc/httpd" directory. I changed "SecRuleEngine DetectionOnly" to "SecRuleEngine On" and restarted my Apache. I have some questions:
> 1- In the "modsecurity.d" directory, I have below directories:
> activated_rules crs-setup.conf local_rules
>
> Which directory is OK for the OWASP ModSecurity Rules?

I assume that crs-setup.conf is a regular file, not a directory. Also I think local_rules contains the whole rule set, activated_rules contains symlinks to rule files to local_rules. You have to decide, what rules you need.

crs-setup.conf is a configuration file for CRS - you can set up the CRS variables, eg. paranoia level, and many other things.

Please check this file:

https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL

> 2- Any header must be enabled in the "httpd.conf" file?

Sorry, what do you mean exactly? Which header?

I don't know CentOS, but I assume in httpd.conf you have to enable the security module.

> 3- I scanned my website with "Sucuri Security", but it can't detect any Website Firewall. Why?

I have no idea - may be you should ask Sucuri...

(Note, I also checked one of my server, which *RUNS* ModSecurity, and I got same result...)

> 4- Why ModSecurity does not allow uploading files to the website? Which log file must be examined?

you should check the Apache's error.log, and if the audit.log is enabled that file too.

a.
|
From: Ervin H. <ai...@gm...> - 2021-03-02 09:48:29
|
Hi Jason,

On Tue, Mar 02, 2021 at 09:13:30AM +0000, Jason Long wrote:
> Hi Ervin, Thank you so much for your reply. I read "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" and I have other questions:
> 1- At "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" I read "Download our release from https://coreruleset.org/installation/ and unpack it into a new owasp-modsecurity-crs folder". Thus, I must create a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d/" directory?

that's your decision. You can unpack them where you want: into a new (sub) directory, or you can overwrite the existing rules.

> 2- In the "httpd.conf" file, you can add some configuration lines and as "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" said, it is :
> <IfModule security2_module> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf </IfModule>

(sorry for the side-note, others already wrote you please stop the HTML e-mails)

> But, it just for Debian? The "httpd.conf/apache2.conf" file is for Debian.

No. Debian uses /etc/apache2 directory to store the configuration files.

> How about CentOS? Should I add above lines to "/etc/httpd/conf/httpd.conf" file?

You need to find where CentOS stores the configuration files, which loads the modules. I have few RH instance, they stores these files under /etc/httpd/conf.modules.d, eg:

# cat /etc/httpd/conf.modules.d/01-cgi.conf
# This configuration file loads a CGI module appropriate to the MPM
# which has been configured in 00-mpm.conf. mod_cgid should be used
# with a threaded MPM; mod_cgi with the prefork MPM.

<IfModule mpm_worker_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_event_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
LoadModule cgi_module modules/mod_cgi.so
</IfModule>

You should read the CentOS Apache documentation.

> 3- You said "Also I think local_rules contains the whole rule set", but in the "local_rules" directory, I just have one "modsecurity_localrules.conf" with below contents:
> # User defined rules and settings .## You can use this file/directory to drop your local rules or# to remove some rules provided by mod_security_crs package with SecRuleRemoveById## You can also disable mod_security for some incompatible web applications (eg. phpMyAdmin).##
> Is it normal?

may be - as I wrote, I don't know CentOS.

a.
|
From: Jason L. <hac...@ya...> - 2021-03-02 18:56:02
|
Hi Ervin,
Thank you so much.
I found two files:

1- /etc/httpd/conf.modules.d/10-mod_security.conf
2- /etc/httpd/conf.d/mod_security.conf

The content of the first file is :

$ cat /etc/httpd/conf.modules.d/10-mod_security.conf
LoadModule security2_module modules/mod_security2.so

<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>

And the content of the second file is :
https://paste.ubuntu.com/p/Rtz6jRrwzT/

I don't know the difference between of the two files :(

Nobody here using CentOS?

On Tuesday, March 2, 2021, 01:18:13 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:

Hi Jason,

On Tue, Mar 02, 2021 at 09:13:30AM +0000, Jason Long wrote:
> Hi Ervin, Thank you so much for your reply. I read "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" and I have other questions:
> 1- At "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" I read "Download our release from https://coreruleset.org/installation/ and unpack it into a new owasp-modsecurity-crs folder". Thus, I must create a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d/" directory?

that's your decision. You can unpack them where you want: into a new (sub) directory, or you can overwrite the existing rules.

> 2- In the "httpd.conf" file, you can add some configuration lines and as "https://github.com/coreruleset/coreruleset/blob/v3.4/dev/INSTALL" said, it is :
> <IfModule security2_module> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf </IfModule>

(sorry for the side-note, others already wrote you please stop the HTML e-mails)

> But, it just for Debian? The "httpd.conf/apache2.conf" file is for Debian.

No. Debian uses /etc/apache2 directory to store the configuration files.

> How about CentOS? Should I add above lines to "/etc/httpd/conf/httpd.conf" file?

You need to find where CentOS stores the configuration files, which loads the modules. I have few RH instance, they stores these files under /etc/httpd/conf.modules.d, eg:

# cat /etc/httpd/conf.modules.d/01-cgi.conf
# This configuration file loads a CGI module appropriate to the MPM
# which has been configured in 00-mpm.conf. mod_cgid should be used
# with a threaded MPM; mod_cgi with the prefork MPM.

<IfModule mpm_worker_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_event_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
LoadModule cgi_module modules/mod_cgi.so
</IfModule>

You should read the CentOS Apache documentation.

> 3- You said "Also I think local_rules contains the whole rule set", but in the "local_rules" directory, I just have one "modsecurity_localrules.conf" with below contents:
> # User defined rules and settings .## You can use this file/directory to drop your local rules or# to remove some rules provided by mod_security_crs package with SecRuleRemoveById## You can also disable mod_security for some incompatible web applications (eg. phpMyAdmin).##
> Is it normal?

may be - as I wrote, I don't know CentOS.

a.
|
From: Williams, D. A. <dav...@US...> - 2021-03-02 20:22:12
|
I'm not claiming this is right... (And I apologize for editing the included email chain, Outlook likes to rebuild links in ways I don't like.)
I installed via yum these two packages: mod_security-2.9.2-1.el7.x86_64 and mod_security_crs-2.2.9-1.el7.noarch. I recognize that's an older version, but I expect the configuration files may be similar. That gave me /etc/httpd/conf.d/mod_security.conf: the entry point to the configuration; I can't include the full file, but in my case these are some key lines to set up engine. The first two lines tell it about the other directories for further configuration:
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
I also have some global tuning in that file (again, not saying that's "right"), like several:
SecRuleRemoveById XXXXs
/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf is the base rule for the core rule set (I believe). The mod sec engine needs rules to enforce; CRS is a good starting point. With that base CRS configuration in place, the files in /etc/httpd/modsecurity.d/activated_rules are the real meat of the rules to enforce with some brief file names to outline the sorts of things they look for and protect against, like protocol_anomalies.conf or bad_robots.conf.
I hope that bit of my experience will help.
-David
-----Original Message-----
From: Jason Long via mod-security-users <mod...@li...>
Sent: Tuesday, March 2, 2021 1:56 PM
To: Ervin Hegedüs <ai...@gm...>
Cc: Jason Long <hac...@ya...>; Jason Long via mod-security-users <mod...@li...>
Subject: Re: [mod-security-users] How to configure ModSecurity on CentOS 8?
Hi Ervin,
Thank you so much.
I found two files:
1- /etc/httpd/conf.modules.d/10-mod_security.conf
2- /etc/httpd/conf.d/mod_security.conf
The content of the first file is :
$ cat /etc/httpd/conf.modules.d/10-mod_security.conf
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
And the content of the second file is :
....
I don't know the difference between of the two files :(
Nobody here using CentOS?
On Tuesday, March 2, 2021, 01:18:13 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:
Hi Jason,
On Tue, Mar 02, 2021 at 09:13:30AM +0000, Jason Long wrote:
> Hi Ervin,Thank you so much for your reply.I ... and I have other questions:
> 1- At ... I read "Download our release from ... and unpack it into a new owasp-modsecurity-crs folder". Thus, I must create a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d/" directory?
that's your decision. You can unpack them where you want: into a
new (sub) directory, or you can overwrite the existing rules.
> 2- In the "httpd.conf" file, you can add some configuration lines and as ... said, it is :
> <IfModule security2_module> Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf </IfModule>
(sorry for the side-note, others already wrote you please stop
the HTML e-mails)
> But, it just for Debian? The "httpd.conf/apache2.conf" file is for Debian.
No. Debian uses /etc/apache2 directory to store the configuration
files.
> How about CentOS? Should I add above lines to "/etc/httpd/conf/httpd.conf" file?
You need to find where CentOS stores the configuration files,
which loads the modules. I have few RH instance, they stores
these files under /etc/httpd/conf.modules.d, eg:
# cat /etc/httpd/conf.modules.d/01-cgi.conf
# This configuration file loads a CGI module appropriate to the MPM
# which has been configured in 00-mpm.conf. mod_cgid should be used
# with a threaded MPM; mod_cgi with the prefork MPM.
<IfModule mpm_worker_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_event_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
LoadModule cgi_module modules/mod_cgi.so
</IfModule>
You should read the CentOS Apache documentation.
> 3- You said "Also I think local_rules contains the whole rule set", but in the "local_rules" directory, I just have one "modsecurity_localrules.conf" with below contents:
> # User defined rules and settings .## You can use this file/directory to drop your local rules or# to remove some rules provided by mod_security_crs package with SecRuleRemoveById## You can also disable mod_security for some incompatible web applications (eg. phpMyAdmin).##
> Is it normal?
may be - as I wrote, I don't know CentOS.
a.
|
|
From: Ervin H. <ai...@gm...> - 2021-03-02 20:14:06
|
Hi Jason,

On Tue, Mar 02, 2021 at 06:55:51PM +0000, Jason Long wrote:
> I found two files:
>
> 1- /etc/httpd/conf.modules.d/10-mod_security.conf
> 2- /etc/httpd/conf.d/mod_security.conf
>
> The content of the first file is :
>
> $ cat /etc/httpd/conf.modules.d/10-mod_security.conf
> LoadModule security2_module modules/mod_security2.so
>
> <IfModule !mod_unique_id.c>
> LoadModule unique_id_module modules/mod_unique_id.so
> </IfModule>
>
> And the content of the second file is :
> https://paste.ubuntu.com/p/Rtz6jRrwzT/
>
> I don't know the difference between of the two files :(

I assume these directories came from default installation, which means the Apache had set up that reads the necessary modules from the directory /etc/httpd/conf.modules.d/, and the configuration files from /etc/httpd/conf.d/. There must be two directives which reads these directories, eg:

IncludeOptional /etc/httpd/conf.modules.d/*.conf
IncludeOptional /etc/httpd/conf.d/*.conf

or something similar...

/etc/httpd/conf.modules.d/10-mod_security.conf - this files loads the mod_security Apache module. By this Apache will be able to work as a WAF.

/etc/httpd/conf.d/mod_security.conf - this file is a configuration file, in other words, this file sets up mod_security module, tells to module how should it works.

The first 49 lines contains the general settings - for more info, please check this page:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)

Take a look to these lines:

52. IncludeOptional modsecurity.d/*.conf
53. IncludeOptional modsecurity.d/activated_rules/*.conf
54. IncludeOptional modsecurity.d/local_rules/*.conf

These lines loads the rule set. On the last link I given you can find so many useful information about rules.

The Apache's IncludeOptional directive tells to Apache that read the directory given that name, load the files with name the given pattern (*.conf) - if there isn't any file with name *.conf, it's no problem.

I think the parent modsecurity.d/ directory above should be under /etc/httpd, or /etc/httpd/conf.d/ - just try it. If Apache doesn't found the files, you will see in the error.log.

The order of loading of files is very important.

You have to copy the CRS rules/ directory content into the activated_rules/ directory. I think the crs-setup.conf must be copied under modsecurity.d/ directly. The local_rules/ can be empty.

Because the SecRuleEngine is On in your setup (10-mod_security.conf), and audit.log had configured, you have to see any attack in that log, and in your error.log.

Hope this helps.

a.
|
From: Jason L. <hac...@ya...> - 2021-03-02 21:19:21
|
Hi Ervin,
Thank you again.
I created a "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d" directory, then downloaded OWASP ModSecurity Rules from "https://coreruleset.org/installation/" and extracted it in the "owasp-modsecurity-crs" directory. I renamed "crs-setup.conf.example" file to "crs-setup.conf". In the "rules" directory, I renamed below files too:

# mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

I have other questions:

1- I must add below lines to the "/etc/httpd/conf.d/mod_security.conf" file:

IncludeOptional modsecurity.d/owasp-modsecurity-crs/*.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

?

2- I must not add anything to "httpd.conf" file to enable ModSecurity?

On Tuesday, March 2, 2021, 11:50:25 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:

Hi Jason,

On Tue, Mar 02, 2021 at 06:55:51PM +0000, Jason Long wrote:
> I found two files:
>
> 1- /etc/httpd/conf.modules.d/10-mod_security.conf
> 2- /etc/httpd/conf.d/mod_security.conf
>
> The content of the first file is :
>
> $ cat /etc/httpd/conf.modules.d/10-mod_security.conf
> LoadModule security2_module modules/mod_security2.so
>
> <IfModule !mod_unique_id.c>
> LoadModule unique_id_module modules/mod_unique_id.so
> </IfModule>
>
> And the content of the second file is :
> https://paste.ubuntu.com/p/Rtz6jRrwzT/
>
> I don't know the difference between of the two files :(

I assume these directories came from default installation, which means the Apache had set up that reads the necessary modules from the directory /etc/httpd/conf.modules.d/, and the configuration files from /etc/httpd/conf.d/. There must be two directives which reads these directories, eg:

IncludeOptional /etc/httpd/conf.modules.d/*.conf
IncludeOptional /etc/httpd/conf.d/*.conf

or something similar...

/etc/httpd/conf.modules.d/10-mod_security.conf - this files loads the mod_security Apache module. By this Apache will be able to work as a WAF.

/etc/httpd/conf.d/mod_security.conf - this file is a configuration file, in other words, this file sets up mod_security module, tells to module how should it works.

The first 49 lines contains the general settings - for more info, please check this page:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)

Take a look to these lines:

52. IncludeOptional modsecurity.d/*.conf
53. IncludeOptional modsecurity.d/activated_rules/*.conf
54. IncludeOptional modsecurity.d/local_rules/*.conf

These lines loads the rule set. On the last link I given you can find so many useful information about rules.

The Apache's IncludeOptional directive tells to Apache that read the directory given that name, load the files with name the given pattern (*.conf) - if there isn't any file with name *.conf, it's no problem.

I think the parent modsecurity.d/ directory above should be under /etc/httpd, or /etc/httpd/conf.d/ - just try it. If Apache doesn't found the files, you will see in the error.log.

The order of loading of files is very important.

You have to copy the CRS rules/ directory content into the activated_rules/ directory. I think the crs-setup.conf must be copied under modsecurity.d/ directly. The local_rules/ can be empty.

Because the SecRuleEngine is On in your setup (10-mod_security.conf), and audit.log had configured, you have to see any attack in that log, and in your error.log.

Hope this helps.

a.
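An added example (not part of the thread) covering both the IncludeOptional load order explained in Ervin's reply and the two extra IncludeOptional lines proposed in the message above: it lists the files those directives pull in, in order, and reports rule ids defined by more than one loaded file, which ModSecurity 2.x rejects when Apache parses the configuration. The directory tree is a constructed stand-in for /etc/httpd with stub rule files, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: resolve the IncludeOptional lines of mod_security.conf in
# load order and report rule ids that two loaded files both define.
# Assumptions: one level of includes, paths without spaces, directive names
# spelled exactly "Include"/"IncludeOptional". The tree and the stub rules
# are constructed for illustration.

build_sample_tree() {
    root=$1
    mkdir -p "$root/conf.d" "$root/modsecurity.d/activated_rules" \
             "$root/modsecurity.d/local_rules" \
             "$root/modsecurity.d/owasp-modsecurity-crs/rules"
    # Packaged includes (lines 52-54 quoted in the thread) plus the two added lines.
    cat > "$root/conf.d/mod_security.conf" <<'EOF'
SecRuleEngine On
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
IncludeOptional modsecurity.d/local_rules/*.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/*.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf
EOF
    off='# SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"'
    pkg='SecAction "id:900990,phase:1,nolog,pass,t:none,setvar:tx.crs_setup_version=300"'
    new='SecAction "id:900990,phase:1,nolog,pass,t:none,setvar:tx.crs_setup_version=330"'
    init='SecRule &TX:crs_setup_version "@eq 0" "id:901001,phase:1,deny,status:500,log"'
    printf '%s\n%s\n' "$off" "$pkg" > "$root/modsecurity.d/crs-setup.conf"
    printf '%s\n' "$init" > "$root/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf"
    printf '%s\n' '# User defined rules and settings' \
        > "$root/modsecurity.d/local_rules/modsecurity_localrules.conf"
    printf '%s\n%s\n' "$off" "$new" > "$root/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf"
    printf '%s\n' "$init" \
        > "$root/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"
}

# included_files SERVER_ROOT CONF
# Print the files CONF includes, in load order. Relative patterns are resolved
# against SERVER_ROOT; a pattern that matches nothing is skipped, as with
# IncludeOptional.
included_files() {
    root=$1
    sed -n 's/^[[:space:]]*Include\(Optional\)\{0,1\}[[:space:]]\{1,\}\([^[:space:]]*\).*/\2/p' "$2" |
    while IFS= read -r pattern; do
        case $pattern in
            /*) ;;
            *) pattern=$root/$pattern ;;
        esac
        for f in $pattern; do          # unquoted on purpose: expand the glob
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# duplicate_rule_ids: file list on stdin, in load order.
# Print "id first_file second_file" for every id seen in a second file.
# Commented-out rules are ignored.
duplicate_rule_ids() {
    while IFS= read -r f; do
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }
            {
                line = $0
                while (match(line, /(^|[^A-Za-z_])id:[^0-9,]?[0-9]+/)) {
                    id = substr(line, RSTART, RLENGTH)
                    sub(/.*id:/, "", id)
                    gsub(/[^0-9]/, "", id)
                    print id, file
                    line = substr(line, RSTART + RLENGTH)
                }
            }' "$f"
    done | awk '
        ($1 in seen) { printf "%s %s %s\n", $1, seen[$1], $2; next }
        { seen[$1] = $2 }'
}

demo_root=$(mktemp -d)
build_sample_tree "$demo_root"
echo "Load order:"
included_files "$demo_root" "$demo_root/conf.d/mod_security.conf"
echo "Rule ids defined more than once (id, first file, second file):"
included_files "$demo_root" "$demo_root/conf.d/mod_security.conf" | duplicate_rule_ids
rm -rf "$demo_root"
```

Against a real installation, pass /etc/httpd and /etc/httpd/conf.d/mod_security.conf instead of the sample tree, keep only one copy of the rule set in the include path, and run `httpd -t` before restarting Apache.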
|
From: Jason L. <hac...@ya...> - 2021-03-03 11:53:42
|
Hello,

I added the lines below to the "/etc/httpd/conf.d/mod_security.conf" file:

IncludeOptional modsecurity.d/owasp-modsecurity-crs/*.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

And when I restarted my Apache, I got an error:

AH00526: Syntax error on line 829 of /etc/httpd/modsecurity.d/owasp-modsecur...

And line 829 of that file is:

SecAction \
 "id:900990,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_setup_version=330"    ==> Line 829

How to solve it?
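Added example, not part of the thread and not ModSecurity or CRS project code: Apache resolves the relative IncludeOptional patterns above against ServerRoot and expands each wildcard in alphabetical order, and ModSecurity 2.x refuses to load a configuration in which two rules share an id. The Python sketch below lists that load order and reports ids defined more than once; the directory tree it builds (crs-setup.conf present in two included directories) is constructed for illustration and is not a diagnosis of the truncated AH00526 message.

```python
import re
import tempfile
from pathlib import Path

ID_RE = re.compile(r"""["',]\s*id\s*:\s*'?(\d+)""")  # the id action, e.g. "id:900990,
# mod_security.conf lines 52-54 as quoted in the thread, then the two lines added later.
PATTERNS = ["modsecurity.d/*.conf", "modsecurity.d/activated_rules/*.conf",
            "modsecurity.d/local_rules/*.conf", "modsecurity.d/owasp-modsecurity-crs/*.conf",
            "modsecurity.d/owasp-modsecurity-crs/rules/*.conf"]
# Constructed sample file body: the multi-line SecAction quoted in the thread.
SETUP = 'SecAction \\\n "id:900990,\\\n phase:1,\\\n nolog,\\\n pass,\\\n t:none,\\\n setvar:tx.crs_setup_version=330"\n'

def logical_lines(path):
    """Yield (first_line_no, text) with backslash-continued lines joined."""
    buf, start = "", 1
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            buf += raw.rstrip("\r\n")
            if buf.endswith("\\"):
                buf = buf[:-1] + " "
            else:
                yield start, buf
                buf, start = "", no + 1

def load_order(server_root, patterns=PATTERNS):
    """Expand patterns relative to ServerRoot, each wildcard in alphabetical order."""
    return [f for p in patterns for f in sorted(Path(server_root).glob(p))]

def duplicate_ids(server_root, patterns=PATTERNS):
    """Map rule id -> [(relative file, line)] for every id defined more than once."""
    seen = {}
    for path in load_order(server_root, patterns):
        rel = path.relative_to(server_root).as_posix()
        for no, text in logical_lines(path):
            m = ID_RE.search(text)
            if m and text.lstrip().startswith(("SecRule ", "SecAction ")):
                seen.setdefault(m.group(1), []).append((rel, no))
    return {i: locs for i, locs in seen.items() if len(locs) > 1}

def demo():
    """Constructed tree: the same crs-setup.conf in two included directories."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("modsecurity.d", "modsecurity.d/owasp-modsecurity-crs"):
            Path(root, d).mkdir(parents=True, exist_ok=True)
            Path(root, d, "crs-setup.conf").write_text("# constructed sample\n" + SETUP)
        return duplicate_ids(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, call `duplicate_ids("/etc/httpd")` with the patterns actually present in mod_security.conf; an empty result means no id is defined twice across the included files.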