
Mod Security Rule Check

Posted: Tue Nov 15, 2011 8:03 pm
by nootkan
Looked through a lot of posts in this forum and learned a few things I didn't know before. :D

Not sure if this is the appropriate thread for my question but here it goes: I have a rule created for me by a third party that states:
# post content phrase match - catch pills, pron etc
SecRule ARGS_POST "@pmFromFile /home/mydomain/public_html/modsecurity/blacklist-post-content.txt" \
"phase:2, log,deny,status:406,t:none, t:compressWhiteSpace, t:replaceNulls, t:urlDecode, t:lowercase, msg:'POST: blacklisted post content. '"
I've created the spam list, named it blacklist-post-content.txt and uploaded it to my domain. It doesn't seem to be working, however, as I never see any logs in WHM/Plugins/Mod Security logs. Is there another way to do this? I tried to click on the spam links in the delayed free individual rulesets on the home page but they seem to be broken. Thanks in advance.

Re: Mod Security Rule Check

Posted: Tue Nov 15, 2011 11:11 pm
by mikeshinn
Where did you add this rule, to the apache config?

Re: Mod Security Rule Check

Posted: Wed Nov 16, 2011 12:47 am
by nootkan
No, I added it to the WHM/Plugins/Mod Security/Edit Config. See screenshot. I whited out the domain/IP details.

Re: Mod Security Rule Check

Posted: Wed Nov 16, 2011 1:02 pm
by mikeshinn
How are you testing that rule? Keep in mind you are only inspecting POST ARGS so only a POST will trigger this rule.

Also, check to make sure you have modsecurity configured to inspect the body. Out of the box, cPanel has a pretty minimal configuration that won't inspect the body of a POST.

https://www.atomicorp.com/wiki/index.ph ... _using_ASL
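
Added example, not part of the original posts or of Atomicorp's documentation: the body-inspection point from the reply above, written as ModSecurity 2.x configuration and reusing the rule and file path quoted in the thread. The rule id, the body limit and the audit log path are assumed values.

```apache
# Added example. Only the SecRule pattern file path comes from the thread;
# the id, limit and log path below are assumptions.

# --- Minimal setup: the rule loads but never sees POST parameters ---
# SecRuleEngine On
# SecRequestBodyAccess Off
# (Off is the default. The request body is not buffered or parsed, so
#  ARGS_POST stays empty and the rule below never matches or logs.)

# --- Setup in which the phase:2 rule can inspect ARGS_POST ---
SecRuleEngine On

# Buffer and parse request bodies so POST parameters are available in phase 2.
SecRequestBodyAccess On

# Assumed upper bound on the buffered body size, in bytes.
SecRequestBodyLimit 13107200

# Write an audit entry for transactions that trigger a rule.
SecAuditEngine RelevantOnly
# Assumed log location; use the path your installation already writes to.
SecAuditLog /var/log/apache2/modsec_audit.log

# The rule from the first post, with the action list tidied.
# ARGS_POST only holds parameters parsed from an HTTP POST body handled by
# Apache, so GET requests are not inspected by this rule.
# id is mandatory from ModSecurity 2.7 on; 900001 is an assumed value.
SecRule ARGS_POST "@pmFromFile /home/mydomain/public_html/modsecurity/blacklist-post-content.txt" \
    "phase:2,id:900001,log,deny,status:406,t:none,t:compressWhiteSpace,t:replaceNulls,t:urlDecode,t:lowercase,msg:'POST: blacklisted post content.'"

# Check: submit a form field containing one phrase from the list, for example
#   curl -i -d "comment=PHRASE_FROM_LIST" http://your-site.example/
# and expect "406 Not Acceptable" plus a matching audit log entry.
# A phrase file kept under public_html may be downloadable by visitors;
# a directory outside the web root avoids that.
```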

Re: Mod Security Rule Check

Posted: Wed Nov 16, 2011 5:08 pm
by nootkan
I was testing it by reading my mod security logs after seeing multiple spam messages in my Mailwatch/Mailscanner program with the subject text I've blacklisted. There were no logs so I assumed it wasn't working.

Thanks for the link; I've seen it before in my browsing and it was a bit confusing. As you probably have guessed by now, this is all new for me and I'm trying to learn as much as I can, but my Linux commands (I have a cheat sheet) are very poor.

Before I found this forum, I had visited your parent company website and sent an email using the contact form asking if you provided a service that does the mod security upgrade (2.6) and install for asl for me but never heard back from anyone. I am still interested if such a service exists.

The support I see you providing on this forum is great and I see newbies like myself have a chance to learn something instead of being chastised or labelled like at so many other places I have tried before.

Awesome job!

Re: Mod Security Rule Check

Posted: Wed Nov 16, 2011 6:38 pm
by mikeshinn
We do offer modsecurity support in a number of ways. The easiest option is to use our Atomic Secured Linux product, which is a security suite add-on for Linux that comes with an easy-to-use GUI. That will set up modsecurity for you, and a whole lot more. You can read about it here:

https://www.atomicorp.com/products.html

And you can try it for free for 30 days! To access the trial just go to this page:

https://www.atomicorp.com/products/aslfreetrial.html

Re: Mod Security Rule Check

Posted: Wed Nov 16, 2011 7:14 pm
by nootkan
Actually I've read through that link also and liked what I read. However, I already have the config server package installed on my server and just need to upgrade the mod security to 2.6 as per the instructions to use asl lite. I had a look at easy apache but it doesn't look like 2.6 is an option. Was wondering if you provided a service that would upgrade my version of mod security and install the asl lite rules. If not, I will keep plodding along and learn the good ole fashioned way (hard way).

I most definitely will be using your firewall product on my next server lease when I decide to move my website over to it, to separate it from my clients. Something I am thinking of doing in the new year.

I am just learning how to do the server management role part time as I have a day job (truck driver) that takes up a lot of my time. I got started in hosting when my website started using too much CPU with a shared host, so I leased a dedicated server from Server Beach and all of my friends suddenly wanted me to host their sites as they seem to trust me explicitly (a good thing I guess). Now word of mouth seems to be my best friend as my client list is growing, but I am a long way from being a responsible web host manager (a lot to learn).

Again, thanks for taking time to help me, and rest assured I will definitely use your product in the near future. Especially when the support is a class act like I've seen so far in this forum while reading as many threads as I can absorb.

Long winded...I'm sorry.

Re: Mod Security Rule Check

Posted: Wed Nov 16, 2011 7:19 pm
by nootkan
"Keep in mind you are only inspecting POST ARGS so only a POST will trigger this rule."
Just actually picked up on this statement of yours. Does this mean that the rule won't look for subject text in email messages? Is this more geared towards blogs and forums?