Hello. I'm using the GotRoot delayed modsecurity rules. I find that 00_asl_rbl.conf is being loaded, even though I do not have this specifically loaded in 00_mod_security.conf. Is 00_asl_rbl.conf supposed to be loaded by default when using the delayed rules? What is the best practice if I want to disable this? I commented out the unwanted xbl.spamhaus.org rule in 00_asl_rbl.conf for now, but not sure if this is the best way to handle it.
In the instructions at https://www.atomicorp.com/wiki/index.ph ... rity_Rules it says to add this line to enable all rules:
Include /full/path/to/your/rules/modsecurity.d/*asl*.conf
I did not add this line, but I notice this in the <IfModule mod_security2.c> section of this conf:
# Rule management is handled by ASL
Include modsecurity.d/*asl*.conf
Could this be loading modules I did not intend to load? Should this be commented out in a setup that uses the delayed rules?
I appreciate being able to use these rules at all. Any help with this will be appreciated.
Thanks,
Kirk
00_asl_rbl.conf loaded by default when using delayed rules?
Re: 00_asl_rbl.conf loaded by default when using delayed rul
Yes, basically that line will load all rules matching that regex that are in that directory. *IF* all your downloaded rules are in that directory then yes, everything matching will be loaded, including the rbl ruleset.
The simplest option is to remove that include line in the conf and then specifically load, by name, the rulesets you want. I don't know if this is the officially suggested method or not, but it should work.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: 00_asl_rbl.conf loaded by default when using delayed rul
"I don't know if this is the officially suggested method or not, but it should work."
It is:
https://www.atomicorp.com/wiki/index.ph ... _the_rules
"Then make sure you have this line at the bottom of 00_modsecurity.conf, if you want to load all the rules (please read the bottom of this wiki article for what each ruleset does, you may not want to load all the rules):
Include /full/path/to/your/rules/modsecurity.d/*asl*.conf
Or if you want to load some of the rules, make sure you specify only those rule files. For example:
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf"
https://www.atomicorp.com/wiki/index.ph ... m_rulesets
"The recommended minimum ruleset to load is:
Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf
Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf
Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf
Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf
Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf
If you have modsecurity 2.6.1 and up installed, you should also load additional rule files and should use this ruleset:
Include /full/path/to/your/rules/modsecurity.d/00_asl_z_antievasion.conf
Include /full/path/to/your/rules/modsecurity.d/09_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/11_asl_adv_rules.conf
Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf
Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf
Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf
Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf
Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf"
Michael Shinn
Atomicorp - Security For Everyone
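An added example, not part of the original thread or of Atomicorp's code: a small audit that expands the `Include` lines of a config the way Apache's shell-style wildcards would (approximated here with Python's `glob`) and reports any ruleset that loads without being on the intended list. The file tree, the `wanted` list and the relative `modsecurity.d/` paths are constructed for illustration.

```python
import glob
import os
import re
import tempfile

# Constructed sample: the stanza quoted in this thread.
WILDCARD_CONF = """<IfModule mod_security2.c>
Include modsecurity.d/modsecurity_crs_10_config.conf
# Rule management is handled by ASL
Include modsecurity.d/*asl*.conf
</IfModule>
"""
# Constructed alternative: the same stanza with rulesets named one by one.
EXPLICIT_CONF = """<IfModule mod_security2.c>
Include modsecurity.d/modsecurity_crs_10_config.conf
Include modsecurity.d/10_asl_rules.conf
Include modsecurity.d/99_asl_jitp.conf
</IfModule>
"""
# Constructed directory listing (empty files stand in for the rulesets).
RULE_FILES = ["modsecurity_crs_10_config.conf", "00_asl_rbl.conf",
              "10_asl_rules.conf", "99_asl_jitp.conf"]
INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.IGNORECASE)

def resolve_includes(conf_text, server_root):
    """Expand every active Include line; return loaded file names in order."""
    loaded = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if not m:
            continue  # comments, container tags, other directives
        pattern = m.group(1).strip('"')
        if not os.path.isabs(pattern):
            pattern = os.path.join(server_root, pattern)  # relative to ServerRoot
        loaded += [os.path.basename(p) for p in sorted(glob.glob(pattern))]
    return loaded

def audit(conf_text, wanted):
    """Return (loaded, unintended) for conf_text against a constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "modsecurity.d"))
        for name in RULE_FILES:
            open(os.path.join(root, "modsecurity.d", name), "w").close()
        loaded = resolve_includes(conf_text, root)
    return loaded, [f for f in loaded if f not in wanted]

if __name__ == "__main__":
    wanted = {"modsecurity_crs_10_config.conf", "10_asl_rules.conf", "99_asl_jitp.conf"}
    print(audit(WILDCARD_CONF, wanted))  # wildcard pulls in 00_asl_rbl.conf
    print(audit(EXPLICIT_CONF, wanted))  # nothing unintended
```

On a real server, point `resolve_includes` at the actual config text and ServerRoot; `httpd -t` still has to confirm the edited config parses.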
Re: 00_asl_rbl.conf loaded by default when using delayed rul
Thanks mikeshinn. But is what faris says true?
<IfModule mod_security2.c>
# This is the ModSecurity Core Rules Set.
# Basic configuration goes in here
Include modsecurity.d/modsecurity_crs_10_config.conf
# Rule management is handled by ASL
Include modsecurity.d/*asl*.conf
</IfModule>
If the line 'Include modsecurity.d/*asl*.conf' in the IfModule section of 00_mod_security.conf loads all the modules regardless, then I find the instructions confusing. The instructions talk about adding the *asl*.conf include to the bottom of 00_mod_security.conf which I assumed means outside of the IfModule section. If what faris says is correct, I think it would be clearer to mention in the instructions that this line needs to be removed from the IfModule section in delayed rule setups. Either way I am still not sure I have it right and would appreciate some clarification.
Thanks,
Kirk
Re: 00_asl_rbl.conf loaded by default when using delayed rul
Thanks I got it now. The first time I read your replies I missed something and sent a further inquiry which hasn't shown up, maybe the moderator can delete it? Now I see that both your replies are crystal clear. Just needed another cup of tea before my brain was fully working.
Thanks,
Kirk
Re: 00_asl_rbl.conf loaded by default when using delayed rul
I guess my confusion from the start was in thinking ANY of the includes were meant to go outside of the IfModule section.
If it takes a little effort to sort this out, it is still nothing compared to the effort it would take to get other mod security rule sets working without issue. Even with all the delayed rules added by mistake, RBL is the only one that has caused issues for us.