Mod Security Rule Check

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
nootkan
Forum User
Posts: 11
Joined: Tue Nov 15, 2011 7:16 pm
Location: Vancouver BC Canada

Mod Security Rule Check

Unread post by nootkan »

Looked through a lot of posts in this forum and learned a few things I didn't know before. :D

Not sure if this is the appropriate thread for my question but here it goes: I have a rule created for me by a third party that states:

# post content phrase match - catch pills, pron etc
SecRule ARGS_POST "@pmFromFile /home/mydomain/public_html/modsecurity/blacklist-post-content.txt" \
"phase:2, log,deny,status:406,t:none, t:compressWhiteSpace, t:replaceNulls, t:urlDecode, t:lowercase, msg:'POST: blacklisted post content. '"

I've created the spam list, named it blacklist-post-content.txt and uploaded to my domain. It doesn't seem to be working however as I never see any logs in WHM/Plugins/Mod Security logs. Is there another way to do this? I tried to click on the spam links in the delayed free individual rulesets on the home page but they seem to be broken. Thanks in advance.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Mod Security Rule Check

Unread post by mikeshinn »

Where did you add this rule, to the apache config?
nootkan

Re: Mod Security Rule Check

Unread post by nootkan »

No, I added it to the WHM/Plugins/Mod Security/Edit Config. See screenshot. I whited out the domain/ip details.
Attachment: ScreenHunter_03-Nov.-15-20.32.png (24.26 KiB)
mikeshinn

Re: Mod Security Rule Check

Unread post by mikeshinn »

How are you testing that rule? Keep in mind you are only inspecting POST ARGS so only a POST will trigger this rule.

Also, check to make sure you have modsecurity configured to inspect the body. Out of the box cPanel has a pretty minimal configuration that won't inspect the body of a post.

https://www.atomicorp.com/wiki/index.ph ... _using_ASL
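
Added example (not part of the thread and not Atomicorp's own configuration): a minimal ModSecurity fragment for the two checks in the post above, request body inspection enabled and the rule exercised with a POST. The phrase-file path is the one quoted in the first post; the host name, the form field `comment` and the test phrase are placeholders.

```apache
# Added example, not from the thread.

# The engine has to be enforcing for "deny,status:406" to take effect.
# With "DetectionOnly" the rule would log but not block; with "Off" it never runs.
SecRuleEngine On

# Weak setting found in minimal configurations:
#   SecRequestBodyAccess Off
# With body access off, ModSecurity does not buffer or parse the request body,
# so ARGS_POST is empty and the phrase match below can never fire.
SecRequestBodyAccess On

# Write an audit log entry for transactions that trigger a rule.
SecAuditEngine RelevantOnly

# The rule from the first post, unchanged. It runs in phase 2 (request body),
# which is the earliest phase in which ARGS_POST is populated.
# Note: ModSecurity 2.7 and later refuse to load a rule without an "id" action;
# on those versions add one from your local range (placeholder: id:100001).
SecRule ARGS_POST "@pmFromFile /home/mydomain/public_html/modsecurity/blacklist-post-content.txt" \
    "phase:2,log,deny,status:406,t:none,t:compressWhiteSpace,t:replaceNulls,t:urlDecode,t:lowercase,msg:'POST: blacklisted post content.'"

# Verifying from a shell after reloading Apache (constructed requests;
# example.com, "comment" and "blacklisted-phrase" are placeholders, the
# phrase standing for one line of the phrase file):
#
#   curl -i -d 'comment=blacklisted-phrase' http://example.com/
#       form-encoded POST body -> expect "HTTP/1.1 406" and a log entry
#
#   curl -i 'http://example.com/?comment=blacklisted-phrase'
#       same value in the query string of a GET -> not matched, because
#       query-string arguments are not part of ARGS_POST
```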
nootkan

Re: Mod Security Rule Check

Unread post by nootkan »

I was testing it by reading my mod security logs after seeing multiple spam messages in my Mailwatch/Mailscanner program with the subject text I've blacklisted. There were no logs so I assumed it wasn't working.

Thanks for the link, I've seen it before in my browsing and it was a bit confusing. As you probably have guessed by now, this is all new for me and I'm trying to learn as much as I can but my Linux commands (I have a cheat sheet) are very poor.

Before I found this forum, I had visited your parent company website and sent an email using the contact form asking if you provided a service that does the mod security upgrade (2.6) and install for asl for me but never heard back from anyone. I am still interested if such a service exists.

The support I see you providing on this forum is great and I see newbies like myself have a chance to learn something instead of being chastised or labelled like at so many other places I have tried before.

Awesome job!
mikeshinn

Re: Mod Security Rule Check

Unread post by mikeshinn »

We do offer modsecurity support in a number of ways. The easiest option is to use our Atomic Secured Linux product which is a security suite add-on for Linux that comes with an easy to use GUI. That will set up modsecurity for you, and a whole lot more. You can read about it here:

https://www.atomicorp.com/products.html

And you can try it for free for 30 days! To access the trial just go to this page:

https://www.atomicorp.com/products/aslfreetrial.html
nootkan

Re: Mod Security Rule Check

Unread post by nootkan »

Actually I've read through that link also and liked what I read. However, I already have the config server package installed on my server and just need to upgrade the mod security to 2.6 as per the instructions to use asl lite. I had a look at easy apache but it doesn't look like 2.6 is an option. Was wondering if you provided a service that would upgrade my version of mod security and install the asl lite rules. If not, I will keep plodding along and learn the good ole fashioned way (hard way).

I most definitely will be using your firewall product on my next server lease when I decide to move my website over to it, to separate it from my clients. Something I am thinking of doing in the new year.

I am just learning how to do the server management role part time as I have a day job (truck driver) that takes up a lot of my time. I got started in hosting when my website started using too much CPU with a shared host so I leased a dedicated server from Server Beach and all of my friends suddenly wanted me to host their sites as they seem to trust me explicitly (a good thing I guess). Now word of mouth seems to be my best friend as my client list is growing, but I am a long way from being a responsible web host manager (a lot to learn).

Again thanks for taking time to help me and rest assured I will definitely use your product in the near future. Especially when the support is a class act like I've seen so far in this forum while reading as many threads as I can absorb.

Long winded...I'm sorry.
nootkan

Re: Mod Security Rule Check

Unread post by nootkan »

mikeshinn wrote: Keep in mind you are only inspecting POST ARGS so only a POST will trigger this rule.

Just actually picked up on this statement of yours. Does this mean that the rule won't look for subject text in email messages? Is this more geared towards blogs and forums?