Updating rules

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
chrismfz
Forum User
Posts: 7
Joined: Tue Sep 24, 2013 3:26 pm
Location: Greece

Updating rules

Unread post by chrismfz »

On a cPanel server I installed the delayed rules as instructed in the wiki, in

    /etc/httpd/conf/modsec_rules/

and I include them in modsec2.user.conf like this:

    Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
    Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
    Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
    Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
    Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
    Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
    Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
    Include /usr/local/apache/conf/modsec2.whitelist.conf

If I get a normal subscription for rules only is there a way/script/cron to auto-update the rules from your website?
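The post above asks for a scripted or cron-driven way to refresh the rule files. Whatever fetches the rules, the step that protects a production server is the check run before Apache is reloaded: every Include in modsec2.user.conf must resolve to a readable file, and Apache's own syntax test must pass, otherwise a half-written or missing rule file takes the web server down with the next reload. The script below is an added example written for this thread; it is not from the original post and not Atomicorp's tooling. It assumes absolute include paths as in the post, a POSIX sh, and an `apachectl` on PATH (override with the `APACHECTL` variable); the config and rule files in `demo()` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not Atomicorp's code): verify a
# ModSecurity user config before reloading Apache after a rule update.
# Assumes absolute include paths and "apachectl" on PATH ($APACHECTL overrides).

# Emit every Include target in the given config that is not a readable file.
# Only plain absolute paths are handled; a wildcard or ServerRoot-relative
# include is reported as missing if its literal text is not an existing file.
missing_includes() {
    sed -nE 's/^[[:space:]]*Include[[:space:]]+([^[:space:]#]+).*/\1/p' "$1" |
    while IFS= read -r target; do
        [ -r "$target" ] || printf '%s\n' "$target"
    done
}

# Succeed only when no Include target is missing; list the offenders on stderr.
check_includes() {
    missing=$(missing_includes "$1")
    if [ -n "$missing" ]; then
        printf 'missing include targets in %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    return 0
}

# Run the include check, then Apache's own config test, and only then reload.
# A failing check leaves the currently running configuration untouched.
safe_reload() {
    conf="$1"
    check_includes "$conf" || return 1
    "${APACHECTL:-apachectl}" -t || return 1
    "${APACHECTL:-apachectl}" graceful
}

# Self-contained demonstration on constructed files: one rule file that exists
# and one include that was deliberately never created. Prints the number of
# missing targets, which is 1.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/modsec_rules"
    printf 'SecRule ARGS "@rx test" "id:900001,phase:2,deny"\n' \
        > "$tmp/modsec_rules/10_asl_rules.conf"
    cat > "$tmp/modsec2.user.conf" <<EOF
# constructed sample modeled on the modsec2.user.conf quoted in the thread
Include $tmp/modsec_rules/10_asl_rules.conf
# the next file is intentionally absent and must be reported
Include $tmp/modsec_rules/99_asl_jitp.conf
EOF
    count=$(missing_includes "$tmp/modsec2.user.conf" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$count"
}

# Usage: sh check_modsec_includes.sh /usr/local/apache/conf/modsec2.user.conf
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    safe_reload "$1"
fi
```

A cron job that downloads new rule files would call `safe_reload` as its last step, so a failed or partial download is reported instead of being loaded; running `demo` shows the check catching the missing `99_asl_jitp.conf` in the constructed config.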
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Updating rules

Unread post by mikeshinn »

chrismfz wrote: If I get a normal subscription for rules only is there a way/script/cron to auto-update the rules from your website?
Thank you for the question. Yes, if you use ASL, ASL will automatically keep your rules up to date.
chrismfz
Forum User
Posts: 7
Joined: Tue Sep 24, 2013 3:26 pm
Location: Greece

Re: Updating rules

Unread post by chrismfz »

I really don't know (yet), but I would like to know.
I am now using cPanel on CloudLinux because of features I use heavily, like PHP Selector and CageFS.

Does ASL work with it without changing the kernel (and thus keep using LVE/CageFS/PHP Selector)?
That's why at first I was only wondering how I can get the rules (thinking that ASL + CL may not work together).

If this doesn't work, is there a way to get only the rules, automatically or only by hand? (If I am correct, I saw something somewhere related to asl-lite?)
Doing it manually is not a problem, I am just wondering if I can lower the workload.

Thanks for your help :)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Updating rules

Unread post by mikeshinn »

Thank you for your questions.
chrismfz wrote: Does ASL work with it without changing the kernel (and thus keep using LVE/CageFS/PHP Selector)?
Yes, ASL works just fine without changing the kernel.
chrismfz wrote: That's why at first I was only wondering how I can get the rules (thinking that ASL + CL may not work together).
ASL is fully supported with CloudLinux:

https://www.atomicorp.com/products/asl.html

https://www.atomicorp.com/wiki/index.ph ... support.3F
As of June 2013, we officially support:

* CentOS 5.9
* CentOS 6.4
* Red Hat Linux 5 and 6
* Scientific Linux 5 and 6
* CloudLinux 5 and 6
* Amazon EC2 (we support RHEL and CentOS in EC2; we do not support AMI and other customized distributions)
* Trixbox 2.8
chrismfz
Forum User
Posts: 7
Joined: Tue Sep 24, 2013 3:26 pm
Location: Greece

Re: Updating rules

Unread post by chrismfz »

Considering using ASL, I read this:
Provides Security to all Layers, from the Firewall to the Kernal
(by the way, is "kernal" a typo?)

Will ASL disable ConfigServer's CSF and LFD?

Because it's a very handy tool. Any script / user alert it sends is useful
(if it's a script that is sending spam, a false positive block, blocking of repeated modsec attacks and/or auth attacks, etc.)

I always read those emails and they are really helpful when troubleshooting something.

Does ASL have something similar (or even better, I assume), or can I keep CSF/LFD and CXS?

Thanks for your time :)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Updating rules

Unread post by mikeshinn »

Thank you for your questions.
chrismfz wrote: Will ASL disable ConfigServer's CSF and LFD?
ASL will not disable either of these. With that said, you do not need CSF or LFD with ASL. ASL does everything those scripts do and much more.
chrismfz wrote: Does ASL have something similar (or even better, I assume), or can I keep CSF/LFD and CXS?
Your assumption is correct; ASL has a more advanced set of capabilities than either of those scripts.

Here are just a few of the features of ASL:
* Advanced firewall system, with a full GUI to allow you to create complex and simple rules (and lots of other features, like geoblocking, portscan detection, etc.)
* DOS protection
* Malware upload protection systems, including real-time antimalware protection
* Our malware removal system, which removes malicious code in real time from your web pages (so if you come to us with a compromised system, that part of ASL can help clean up your compromised server)
* Intrusion Prevention System, which includes real-time host, log and kernel based intrusion prevention systems
* Self-healing vulnerability scanning (it will fix vulnerabilities in your system)
* Self-learning Role Based Access Control system
* Secure kernel that immunizes your system against entire classes of vulnerabilities
* Web Application Firewall and real-time rules, which also allow you to protect other HTTP servers, local or remote. It's your own professional-grade WAF.
* Our advanced ClamAV signatures
* Full correlation engine that can detect sophisticated attacks over multiple protocols/IPs/vulnerabilities/attacks, as well as detect suspicious behavior on your system and stop it (compromised account detection, for example, or correlating attacks with a known vulnerability on the system, etc.)
* Web based Security Event and Information Management system, which lets you view and manage all your security events and incidents, block attackers, and modify ASL behavior (such as whitelisting IPs, changing how ASL responds to certain events, alert management, etc.)

You get all of this in one integrated product with a single web based management interface, to make it easy for you to manage the security of your system.

But don't take my word for it, give ASL a try and see if it's right for you. You can use ASL for 30 days for free; if you don't like it, it doesn't cost you a cent to try ASL out.

https://www.atomicorp.com/amember/signu ... aysys=free
chrismfz wrote: Thanks for your time :)
You're welcome, and thank you again for your questions. Please don't hesitate to ask more if you have any!
chrismfz
Forum User
Posts: 7
Joined: Tue Sep 24, 2013 3:26 pm
Location: Greece

Re: Updating rules

Unread post by chrismfz »

mikeshinn wrote: You're welcome, and thank you again for your questions. Please don't hesitate to ask more if you have any!
I don't think I will regret that, but in case I do, is it uninstallable?

Because the best "test" environment to test it is, what else, an already-production cPanel server :)
(which is already a pain in the ass: multiple Joomla 1.5 installations, old CS-Cart 1.x, and I just found a bot trying to connect to DALnet, a botnet I assume, mailers, etc.)

But in case something goes wrong I don't want to break a production system.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Updating rules

Unread post by mikeshinn »

chrismfz wrote: I don't think I will regret that, but in case I do, is it uninstallable?
Yes, please see this FAQ:

https://www.atomicorp.com/wiki/index.ph ... all_ASL.3F