In order to use the AutoUpdater, you need to have ModSec rules installed and running on your server; this guide shows you how to install the rules for the first time.
To install ASL or GotRoot rules for the first time you will need to do the following:
1. Unpack the rules in /usr/local/apache/conf/modsec_rules; if the directory doesn't exist, create it.
After uploading the rules, search for the following rules and delete them:
rm -f 00_asl_rbl.conf
rm -f 00_asl_z_antievasion.conf
rm -f 05_asl_scanner.conf
rm -f 09_asl_rules.conf
rm -f 11_asl_data_loss.conf
rm -f 15_asl_paranoid_rules.conf
rm -f 40_asl_apache2-rules.conf
rm -f 70_asl_csrf_experimental.conf
rm -f 98_asl_jitp.conf
rm -f 99_asl_a_redactor.conf
rm -f 99_asl_redactor.conf
rm -f 99_asl_redactor_post.conf
rm -f 99_asl_scanner.conf
Modify the rule 00_asl_whitelist.conf as follows:
OLD: @pmFromFile /etc/asl/whitelist
NEW: @pmFromFile whitelist.txt
Before you continue, double check that the rules ARE directly in the directory /usr/local/apache/conf/modsec_rules and not in any subdirectory of it.
2. Create the following directories and chmod them accordingly:
mkdir /var/asl
mkdir /var/asl/data/
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious
chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*
You will never need to use these directories yourself, but they have to be present for the rules to work.
3. MAKE A BACKUP OF THIS FILE BEFORE YOU MODIFY IT!!
Modify the following file, /usr/local/apache/conf/modsec2.user.conf, so that it contains the following directives:
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 20621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyLimit 20621440
SecRequestBodyInMemoryLimit 2062144
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
# ADD THE FOLLOWING LINE ONLY IF YOU HAVE CXS INSTALLED!
# cxs web script scanning
# SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" "log,auditlog,deny,severity:2,id:'1010101'"
# ConfigServer ModSecurity whitelist file
Include /usr/local/apache/conf/modsec2.whitelist.conf
# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
4. Restart apache and check that there are no errors. If there are any errors, RESTORE the file modsec2.user.conf from your backup and restart apache again; that will bring you back to what you had before.
5. If apache restarted without errors, you are done.
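Steps 1 to 5 above, scripted, as an added example that is not part of the original guide. Every path is a function parameter so you can exercise the functions against a scratch directory before touching the live server; the defaults in run_install are the guide's own paths. The restart command is an assumption (the guide only says "restart apache"); set APACHE_RESTART to whatever your server uses. Note that write_user_conf overwrites modsec2.user.conf with exactly the directives from step 3, which is why it takes the backup first; if your file carries other directives you want to keep, merge them by hand.

```shell
#!/bin/bash
# Added example (not from the guide): steps 1 to 5 as shell functions.
set -u

# Rule files the guide says to delete after unpacking (list taken from step 1).
ASL_OBSOLETE_RULES="00_asl_rbl.conf 00_asl_z_antievasion.conf 05_asl_scanner.conf \
09_asl_rules.conf 11_asl_data_loss.conf 15_asl_paranoid_rules.conf \
40_asl_apache2-rules.conf 70_asl_csrf_experimental.conf 98_asl_jitp.conf \
99_asl_a_redactor.conf 99_asl_redactor.conf 99_asl_redactor_post.conf \
99_asl_scanner.conf"

# Assumed default restart command (guide only says "restart apache"); override
# with e.g. APACHE_RESTART=/scripts/restartsrv_httpd. Left unquoted on purpose
# so "apachectl restart" splits into command and argument.
APACHE_RESTART="${APACHE_RESTART:-apachectl restart}"

# Step 1: delete the listed rule files and repoint the whitelist rule.
# $1 = rules directory (guide: /usr/local/apache/conf/modsec_rules)
prepare_rules_dir() {
    rules_dir="$1"
    mkdir -p "$rules_dir"
    for f in $ASL_OBSOLETE_RULES; do
        rm -f "$rules_dir/$f"
    done
    wl="$rules_dir/00_asl_whitelist.conf"
    if [ -f "$wl" ]; then
        # OLD: @pmFromFile /etc/asl/whitelist   NEW: @pmFromFile whitelist.txt
        sed 's#@pmFromFile /etc/asl/whitelist#@pmFromFile whitelist.txt#' "$wl" > "$wl.tmp" \
            && mv "$wl.tmp" "$wl"
    fi
    # The guide's check: the *asl*.conf files must sit directly in this directory.
    ls "$rules_dir"/*asl*.conf >/dev/null 2>&1
}

# Step 2: data directories ModSecurity writes to. $1 = base dir (guide: /var/asl),
# $2 = web server user (guide: nobody). chown needs root and is skipped otherwise.
create_asl_dirs() {
    base="$1"; owner="${2:-nobody}"
    for d in msa audit suspicious; do
        mkdir -p "$base/data/$d"
        chown "$owner:$owner" "$base/data/$d" 2>/dev/null || true
        chmod -R o-rx "$base/data/$d"
        chmod -R ug+rwx "$base/data/$d"
    done
}

# Step 3: back up modsec2.user.conf, then write the guide's directives into it.
# $1 = config file, $2 = rules dir, $3 = ASL base dir, $4 = whitelist include file
write_user_conf() {
    conf="$1"; rules_dir="$2"; base="$3"; whitelist_conf="$4"
    if [ -f "$conf" ]; then cp -p "$conf" "$conf.bak"; fi
    cat > "$conf" <<EOF
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 20621440
SecServerSignature Apache
SecUploadDir $base/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyLimit 20621440
SecRequestBodyInMemoryLimit 2062144
SecDataDir $base/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir $base/data/audit
SecResponseBodyLimitAction ProcessPartial
# cxs web script scanning: uncomment only if CXS is installed
# SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" "log,auditlog,deny,severity:2,id:'1010101'"
# ConfigServer ModSecurity whitelist file
Include $whitelist_conf
# ASL/GOTROOT Rules
Include $rules_dir/*asl*.conf
EOF
}

# Step 4: restart Apache; if that fails, put the backup back and restart again.
# $1 = config file written by write_user_conf
restart_with_rollback() {
    conf="$1"
    if $APACHE_RESTART; then
        return 0
    fi
    echo "apache did not restart cleanly, restoring $conf from backup" >&2
    if [ -f "$conf.bak" ]; then cp -p "$conf.bak" "$conf"; fi
    $APACHE_RESTART || echo "rollback restart also failed, check the apache error log" >&2
    return 1
}

# Step 5: the real run, using the guide's paths. Only executes as "script.sh install".
run_install() {
    prepare_rules_dir /usr/local/apache/conf/modsec_rules \
        || { echo "no *asl*.conf found in the rules directory" >&2; return 1; }
    create_asl_dirs /var/asl nobody
    write_user_conf /usr/local/apache/conf/modsec2.user.conf \
        /usr/local/apache/conf/modsec_rules /var/asl \
        /usr/local/apache/conf/modsec2.whitelist.conf
    restart_with_rollback /usr/local/apache/conf/modsec2.user.conf \
        && echo "rules installed and apache restarted"
}
if [ "${1:-}" = "install" ]; then run_install; fi
```

Run it as root with `bash install_asl_rules.sh install` on the server. To rehearse first, source the file and call the functions with a scratch directory and `APACHE_RESTART=false`; you should see the backup copied back, which is the rollback the guide describes in step 4.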
6. After you have installed ModSecurity, I recommend that you install CMC from ConfigServer; it is a really nice plugin for WHM that lets you check in real time which rules are triggered by ModSecurity.
That's it. If everything went fine, you will have your new rules up and working. Once your modsec rules are installed you can start using the ModSec AutoUpdater. Enjoy.