Atomic Secure Linux


All times are UTC - 5 hours [ DST ]




 Post subject: Mod Security Rule Check
Posted: Tue Nov 15, 2011 8:03 pm
Forum User

Joined: Tue Nov 15, 2011 7:16 pm
Posts: 11
Location: Vancouver BC Canada
Looked through a lot of posts in this forum and learned a few things I didn't know before. :D

Not sure if this is the appropriate thread for my question but here it goes: I have a rule created for me by a third party that states:
Quote:
# post content phrase match - catch pills, pron etc
SecRule ARGS_POST "@pmFromFile /home/mydomain/public_html/modsecurity/blacklist-post-content.txt" \
"phase:2, log,deny,status:406,t:none, t:compressWhiteSpace, t:replaceNulls, t:urlDecode, t:lowercase, msg:'POST: blacklisted post content. '"

I've created the spam list, named it blacklist-post-content.txt and uploaded to my domain. It doesn't seem to be working however as I never see any logs in WHM/Plugins/Mod Security logs. Is there another way to do this? I tried to click on the spam links in the delayed free individual rulesets on the home page but they seem to be broken. Thanks in advance.


 Post subject: Re: Mod Security Rule Check
Posted: Tue Nov 15, 2011 11:11 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3599
Location: Chantilly, VA
Where did you add this rule, to the apache config?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Mod Security Rule Check
Posted: Wed Nov 16, 2011 12:47 am
Forum User
No, I added it to the WHM/Plugins/Mod Security/Edit Config. See screenshot. I whited out the domain/ip details.


Attachments:
ScreenHunter_03-Nov.-15-20.32.png [ 24.26 KiB ]

 Post subject: Re: Mod Security Rule Check
Posted: Wed Nov 16, 2011 1:02 pm
Atomicorp Staff - Site Admin
How are you testing that rule? Keep in mind you are only inspecting POST ARGS so only a POST will trigger this rule.

Also, check to make sure you have modsecurity configured to inspect the body. Out of the box, cPanel has a pretty minimal configuration that won't inspect the body of a post.

https://www.atomicorp.com/wiki/index.ph ... _using_ASL

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
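
Added example, not part of the thread or of Atomicorp's documentation: the setup the reply above points at, with the body-inspection setting that leaves ARGS_POST empty shown beside the corrected one. The rule and file path are the ones quoted in the first post; the hostname, form path and field name in the test comment are placeholders.

```apache
<IfModule mod_security2.c>
    # The engine must be enforcing. With DetectionOnly the rule would log
    # a match but the deny/status:406 action would not be carried out.
    SecRuleEngine On

    # Weak setting (the "minimal configuration" case described above):
    # with body access off, ModSecurity never reads the POST body, so
    # ARGS_POST is empty and the rule below has nothing to match against.
    # SecRequestBodyAccess Off

    # Corrected setting: buffer and parse the request body so that form
    # fields are available in ARGS_POST to phase:2 rules.
    SecRequestBodyAccess On

    # The rule from the first post, unchanged apart from whitespace.
    # Caveat: this list lives inside the web root (public_html), so
    # visitors can download it unless access to that file is denied.
    SecRule ARGS_POST "@pmFromFile /home/mydomain/public_html/modsecurity/blacklist-post-content.txt" \
        "phase:2,log,deny,status:406,t:none,t:compressWhiteSpace,t:replaceNulls,t:urlDecode,t:lowercase,msg:'POST: blacklisted post content. '"
</IfModule>

# Check after restarting Apache (placeholders: host, path, field name):
#   curl -i -d 'comment=PHRASE-FROM-YOUR-LIST' http://www.example.com/form.php
# Expected: "406 Not Acceptable" and a log entry carrying the msg text above.
#
# The same phrase sent in a GET query string (?comment=...) lands in
# ARGS_GET, not ARGS_POST, so this rule lets it through without logging.
```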


 Post subject: Re: Mod Security Rule Check
Posted: Wed Nov 16, 2011 5:08 pm
Forum User
I was testing it by reading my mod security logs after seeing multiple spam messages in my Mailwatch/Mailscanner program with the subject text I've blacklisted. There were no logs so I assumed it wasn't working.

Thanks for the link; I've seen it before in my browsing and it was a bit confusing. As you probably have guessed by now, this is all new for me and I'm trying to learn as much as I can, but my Linux commands (I have a cheat sheet) are very poor.

Before I found this forum, I had visited your parent company website and sent an email using the contact form asking if you provided a service that does the mod security upgrade (2.6) and install for asl for me but never heard back from anyone. I am still interested if such a service exists.

The support I see you providing on this forum is great, and I see newbies like myself have a chance to learn something instead of being chastised or labelled like at so many other places I have tried before.

Awesome job!


 Post subject: Re: Mod Security Rule Check
Posted: Wed Nov 16, 2011 6:38 pm
Atomicorp Staff - Site Admin
We do offer modsecurity support in a number of ways. The easiest option is to use our Atomic Secured Linux product, which is a security suite add-on for Linux that comes with an easy-to-use GUI. That will set up modsecurity for you, and a whole lot more. You can read about it here:

https://www.atomicorp.com/products.html

And you can try it for free for 30 days! To access the trial just go to this page:

https://www.atomicorp.com/products/aslfreetrial.html

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Mod Security Rule Check
Posted: Wed Nov 16, 2011 7:14 pm
Forum User
Actually I've read through that link also and liked what I read. However, I already have the config server package installed on my server and just need to upgrade the mod security to 2.6 as per the instructions to use asl lite. I had a look at easy apache but it doesn't look like 2.6 is an option. Was wondering if you provided a service that would upgrade my version of mod security and install the asl lite rules. If not, I will keep plodding along and learn the good ole fashioned way (hard way).

I most definitely will be using your firewall product on my next server lease when I decide to move my website over to it, to separate it from my clients. Something I am thinking of doing in the new year.

I am just learning how to do the server management role part time as I have a day job (truck driver) that takes up a lot of my time. I got started in hosting when my website started using too much CPU with a shared host, so I leased a dedicated server from Server Beach and all of my friends suddenly wanted me to host their sites as they seem to trust me explicitly (a good thing I guess). Now word of mouth seems to be my best friend as my client list is growing, but I am a long way from being a responsible web host manager (a lot to learn).

Again, thanks for taking time to help me, and rest assured I will definitely use your product in the near future. Especially when the support is a class act like I've seen so far in this forum while reading as many threads as I can absorb.

Long winded...I'm sorry.


 Post subject: Re: Mod Security Rule Check
Posted: Wed Nov 16, 2011 7:19 pm
Forum User
Quote:
Keep in mind you are only inspecting POST ARGS so only a POST will trigger this rule.

Just actually picked up on this statement of yours. Does this mean that the rule won't look for subject text in email messages? Is this more geared towards blogs and forums?

