Atomic Secure Linux

All times are UTC - 5 hours [ DST ]

[ 5 posts ]
Post subject: Plesk Clients and ASL GUI
Posted: Fri Apr 23, 2010 3:46 pm
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 673
This might be a very tall order, but here it goes.

I have a client with a forum where the participants talk about things that often challenge the ASL rules. This often produces a false positive. As a result they contact me and I contact Atomic Support. Then I get to chase down the false positive (most often using that tool of tools, grep) and paste it into an email (since it's long since fallen off the GUI). He's frustrated and I don't have time to run through his logs looking for false positives all the time. Worst of all, he wants modsec turned off because of that frustration. I don't blame him, but at the same time I want my server to be secure. I might just shut off anti-spam rules for that domain, but that's less than optimal for both him and his users, who will see an immediate jump in spam and XSS attacks. I see all the value of ASL but he really can't.

What would be superb is for my client to see exactly what ASL is doing for him. A mini-GUI, basically. I could give him a login (or maybe tie it to his Plesk login?) and he could see ASL events related to his domains. If he had a false positive he could report it to me directly and I could then, with one click, turn around and report it to you guys.

Win for him because now he sees all the crap ASL is blocking and can do something constructive about FP reports.
Win for me because I can simply see there's a FP for me to approve and I don't have to chase anything down.
Win for ASL because reporting just got a lot easier.

_________________
"Its not a mac. I run linux... I'm actually cool." - scott


Post subject: Re: Plesk Clients and ASL GUI
Posted: Sat Apr 24, 2010 8:33 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2113
Well, you could set up a monitor thing that would extract anything involving his domain from the logs and email them to him every night. Alternatively, you could do the same thing and stick them into a directory on his website with a simple gui on top with a button that allows him to email you the false positives. Probably a day's work to get done and debugged?

The alternative I'd go for, however, would be to ask him to improve the security on his forum. Specifically, for him to manually approve everybody who joins (and to ask some non-trivial questions during sign-up -- this will help weed out at least 75% of the spammers and script kiddies), and ideally to moderate new posts from said new members for a few days. You could then disable certain rules without significant risk to security.

Depending on the forum, you could alternatively or additionally block access to it from certain countries. Seriously -- the number of mod_sec alerts we get is almost insignificant since we started blocking the "usual suspects".

You are welcome to try our mod_sec DNSBL for a week or so to see how well it works (or does not). I'd be happy to customise which countries it blocks for you too. If it works well then you might consider setting up your own - it is not hard to get set up, but does need a dedicated IP to run the dnsbl on, at least in my implementation.

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>

 
Post subject: Re: Plesk Clients and ASL GUI
Posted: Sun Apr 25, 2010 5:23 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3679
Location: Chantilly, VA
Quote:
What would be superb is for my client to see exactly what ASL is doing for him. A mini-GUI, basically. I could give him a login (or maybe tie it to his Plesk login?) and he could see ASL events related to his domains. If he had a false positive he could report it to me directly and I could then, with one click, turn around and report it to you guys.


Neat idea. We'll look into the dependencies. This would require some pretty tight integration with the control panel to figure out what users have access to which domains. Much to think about...

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

 
Post subject: Re: Plesk Clients and ASL GUI
Posted: Fri Apr 01, 2011 2:16 pm
Forum User

Joined: Mon Jan 15, 2007 2:03 am
Posts: 45
+1 on this feature request. Basically it would be nice to have an email alert sent to the domain administrator as well as a GUI for the client/domain to add a false positive to the list.

Another useful feature for the GUI in general would be the ability to add ignore rules to vhost.conf so the rule can be ignored for the time being until it is processed as a false positive.

 
Post subject: Re: Plesk Clients and ASL GUI
Posted: Fri Apr 22, 2011 11:41 am
Forum Regular

Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
mod_sec messages are already placed in the error log; if they see an error on their page or get one reported, they could pretty easily go look up the alert ID and send it in.

Personally I'm not a fan of allowing users to say something was good, because typically users are stupid and don't understand what an attack is or why something was blocked (and supposed to be). Especially if someone is trying to be bad, marks something like a known XSS or app vulnerability as a false positive, and then, since it's ignored, succeeds in an attack since it's no longer being blocked.

I can see a benefit for this in specific instances - maybe instead of a global inclusion system you can select specific users to have access to this instead, and then it may be of more value - but then it will have a much smaller user impact since a lot of hosts won't use it or may have only 1 user that will see it.

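Faris's suggestion of a nightly job that pulls everything involving one domain out of the logs, and the last post's point that the mod_sec error-log line already carries the alert ID the client needs to report, both come down to the same parsing step. The script below is an added example written for this thread, not code from Atomicorp, ASL or any poster. It parses lines in the ModSecurity 2.x Apache error-log format, keeps only the events whose `[hostname "..."]` tag exactly matches the client's domain, and builds a per-domain report listing rule ID, message, URI, client address and whether the request was actually blocked. The sample log lines, rule IDs (900001-900003), hostnames, client addresses and the rule file path are all constructed placeholders; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout.
# Rule ids, hostnames, client IPs, unique_ids and the rule file name are made up.
SAMPLE_ERROR_LOG = """\
[Fri Apr 23 15:46:12 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<script)" at ARGS:message. [file "/etc/httpd/modsecurity.d/EXAMPLE_rules.conf"] [line "12"] [id "900001"] [msg "Example WAF Rules: XSS attempt"] [severity "CRITICAL"] [hostname "forum.example.com"] [uri "/posting.php"] [unique_id "abc123"]
[Fri Apr 23 15:47:01 2010] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "viagra" at ARGS:message. [file "/etc/httpd/modsecurity.d/EXAMPLE_rules.conf"] [line "40"] [id "900002"] [msg "Example WAF Rules: spam keyword"] [severity "WARNING"] [hostname "forum.example.com"] [uri "/posting.php"] [unique_id "def456"]
[Fri Apr 23 15:48:30 2010] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:id. [file "/etc/httpd/modsecurity.d/EXAMPLE_rules.conf"] [line "77"] [id "900003"] [msg "Example WAF Rules: SQL injection"] [severity "CRITICAL"] [hostname "shop.example.org"] [uri "/product.php"] [unique_id "ghi789"]
[Fri Apr 23 15:49:00 2010] [error] [client 203.0.113.9] File does not exist: /var/www/vhosts/forum.example.com/httpdocs/favicon.ico
"""

# ModSecurity writes its metadata as [name "value"] tags; values may contain escaped quotes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
ACTION_RE = re.compile(r'ModSecurity: (Access denied with code \d+|Warning)')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
TIMESTAMP_RE = re.compile(r'^\[([^\]]+)\]')


def parse_modsec_line(line):
    """Return a dict for a ModSecurity event line, or None for any other error-log line."""
    action = ACTION_RE.search(line)
    if not action:
        return None  # ordinary Apache errors (404s, PHP notices, ...) are skipped
    tags = dict(TAG_RE.findall(line))
    client = CLIENT_RE.search(line)
    stamp = TIMESTAMP_RE.match(line)
    return {
        "time": stamp.group(1) if stamp else "",
        "client": client.group(1) if client else "",
        # "Warning" means the rule matched but the request was let through
        "blocked": action.group(1).startswith("Access denied"),
        "id": tags.get("id", ""),
        "msg": tags.get("msg", ""),
        "hostname": tags.get("hostname", ""),
        "uri": tags.get("uri", ""),
        "unique_id": tags.get("unique_id", ""),
    }


def events_for_domain(log_text, domain):
    """All ModSecurity events whose hostname tag is exactly `domain`.

    Matching the parsed tag rather than grepping the raw line avoids picking up
    other vhosts whose paths or referers merely mention the domain.
    """
    events = []
    for line in log_text.splitlines():
        event = parse_modsec_line(line)
        if event and event["hostname"] == domain:
            events.append(event)
    return events


def summarize(events):
    """Count events per (rule id, message) so repeated triggers stand out."""
    return Counter((e["id"], e["msg"]) for e in events)


def format_report(domain, events):
    """Plain-text report suitable for a nightly email to the domain owner."""
    lines = [f"ModSecurity events for {domain}: {len(events)} total", ""]
    for (rule_id, msg), count in summarize(events).most_common():
        lines.append(f"rule {rule_id} x{count}: {msg}")
    lines.append("")
    for e in events:
        state = "BLOCKED" if e["blocked"] else "logged "
        lines.append(f"{e['time']} {state} id={e['id']} uri={e['uri']} "
                     f"client={e['client']} unique_id={e['unique_id']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report("forum.example.com",
                        events_for_domain(SAMPLE_ERROR_LOG, "forum.example.com")))
```

In a real deployment the `SAMPLE_ERROR_LOG` string would be replaced by reading the vhost's error log, and the report would be mailed or dropped into a directory the client can read, as Faris describes. The report deliberately gives the client the rule ID and `unique_id` to quote back to the administrator; deciding whether a hit is a false positive and adding any exclusion stays with the administrator, which is the concern raised in the last post.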