Atomic Basic Modsecurity Ruleset. Please Try Again Later

  • #1

Hi,

For some time we have been struggling with Atomic Secured Linux, which is a very comprehensive security package but seems to have multiple problems with cPanel and CloudLinux. As we face yet another issue, we are looking for alternatives.

What is the best Mod Security scenario? I know that the cPanel default rules are not enough. We have considered the paid Atomicorp rules, but after our experience with the whole Atomic Secured Linux product, we are also looking at alternatives.

Comodo offers a free ruleset that looks good from the description, however I have heard that their installer and updater plugin are very buggy and can cause issues with websites (unless that has been rectified).

So...what is the best option for Mod Security rules on a cPanel server? I know every situation is different...I'm talking about general web hosting or WordPress hosting.

Thanks!

cPanelMichael

  • #2

Hello :)

You can find some alternatives discussed on the following thread:

Mod_Security Rules

Thank you.

  • #3

Up until recently we have been quite happy with the Atomicorp ruleset. However, there are some issues with these rules and the 2.8 version of Modsecurity that installs with Easyapache (only partially resolved with the patched version of Modsecurity that cPanel included with EasyApache 3.24.21).

Atomicorp explicitly does not support Modsecurity version 2.8, recommending that cPanel users uninstall the EasyApache ModSecurity and use either ASL or their stand-alone AUM installer instead. Something we are not keen to do since it would probably mean no support from cPanel.

Given that neither cPanel nor Atomicorp show any great interest in ensuring that these rules work with cPanel, we are also looking for alternatives. Would be interesting to hear what others are doing.

  • #4

I don't want to derail the thread, but what issues are you still having with ModSecurity 2.8 after we patched it?

  • #6

I don't want to derail the thread, but what issues are you still having with ModSecurity 2.8 after we patched it?

The Atomicorp ruleset + the patched version of Modsec 2.8 will cause httpd to crash. This does not occur immediately, and it does not happen on a lightly loaded test server, only in production (presumably because the offending rule(s) does not get triggered with the light load on the test server).

On the production server we can run Atomicorps ruleset 201406131129 with no issues. We have not tried all rulesets released since then, but those we did try all caused the crash.

We have not been able to find anything of interest in the error logs. We did try disabling some of the rules we thought might be causing the problem, but without success. Unfortunately we cannot test more exhaustively to isolate the problem since it is customer impacting.

  • #7

The issue that was reported to us (or at least, how we interpreted it) was related to how IP addresses were handled. That issue should be fixed now. The thread linked was about the issues prior to the patch.

This sounds like a totally different issue, but obviously if there are issues then we want to address them. Do you know what the load and conditions were of your server when Apache crashed? We can artificially induce conditions to a test server, but we will need some more detail in order to reproduce the situation.

  • #8

The server is nowhere near a high load when httpd crashes, it just has real traffic including various spam and exploit attempts (we host mainly WordPress websites). Unfortunately I don't see a way to provide much more detail without updating the rules again and waiting for the crash to repeat itself. We are not keen to do that.

Presumably Atomicorp have plenty of test cases that could be used to determine where the problem is, but since they are explicitly not supporting ModSecurity 2.8 (quoting "multiple bugs" in that version) that does not really help any.

The issue could be with the Atomicorp ruleset rather than Modsecurity, of course. But since we cannot roll back to Modsec 2.7.7 - the version that Atomicorp does support - we don't have any way of finding out.

  • #9

BTW, it looks like Trustwave's rules are $495 a year now? Yikes!!!

Would love to hear if anyone has had good luck with the free Comodo set.

  • #10

I just downloaded the comodo rule set; it looks like they just took some rules from the CRS. All the rule IDs look like they are in the 200,000-299,999 range which is reserved for modsecurity.org:

200,000–299,999 Reserved for rules published at modsecurity.org. ( https://documentation.cpanel.net/display/EA/Apache+Module:+ModSecurity )

Even the headers in the files say:

Code:

# Comodo ModSecurity Rules
# Copyright (C) 2014 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------
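A check that can be run before loading several rule sets side by side, as an added example that is not part of the thread: it lists which rule IDs fall in the 200,000–299,999 range quoted above and which IDs are defined by more than one file (ModSecurity 2.7 and later refuse to load two rules with the same id). The file names and rules are constructed samples, and the parser only looks at the `id` action of `SecRule`/`SecAction` lines.

```python
import re
from collections import defaultdict
# Range quoted in the thread: reserved for rules published at modsecurity.org.
MODSECURITY_ORG_RANGE = range(200_000, 300_000)
ID_ACTION = re.compile(r"""\bid\s*:\s*['"]?(\d+)""")  # id:210001 or id:'210001'

# Constructed sample files (hypothetical names and rules, not from any vendor set).
SAMPLE = {
    "vendor_a.conf": '''
# constructed vendor file
SecRule REQUEST_URI "@streq /xmlrpc.php" \\
    "id:210001,phase:1,deny,status:403,msg:'constructed rule'"
SecRule ARGS "@rx select.+from" "id:'210002',phase:2,deny"
''',
    "local.conf": '''
SecAction "id:1001,phase:1,nolog,pass"
SecRule REQUEST_METHOD "@streq TRACE" "id:210002,phase:1,deny"
''',
}

def logical_lines(text):
    """Drop comment lines and join backslash-continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if buf + line:
            yield buf + line
        buf = ""

def rule_ids(text):
    """Return the numeric id of every SecRule/SecAction in one file's text."""
    found = (ID_ACTION.search(l) for l in logical_lines(text)
             if l.startswith(("SecRule", "SecAction")))
    return [int(m.group(1)) for m in found if m]

def audit(rulesets):
    """Map {file: text} to (ids inside the reserved range, ids defined twice)."""
    owners, in_range = defaultdict(list), {}
    for name, text in rulesets.items():
        ids = rule_ids(text)
        in_range[name] = sorted(i for i in ids if i in MODSECURITY_ORG_RANGE)
        for i in ids:
            owners[i].append(name)
    return in_range, {i: n for i, n in owners.items() if len(n) > 1}
```

Calling `audit(SAMPLE)` returns the per-file IDs inside the reserved range and a map of each duplicated ID to the files that define it.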

Source: https://forums.cpanel.net/threads/best-mod-security-rules.414912/
