Tag: ModSecurity

  • cPanel Request body no files data length is larger than the configured limit

    On a WordPress website hosted on a cPanel server, when editing a page, I get a 404 error. On checking the ModSecurity logs, I found the following

    Message: Request body no files data length is larger than the configured limit (1048576).
    Message: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/serverok-session": Permission denied
    Apache-Error: [file "apache2_util.c"] [line 277] [level 3] [client 51.38.246.115] ModSecurity: Request body no files data length is larger than the configured limit (1048576). [hostname "serverok.in"] [uri "/wp-admin/admin-ajax.php"] [unique_id "ZHQozKnDG2AlaeRW-JY2IAAAAA8"]
    Apache-Error: [file "mod_proxy_fcgi.c"] [line 1011] [level 3] [status 70007] AH01075: Error dispatching request to : (polling)
    Apache-Error: [file "apache2_util.c"] [line 277] [level 3] [client 51.38.246.115] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/serverok-session": Permission denied [hostname "serverok.in"] [uri "/index.php"] [unique_id "ZHQozKnDG2AlaeRW-JY2IAAAAA8"]
    Apache-Handler: proxy:unix:/opt/cpanel/ea-php80/root/usr/var/run/php-fpm/7a4f759cc09e45f3b275cfba3a7c520dee7d7128.sock|fcgi://serverok.in
    Stopwatch: 1685334220711796 301144175 (- - -)
    Stopwatch2: 1685334220711796 301144175; combined=1973, p1=110, p2=1759, p3=0, p4=0, p5=69, sr=25, sw=35, l=0, gc=0
    Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/).
    Server: Apache
    WebApp-Info: "default" "14244c1b1b0e291067e05758571163ec" "-"
    Engine-Mode: "ENABLED"
    

    To fix the error, edit the file

    vi /etc/apache2/conf.d/modsec/modsec2.user.conf
    

    In the file, add

    SecRequestBodyNoFilesLimit 1548576
    

    Restart Apache

    systemctl restart httpd
    

    If the above did not work, you can try increasing the value of SecRequestBodyNoFilesLimit. When you change the value, don’t forget to restart the Apache web server.

  • How to disable a rule in ModSecurity Apache

    To disable a rule in ModSecurity, edit the Apache configuration and add

    SecRuleRemoveById RULE_IDS_SEPARATED_BY_SPACE

    This must be added after all rules have been loaded, because SecRuleRemoveById can only remove rules that are already defined.

    On Ubuntu, I edited the file

    /etc/apache2/mods-enabled/security2.conf

    Here is what I have on a server; it disables rules 941180, 949110 and 980130

    <IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf

        # Include OWASP ModSecurity CRS rules if installed
        IncludeOptional /usr/share/modsecurity-crs/*.load
        SecRuleRemoveById 941180 949110 980130
    </IfModule>

  • Nginx ModSecurity Not able to open file

    On an Nginx server, after updating Nginx and ModSecurity, I got the following error

    [root@localhost ~]# nginx -t
    nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity.conf. Line: 275. Column: 51. "/etc/nginx/coreruleset-3.3.2/rules/*.conf": Not able to open file. Looking at: '"/etc/nginx/coreruleset-3.3.2/rules/*.conf"', '"/etc/nginx/coreruleset-3.3.2/rules/*.conf"', '/etc/nginx/"/etc/nginx/coreruleset-3.3.2/rules/*.conf"', '/etc/nginx/"/etc/nginx/coreruleset-3.3.2/rules/*.conf"'. in /etc/nginx/conf.d/default.conf:5
    nginx: configuration file /etc/nginx/nginx.conf test failed
    [root@localhost ~]# 
    

    To fix the error, edit the file

    vi /etc/nginx/modsecurity.conf
    

    Find

    Include "/etc/nginx/coreruleset-3.3.2/rules/*.conf"
    

    Replace with

    Include /etc/nginx/coreruleset-3.3.2/rules/*.conf
    

    The quotes were being treated as part of the file name, as the “Looking at:” list in the error shows. Now restart Nginx and the configuration test will pass.

    systemctl restart nginx
    

  • Install Nginx ModSecurity on CentOS 7

    ModSecurity is a Web Application Firewall that protects your website from hacking attacks. It is Open Source and free to use. It can be used with webservers like Apache, Nginx, and IIS. To install ModSecurity with Nginx, we need to compile the ModSecurity Nginx module and activate it in the Nginx configuration file.

    Install the compilers and libraries needed for building the source code.

    yum groupinstall "Development Tools"
    

    Install the dependencies

    yum install bison curl curl-devel doxygen flex gcc-c++ git GeoIP-devel libxml2 libxml2-devel lmdb lmdb-devel lua lua-devel pcre-devel ssdeep ssdeep-devel yajl yajl-devel zlib-devel
    

    Download and install ModSecurity

    cd /usr/local/src/
    git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
    cd ModSecurity/
    git submodule init
    git submodule update
    ./build.sh
    ./configure
    make
    make install
    

    Clone ModSecurity-nginx repository. This contains Nginx ModSecurity module source code.

    cd /usr/local/src
    git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
    

    We need to download the source code for the Nginx version you are running. Check the Nginx version with the command

    [root@ok ~]# nginx -v
    nginx version: nginx/1.20.1
    [root@ok ~]#
    

    In this case it is Nginx 1.20.1. Go to http://nginx.org/en/download.html and download the source code for the Nginx version you are using.

    cd /usr/local/src
    wget http://nginx.org/download/nginx-1.20.1.tar.gz
    tar xvf nginx-1.20.1.tar.gz
    cd nginx-1.20.1
    

    Find out the configure command used to compile nginx.

    [root@ok ~]# nginx -V
    nginx version: nginx/1.20.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
    [root@ok ~]# 
    

    The configure arguments are on the last line. We need to use the same arguments when we compile the module from the Nginx source code, so that the module matches the running binary.

    Run

    cd /usr/local/src/nginx-1.20.1
    ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-dynamic-module=../ModSecurity-nginx
    

    In the above, we added --add-dynamic-module=../ModSecurity-nginx at the end of the configure command so that the ModSecurity Nginx module is built.
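
    The step above is easy to get wrong by hand because the argument list is long. The following added helper (not part of the original post) reads the `nginx -V` text and prints the matching ./configure command with the module flag appended; the `nginx -V` sample it ships with is constructed and shortened, and the `../ModSecurity-nginx` path is assumed to be the checkout from the earlier step.

```shell
#!/bin/sh
# Constructed sample of `nginx -V` output, shortened: a real binary lists many more --with-* flags.
sample_nginx_v() {
    cat <<'EOF'
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --with-compat --with-http_ssl_module --with-cc-opt='-O2 -g -pipe' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
EOF
}

# Read `nginx -V` text on stdin and print the version number (e.g. 1.20.1),
# which tells you which tarball to fetch from http://nginx.org/download/nginx-VERSION.tar.gz.
nginx_version() {
    sed -n 's#^nginx version: nginx/##p'
}

# Read `nginx -V` text on stdin and print the ./configure command that rebuilds
# the module with the running binary's exact arguments plus the ModSecurity connector.
# Returns 1 if no "configure arguments:" line is present.
build_configure_cmd() {
    module_dir="${1:-../ModSecurity-nginx}"   # assumed location of the ModSecurity-nginx checkout
    args=$(sed -n 's/^configure arguments: //p')
    if [ -z "$args" ]; then
        echo "error: no 'configure arguments:' line in input" >&2
        return 1
    fi
    # Without --with-compat, a module built with options that differ from the
    # running nginx is rejected as "not binary compatible", so flag it early.
    case "$args" in
        *--with-compat*) ;;
        *) echo "warning: --with-compat is absent; build options must match the running binary exactly" >&2 ;;
    esac
    printf './configure %s --add-dynamic-module=%s\n' "$args" "$module_dir"
}

# Real use, from inside the unpacked nginx source directory (nginx -V writes to stderr):
#   eval "$(nginx -V 2>&1 | build_configure_cmd)" && make modules
# Demo against the constructed sample:
sample_nginx_v | nginx_version
sample_nginx_v | build_configure_cmd
```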

    To build Nginx modules, run

    make modules
    

    Once the module is built, copy it to /etc/nginx/modules

    cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
    

    Copy ModSecurity configuration files

    cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity.conf
    cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/unicode.mapping
    

    Enable ModSecurity

    sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/nginx/modsecurity.conf
    

    To load the ModSecurity module, edit the file

    vi /etc/nginx/nginx.conf
    

    Find

    worker_processes  auto;
    

    Add the following line below it

    load_module modules/ngx_http_modsecurity_module.so;
    

    Edit your server config (virtual host entry), add

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity.conf;
    

    Install ModSecurity Rules

    You can download ModSecurity rules from

    https://coreruleset.org

    At the time of writing, the latest version is v3.3.2, so let’s download and install it.

    cd /usr/local/src
    wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.4.tar.gz
    tar xvf v3.3.4.tar.gz
    mv coreruleset-3.3.4 /etc/nginx
    cd /etc/nginx/coreruleset-3.3.4
    cp crs-setup.conf.example crs-setup.conf
    

    To activate the rules, edit the file

    vi /etc/nginx/modsecurity.conf
    

    At end of the file, add

    Include /etc/nginx/coreruleset-3.3.4/crs-setup.conf
    Include /etc/nginx/coreruleset-3.3.4/rules/*.conf
    SecRule ARGS:sec-test "@contains hacker" "id:1234,deny,status:403"
    

    Restart Nginx

    systemctl restart nginx
    

    To verify ModSecurity is working, access your website URL with

    curl -I http://YOUR-SERVER-IP-OR-DOMAIN/?sec-test=hacker
    

    You will see a 403 Forbidden response.

    boby@sok-01:~$ curl -I http://152.167.4.94?sec-test=hacker
    HTTP/1.1 403 Forbidden
    Server: nginx/1.20.1
    Date: Mon, 12 Jul 2021 18:24:36 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    
    boby@sok-01:~$ 
    

  • Enable ModSecurity in Cpanel Server

    Login to WHM. Go to ModSecurity™ Vendors.

    [Image: cPanel ModSecurity Vendors page]

    By default, cPanel comes with the “OWASP ModSecurity Core Rule Set V3.0” rule set. To enable it, click the “+ install” link on the right side.

    To add a third party rule set, click on “Add Vendor” button.

    To install the Comodo WAF rules, enter

    https://waf.comodo.com/doc/meta_comodo_apache.yaml
    

    Click “Load”; some fields will be filled in automatically. Scroll down and click the “Save” button.

    [Image: cPanel ModSecurity Add Vendor form]

    Now you have Comodo WAF rules enabled on your server.

    [Image: cPanel ModSecurity with Comodo WAF rules installed]

  • Disable ModSecurity for a specific URL

    On a web site protected with ModSecurity, when an admin edits HTML pages in the admin area, ModSecurity falsely detects it as an XSS attack.

    [Image: ModSecurity block page]

    One option is to disable the specific rules that create this false positive. But in this case the alerts are triggered because HTML is submitted, and this application does not need HTML to be submitted on any other part of the site. So it is better to disable ModSecurity only for the specific URLs that cause this error.

    To do this, add the following code to the Apache VirtualHost entry for this website.

    <If "%{REQUEST_URI} =~ m#/admin_area/manage_pages.php#">
        SecRuleEngine Off
    </If>
    
    <If "%{REQUEST_URI} =~ m#/admin_area/edit_announcement.php#">
        SecRuleEngine Off
    </If>

    This disables ModSecurity for the URLs /admin_area/manage_pages.php and /admin_area/edit_announcement.php.
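
    Before choosing between SecRuleRemoveById (the earlier post on disabling a rule) and a per-URL SecRuleEngine Off (this post), it helps to see which rule ids fire on which URIs. The following added helper (not part of the original posts) reads Apache error-log lines in ModSecurity 2.x format and tallies them; the log excerpt it ships with is constructed sample data, and the rule ids and URIs in it are taken from these posts.

```shell
#!/bin/sh
# Constructed Apache error-log excerpt in ModSecurity 2.x format (sample data, not real traffic).
sample_error_log() {
    cat <<'EOF'
[Tue Jun 06 10:00:01.000000 2023] [:error] [pid 101] [client 203.0.113.5] ModSecurity: Warning. Pattern match "<script" at ARGS:content. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941180"] [msg "Node-Validator Blacklist Keywords"] [hostname "example.test"] [uri "/admin_area/manage_pages.php"] [unique_id "AAA"]
[Tue Jun 06 10:00:01.000100 2023] [:error] [pid 101] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [hostname "example.test"] [uri "/admin_area/manage_pages.php"] [unique_id "AAA"]
[Tue Jun 06 10:00:01.000200 2023] [:error] [pid 101] [client 203.0.113.5] ModSecurity: Warning. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5)"] [hostname "example.test"] [uri "/admin_area/manage_pages.php"] [unique_id "AAA"]
[Tue Jun 06 10:06:00.000000 2023] [:error] [pid 103] [client 203.0.113.5] ModSecurity: Warning. Pattern match "<script" at ARGS:content. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941180"] [msg "Node-Validator Blacklist Keywords"] [hostname "example.test"] [uri "/admin_area/manage_pages.php"] [unique_id "CCC"]
[Tue Jun 06 10:09:00.000000 2023] [:error] [pid 104] [client 198.51.100.9] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941180"] [msg "Node-Validator Blacklist Keywords"] [hostname "example.test"] [uri "/index.php"] [unique_id "DDD"]
[Tue Jun 06 10:10:00.000000 2023] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.57 configured -- resuming normal operations
EOF
}

# Print "count id uri" for every ModSecurity event on stdin, sorted by id then uri.
# Lines without an [id "..."] and [uri "..."] pair (notices, other modules) are skipped.
modsec_rule_hits() {
    grep 'ModSecurity:' \
    | sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2/p' \
    | sort | uniq -c | sed 's/^ *//'
}

# Rule ids that fired on the given URI, space separated, i.e. the argument
# SecRuleRemoveById expects if you decide to disable them globally.
rule_ids_for_uri() {
    modsec_rule_hits | awk -v u="$1" '$3 == u {print $2}' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Rule ids that also fired on other URIs. Removing these globally would drop
# detections on the public site, which is when the per-URL SecRuleEngine Off is the better fix.
rule_ids_on_other_uris() {
    modsec_rule_hits | awk -v u="$1" '$3 != u {print $2}' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Real use:  rule_ids_for_uri /admin_area/manage_pages.php < /var/log/apache2/error.log
# Demo against the constructed sample:
sample_error_log | modsec_rule_hits
```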

  • Install ModSecurity on Debian

    To install ModSecurity on Debian/Ubuntu Apache web server, run

    apt-get install libapache2-mod-security2
    

    Restart Apache web server

    service apache2 restart
    

    Verify that mod_security is installed with

    apachectl -M | grep security
    

    To activate ModSecurity rules, run

    cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
    

    Edit

    vi /etc/modsecurity/modsecurity.conf
    

    Set

    SecRuleEngine On
    

    Get the latest rules

    mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bk
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
    

    Enable the config file

    cp /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
    

    Edit file

    vi /etc/apache2/mods-enabled/security2.conf
    

    Add

    IncludeOptional /usr/share/modsecurity-crs/*.conf
    IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
    

    Restart Apache

    service apache2 restart
    
  • ModSecurity Web Application Firewall

    ModSecurity is a Web Application Firewall. It protects sites from SQL injection and other application-level attacks.

    To install ModSecurity on Ubuntu/Debian with Apache, run

    apt install libapache2-mod-security2 -y

    Verify that the Apache module is installed with

    apachectl -M | grep security

    Enable the config file

    mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

    Update config

    sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /etc/modsecurity/modsecurity.conf
    sed -i "s/SecResponseBodyAccess On/SecResponseBodyAccess Off/" /etc/modsecurity/modsecurity.conf

    Restart Apache

    systemctl restart apache2