First installation modsecurity error!

Migdiradmin

Verified User
Joined
Jan 5, 2020
Messages
158
It's my first installation with DirectAdmin, after I configured this without problems.

VPS 3GB ram

php 7.4
mariadb10.4
nginx_apache (mod_ruid2 disabled)


I tried to install Comodo WAF & ModSecurity to protect the host.

cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset comodo
./build modsecurity (I stopped here, because it gave me an error)
./build modsecurity_rules
./build rewrite_confs



./build modsecurity
Code:
 Found DirectAdmin version v.1.59.5
which: no sudo in (/bin:/usr/bin:/usr/local/bin:/usr/sbin:/usr/local/sbin:/usr/local/apache/bin:/usr/local/apache/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
ERROR: Not found SUDO utility.\nSUDO required for plugin.\nPlease setup it manually, then rerun this installation.
Can't open /etc/cwaf/main.conf: No such file or directory.
Can't open /etc/cwaf/main.conf: No such file or directory.
./build: line 19630: /usr/local/cwaf/scripts/updater.pl: No such file or directory
Defaulting to Comodo WAF SecDefaultAction...
Installation of ModSecurity Rule Set has been finished.
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
 
I have some questions about these commands.

Code:
cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset comodo
./build modsecurity
./build modsecurity_rules
./build rewrite_confs


When I use these commands I have only Comodo rules, right?
What is the modsecurity_rules?
Which is best, Comodo rules or OWASP, for nginx_apache?
 
This forum (community) has low activity.

After searching and testing I have some answers.

When I use these commands I have only Comodo rules, right?
Yes

What is the modsecurity_rules?
??? I think it is the ModSecurity rules I have chosen (OWASP or Comodo)

Which is best, Comodo rules or OWASP, for nginx_apache?
After some tests I think OWASP is safer and faster, but has more false positives out of the box.
 
CSF doesn't ban the IP, and I use lf_modsec to ban, but nothing.

ModSecurity is working OK.

When I test
Code:
https://www.domain.com/?q="><script>alert(1)</script>
406 - error
Not Acceptable
An appropriate representation of the requested resource could not be found on this server.
 
Now CSF is working with OWASP, maybe some update from CSF or OWASP.


IP: xxxxxx
Failures: 5 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block [LF_MODSEC]

Log entries:

[Wed Jan 06 15:00:35.889112 2021] [:error] [pid 2147:tid 139674525648640] [client xxxxxxxx] [client xxxxxxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "xxxxxxx"] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "xxxxxx"] [uri "/"] [unique_id "X-XQk1VwIpFeV0RSZ@0qPwAAAX0"]
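
The following added example is not part of the thread and is not CSF's own code. It parses ModSecurity denial lines of the shape shown in the log entry above and counts them per client over a sliding window, using the 5 failures / 3600 seconds values from the alert; the function names, the window logic and the sample lines (documentation-range IPs, made-up times) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Denial line layout as in the log entry above; IPv4 clients only (assumption).
DENIAL = re.compile(
    r'^\[(?P<ts>[^\]]+)\] .*?\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] '
    r'.*?ModSecurity: Access denied with code (?P<code>\d+)'
    r'.*?\[id "(?P<id>\d+)"\] \[msg "(?P<msg>[^"]*)"\]')

def parse_denial(line):
    """Return (timestamp, ip, rule_id, msg) for a ModSecurity denial, else None."""
    m = DENIAL.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return ts, m["ip"], m["id"], m["msg"]

def ips_over_threshold(lines, limit=5, interval=3600):
    """Map each IP with `limit` denials inside `interval` seconds to its rule ids."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:  # lines are expected in log order, oldest first
        hit = parse_denial(line)
        if hit is None:
            continue  # not a ModSecurity denial
        ts, ip, rule_id, _ = hit
        window = recent[ip]
        window.append((ts, rule_id))
        while (ts - window[0][0]).total_seconds() > interval:
            window.popleft()  # drop hits older than the interval
        if len(window) >= limit and ip not in flagged:
            flagged[ip] = [rid for _, rid in window]
    return flagged

def sample_line(clock, ip, rule_id="920350"):
    """Build one constructed error_log line (not taken from a real server)."""
    return (f'[Wed Jan 06 {clock}.000000 2021] [:error] [pid 2147:tid 1] [client {ip}:40000] '
            f'[client {ip}] ModSecurity: Access denied with code 406 (phase 2). [line "735"] '
            f'[id "{rule_id}"] [msg "Host header is a numeric IP address"] [severity "WARNING"]')

SAMPLE = (
    [sample_line(f"15:0{i}:00", "203.0.113.7") for i in range(5)]      # 5 hits in 5 minutes
    + [sample_line(f"1{i}:00:00", "198.51.100.9") for i in range(5)]   # 5 hits, one per hour
    + ['[Wed Jan 06 15:09:00.000000 2021] [core:error] [pid 2147:tid 1] '
       '[client 203.0.113.7:40000] AH00126: Invalid URI in request'])  # not a denial

if __name__ == "__main__":
    for ip, rule_ids in ips_over_threshold(SAMPLE).items():
        print(ip, "reached the threshold; rule ids:", rule_ids)
```

Rule 920350 in the sample fires on any request whose Host header is a bare IP address, so the per-IP rule id list is worth reading before treating a count of five as hostile traffic.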
 
Found DirectAdmin version v.1.59.5
Your DA version is really old. You might upgrade.
This forum (community) has low activity.
It is just a community forum. You only have 96 posts yourself...
After searching and testing I have some answers.

When I use these commands I have only Comodo rules, right?
Yes

What is the modsecurity_rules?
??? I think it is the ModSecurity rules I have chosen (OWASP or Comodo)

Which is best, Comodo rules or OWASP, for nginx_apache?
After some tests I think OWASP is safer and faster, but has more false positives out of the box.

You have the ones you chose in the ./build set modsecurity_ruleset comodo command
What is the best
What works today might not work tomorrow.

CSF doesn't ban the IP, and I use lf_modsec
MODSEC_LOG =
Is this set correctly in csf?
You might look in
Code:
cat /var/log/httpd/error_log
or it might be here

You might work through all of this

  1. Enable mod_security. See the CustomBuild Faq for available rulesets and options.
 
I see in a double post you say it's working. Glad you got it going. Please try not to double post.
 