ModSecurity settings not working

crenet

Hi,

Initially I set owasp
cd /usr/local/directadmin/custombuild
./build set modsecurity yes
./build set modsecurity_ruleset owasp
./build modsecurity
./build apache
./build rewrite_confs

Then I changed it to Comodo

cd /usr/local/directadmin/custombuild
./build set modsecurity_ruleset comodo
./build modsecurity
./build modsecurity_rules
./build rewrite_confs

Is there something wrong here? Do I need to rebuild apache?

Then I followed this guide and I cannot get ModSecurity working.


Everything goes well till I create the /etc/httpd/conf/extra/httpd-custom-modsecurity.conf

After this the https goes down and does not restart anymore

As soon as I remove the
Include /etc/httpd/conf/extra/httpd-custom-modsecurity.conf
from /etc/httpd/conf/httpd.conf
Apache restarts

Does anybody know where I can find the https.conf file to remove the ssl:warn for the www.domain.com (default) virtual host?

UPDATE: OS Debian 9.3 does not have the /etc/modsecurity2 after this setup.
I thought this DA build will install the package....
Should I do any other steps or a different order ?

This is the apache error.log

[Mon Nov 25 17:02:22.264736 2019] [:notice] [pid 23195:tid 139645556480128] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[Mon Nov 25 17:02:22.264747 2019] [:notice] [pid 23195:tid 139645556480128] ModSecurity: APR compiled version="1.6.5"; loaded version="1.6.5"
[Mon Nov 25 17:02:22.264758 2019] [:notice] [pid 23195:tid 139645556480128] ModSecurity: PCRE compiled version="8.43 "; loaded version="8.43 2019-02-23"
[Mon Nov 25 17:02:22.264768 2019] [:notice] [pid 23195:tid 139645556480128] ModSecurity: LIBXML compiled version="2.9.9"
[Mon Nov 25 17:02:22.264777 2019] [:notice] [pid 23195:tid 139645556480128] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Mon Nov 25 17:02:23.707901 2019] [ssl:warn] [pid 23195:tid 139645556480128] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Mon Nov 25 17:02:23.708633 2019] [ssl:warn] [pid 23195:tid 139645556480128] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Nov 25 17:02:23.709006 2019] [lbmethod_heartbeat:notice] [pid 23195:tid 139645556480128] AH02282: No slotmem from mod_heartmonitor
[Mon Nov 25 17:02:23.748357 2019] [mpm_event:notice] [pid 23195:tid 139645556480128] AH00489: Apache/2.4.41 (Unix) OpenSSL/1.1.0l configured -- resuming normal operations
[Mon Nov 25 17:02:23.748467 2019] [core:notice] [pid 23195:tid 139645556480128] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Nov 25 17:15:05.306204 2019] [mpm_event:notice] [pid 23195:tid 139645556480128] AH00493: SIGUSR1 received. Doing graceful restart
[Mon Nov 25 17:15:08.211634 2019] [ssl:warn] [pid 23195:tid 139645556480128] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Mon Nov 25 17:15:08.214142 2019] [ssl:warn] [pid 23195:tid 139645556480128] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Nov 25 17:15:08.214670 2019] [lbmethod_heartbeat:notice] [pid 23195:tid 139645556480128] AH02282: No slotmem from mod_heartmonitor
[Mon Nov 25 17:15:08.215319 2019] [mpm_event:notice] [pid 23195:tid 139645556480128] AH00489: Apache/2.4.41 (Unix) OpenSSL/1.1.0l configured -- resuming normal operations
[Mon Nov 25 17:15:08.215378 2019] [core:notice] [pid 23195:tid 139645556480128] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Nov 25 17:20:53.007633 2019] [mpm_event:notice] [pid 23195:tid 139645556480128] AH00492: caught SIGWINCH, shutting down gracefully
 
UPDATE

I used part of this guide to install
sudo apt-get install libapache2-mod-security2
and
owasp-modsecurity-crs rules and conf in /etc/modsecurity2/

After installing owasp-modsecurity-crs rules and conf in /etc/modsecurity2/ https service seems to be working well.

I also have the Comodo plugin; does that interfere with the owasp-modsecurity rule set?
 
I see that /etc/apache2/mods-available/security2.conf has this:

Code:
<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf

        # Include OWASP ModSecurity CRS rules if installed
        IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load
</IfModule>

If the original /etc/apache2/mods-available/security2.conf uses
IncludeOptional /etc/modsecurity/*.conf
why do we need to add an extra Include /etc/modsecurity2/*.conf in /etc/httpd/conf/extra/httpd-custom-modsecurity.conf?
That way it seems that the module will load settings from /etc/modsecurity/*.conf and /etc/modsecurity2/*.conf.
Settings from /etc/modsecurity/*.conf are not updated, just /etc/modsecurity2/*.conf.
The default module config in /etc/apache2/mods-available/security2.conf says "Include all the *.conf files in /etc/modsecurity. Keeping your local configuration in that directory", so I do not understand this setup.

So should I change to IncludeOptional /etc/modsecurity2/*.conf to load the settings there, or move all OWASP rules to /usr/share/modsecurity-crs/owasp-crs.load and move the configuration files to /etc/modsecurity/?

I think it's better to keep it simple: all configuration files in /etc/modsecurity/*.conf, and the rules where /usr/share/modsecurity-crs/owasp-crs.load expects them, in /usr/share/modsecurity-crs/rules/*.conf

Any thoughts about this setup ?
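
Added example, not part of the original posts: Apache 2.4 handles the two directives compared above differently. Include aborts the configuration load when its path or wildcard matches no file, while IncludeOptional ignores a wildcard with no match. The shell function below lists both directives in one config file and flags the Include lines that have nothing to load; the function name check_includes and the default ServerRoot /etc/httpd are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report Include / IncludeOptional
# directives in one Apache config file and flag Include targets that are
# missing on disk. Paths containing spaces are not handled.

# check_includes CONF [SERVER_ROOT]   (function name is hypothetical)
# Prints "<status> <directive> <path>" for each directive found.
# Returns 1 if a mandatory Include matches no file, otherwise 0.
check_includes() {
    local conf="$1" root="${2:-/etc/httpd}" rc=0
    local directive path rest kind found f status
    while read -r directive path rest || [ -n "$directive" ]; do
        # Directive names are case-insensitive in Apache.
        kind=$(printf '%s' "$directive" | tr 'A-Z' 'a-z')
        case "$kind" in
            include|includeoptional) ;;
            *) continue ;;          # comments, blanks, other directives
        esac
        path=${path#\"}; path=${path%\"}
        # Relative paths are resolved against ServerRoot.
        case "$path" in
            /*) ;;
            *) path="$root/$path" ;;
        esac
        found=0
        for f in $path; do          # unquoted on purpose: expand wildcards
            if [ -e "$f" ]; then found=1; break; fi
        done
        if [ "$found" -eq 1 ]; then
            status=ok
        elif [ "$kind" = include ]; then
            status=FAIL; rc=1       # Apache refuses to start on this line
        else
            status=skipped          # IncludeOptional: no match is tolerated
        fi
        printf '%s %s %s\n' "$status" "$directive" "$path"
    done < "$conf"
    return "$rc"
}

# Example call with the file named in the thread:
#   check_includes /etc/httpd/conf/httpd.conf
```

The function reads only the file it is given and does not follow nested includes. On the server, /usr/sbin/httpd -t runs Apache's own syntax check over the whole configuration and names the failing file and line.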
 
/etc/apache2 is not used on DA systems at all. Apache should be managed using CustomBuild, not apt-get, including the mods/packages like libapache2-mod-security2 etc. It should be set in the options.conf and "./build modsecurity" run then. The CustomBuild plugin can also be used for this if you find the CLI confusing.
 
Hi Martynas,
In fact I had already run ./build modsecurity
So I think I made a mistake trying to fix my issue, which maybe is not an issue because DA already has Comodo.
I ran apt-get install libapache2-mod-security2; now, is there something that I should fix or remove?
 
Yes, it should be removed, as well as any other webserver related packages you installed using apt-get, as /etc/apache2 shouldn't even exist.
 
In fact I just have
/etc/apache2# ls
conf.d.cwaf-backup mods-available

/etc/apache2/mods-available# ls
security2.conf security2.load

So these commands will fix it
apt-get remove libapache2-mod-security2
or
apt-get purge libapache2-mod-security2
or
just remove the /etc/apache2 folder and all contents

Or will they change the DA apache setup?

Thanks
 
remove --purge can be used, and then remove /etc/apache2 altogether.
 