Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

stylenone

Overview

...

The mod_security2

...

 Apache module provides the ModSecurity™ web application firewall for Apache.

Warning
titleWarnings:
  • This document only applies to systems that run EasyApache 4.
  • If your ruleset contains rule ID conflicts or syntactical errors, ModSecurity will fail and Apache will not start. For more information about how EasyApache handles issues with your ModSecurity rules, read the Compatibility section.

Usage

Use the mod_security2 Apache module to install the ModSecurity web application firewall. You can configure this module to protect your Apache web applications from various attacks. The ModSecurity web application firewall also provides additional tools to monitor your Apache web server.

Requirements

This module

...

possesses no additional requirements.

Anchor
Compatibility
Compatibility
Compatibility

Rule compatibility

Major versions of the  mod_security2  Apache module use different syntaxes for ModSecurity rules.

Warning
titleWarnings:
  • No conversion utility exists to rewrite rules between versions.
  • Minor versions of ModSecurity may also include syntactical changes that are incompatible with older rulesets.

For more information on the migration process from ModSecurity 1.x to ModSecurity 2.x, visit the following websites:

  • ModSecurity — This website includes ModSecurity 1.x to 2.x Migration Matrix documentation.
  • ModSecurity FAQ — This website includes directions for how to migrate rules from the ModSecurity 1.x format into the 2.x format.
  • The ModSecurity mailing list — This is the ModSecurity users' mailing list.

...

titleImportant:

...

An existing bug with ModSecurity2, the mod_ruid2, and mod_mpm_itk Apache modules causes some tracking functionality to not work properly with per-user MPMs. If your system uses either the mod_ruid2 or the mod_mpm_itk Apache modules and also uses Persistant Storage with the initcol, setuid, or setsid directives in the ModSecurity rules, Apache will fail to track that rule. Apache will also log errors to its error_log file. For example, the IP Reputation rule in the OWASP core ruleset may give this error. cPanel, Inc. cannot fix this bug, as this is a ModSecurity2 issue. For more information, read the ModSecurity bug report

Warning
titleWarnings:
  • No conversion utility exists to rewrite rules between versions.
  • Minor versions of ModSecurity may also include syntactical changes that are incompatible with older rulesets.

Anchor
InstallModSec
InstallModSec
How to install or uninstall mod_security2

To install the mod_security2 Apache module in EasyApache 4, run the following command on the command line:

Code Block
yum install ea-apache24-mod_security2
Warning
titleImportant:
  • After you install the mod_security2 Apache module, you must configure the application in WHM's ModSecurity™ Configuration interface (WHM >> Home >> Security Center >> ModSecurity™ Configuration).

 

  • To

...

Code Block
yum remove ea-apache24-mod_security2

...

titleImportant:

...

  • ensure the persistency of your selections, we strongly

...

  • recommend that you use a profile to install and uninstall the  mod_security2

...

Apache, mod_security2, and EasyApache

In the interface

The easiest way to install or uninstall the mod_security2 Apache module is to use WHM's EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4). 

On the command line

To install the mod_security2 Apache module in EasyApache 4, run the following command on the command line:

Code Block
yum install ea-apache24-mod_security2

To uninstall the mod_security2 Apache module in EasyApache 4, run the following command on the command line:  

Code Block
yum remove ea-apache24-mod_security2

Configuration

EasyApache 4 enables the mod_security2 Apache module for all virtual hosts by default, except for the default virtual host.

You can configure your ModSecurity installation in WHM's ModSecurity Configuration interface (WHM >> Home >> Security Center >> ModSecurity™ Configuration).

Configuration details

The section for the default virtual host in your /etc/apache2/conf/httpd.conf file contains the following directive:

Code Block
linenumberstrue
<IfModule mod_security2.c>
    SecRuleEngine Off
</IfModule>

By default,

...

the mod_security2

...

Apache module stores its log file in the /etc/apache2/logs/modsec_audit.log file. 

Warning
titleImportant:
  • EasyApache 4 adds information to the log files as the user. This action causes the system to use more disk space.
  • EasyApache 4 installs the mod_security2 Apache module with several include files.

Use the following file information to configure your ModSecurity firewall rules. 

cPanel & WHM

...

version 56 or earlier

  • When you install the mod_security2

...

  • Apache module, the installation places the following files into your /etc/apache2/conf.d directory:

    Code Block
    linenumberstrue
    modsec2.conf
    modsec2.cpanel.conf

    When the system loads, it uses the conf.d/*.conf glob file to pull the files into your configuration.

  • In EasyApache 4, the /etc/apache2/conf.d/modsec2.conf file contains the basic directives for the mod_security2 Apache module, and the following Include directives :

    Code Block
    linenumberstrue
    Include "/etc/apache2/conf.d/modsec2.user.conf"
    Include "/etc/apache2/conf.d/modsec2.cpanel.conf"


  • The /etc/apache2/conf.d/modsec2.user.conf file contains the ModSecurity firewall application rules that you define.

    Warning
    titleWarning:

    We strongly recommend that you do not use Include directives in the modsec2.user.conf file. When you convert to EasyApache 4, the system comments out any Include directives and you must manually verify the paths.


cPanel & WHM

...

version 58 or later

  • When you install the mod_security2 RPM, the installation places the following files into your /etc/apache2/conf.d/modsec/ directory:

    Code Block
    linenumberstrue
    modsec2.user.conf
    modsec2.cpanel.conf

    The installation places the following file into your /etc/apache2/conf.d/ directory:

    Code Block
    /etc/apache2/conf.d

 


  • When the system loads, it uses the
     conf.d/*.conf  glob file to pull the files into your configuration.

  • In EasyApache 4, the /etc/apache2/conf.d/modsec2.conf file contains the basic directives for the mod_security2 Apache module, and the following I nclude directives :

    Code Block
    linenumberstrue
    Include "/etc/apache2/conf.d/modsec/modsec2.user.conf"
    Include "/etc/apache2/conf.d/modsec/modsec2.cpanel.conf"

    The /etc/apache2/conf.d/modsec/modsec2.user.conf file contains the ModSecurity firewall application rules that you define.

    Warning
    titleWarning:

    We strongly recommend that you do not use Include directives in the modsec2.user.conf file. When you convert to EasyApache 4, the system comments out any Include directives and you must manually verify the paths.


ModSecurity utilities

ModSecurity SDBM

cPanel & WHM provides the ModSecurity SDBM utility to purge expired entries from the /var/cpanel/secdatadir/users/username/ip.pag cache file, where username represents the cPanel username. For more information, read

...

our ModSecurity SDBM Utility documentation.

ModSecurity Audit Log Collector (mlogc)

cPanel & WHM includes the ModSecurity Audit Log Collector (mlogc) with the ModSecurity installation. Mlogc implements remote logging of your ModSecurity audit logs. For more information, read the mlogc documentation

Vendor documentation

The following text is an excerpt from the ModSecurity website:

With over 70% of all attacks now carried out over the web application level, organizations need every help they can get in making their systems secure. Web application firewalls are deployed to establish an external security layer that increases security, detects, and prevents attacks before they reach web applications.

For more information on the mod_security2 Apache module, visit the ModSecurity for Apache website.

You can also install or uninstall mlogc in WHM's EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).

Additional documentation

Localtab Group


Localtab
activetrue
titleSuggested documentation

...

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("apache","ea4","apachemodule","modsecurity") and label = "whm" and space = currentSpace()


Localtab
titleFor cPanel users

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("apache","ea4","apachemodule","modsecurity") and label = "cpanel" and space =

...

currentSpace()


Localtab
titleFor WHM users

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("apache","ea4","apachemodule","modsecurity") and label = "whm" and space in ("

...

CKB",

...

currentSpace())


Localtab
titleFor developers

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("apache","ea4","apachemodule","modsecurity") and space = "

...

DD"