GotROOT Mod_Security
Anybody using Got Root's mod_security rules? They seem very good and well worked out. There are lots of rules; how's the overhead if you're using these rules?
http://gotroot.com/tiki-index.php?page=mod_security+rules
PvUtrix
11-29-2005, 05:10 PM
Yeah, LOTS of rules... not sure that a 256MB VPS can handle that many without a significant increase in load, but if anyone can prove me wrong I would be glad to give them a try...
StingRay
11-30-2005, 01:59 AM
Yes, I was wondering the same thing about load; I have been considering using them as well, even just for the fact that it is updated regularly.
The previous site I was using went under. (monkeydev.org)
They update every day, I believe. ;x
I looked more deeply than when you posted it... (well, because I played with mod_sec rules today... I added a rule to avoid any request that has more than 3 BCCs... I wasn't the victim of any spammer... but I don't want to trust my customers' scripts :))
Anyway, I think the rules for applications are the most important... they seem to contain a lot of old vulnerabilities from a lot of web applications... If they update it often, it could be very helpful and save us from writing or searching forums for new rules every day a vuln is out for a popular web app...
Other rule sets are so huge... I believe it could slow down an HTTP request... I mean, if the request has to pass through a shitload of rules before it's accepted, it's hardcore... So I think we should use the most important rules only... and avoid useless rule sets like "Blacklist of rootkit sites, owned machines and other bad players".
Did you try any rules from the site? And the automatic update script?
asterisk
12-03-2005, 04:02 AM
I agree with Fred, the necessary ones seem to be exclude.conf and rules.conf.
I've tried loading them but I must have mistyped something as httpd couldn't restart afterwards until I removed the Include lines for those external rules from the config file of mod_security.
Any luck with implementing those rules with the new mod_security 1.9.1? And what did you do with the existing rules in the config file by the way?
It would be preferable to do an Include and put the file in the directory where your rules are...
For the implementation, I haven't so far... no time... But notice that you should use the rules with the appropriate version of Apache... So if you are using 1.3 you can use the rules for Apache 1.3 only... the site contains rules for 1.3 and 2.0...
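The restart failure described above is the usual symptom of an Include line whose target path does not exist, which both Apache 1.3 and 2.0 treat as a fatal configuration error. The following is an added example, not code from this thread, from GotRoot or from cPanel: a small POSIX sh pre-flight that resolves every Include in httpd.conf against ServerRoot, reports targets that are missing, and then asks httpd itself to parse the configuration before you restart. The file locations, including the /usr/local/apache/bin/httpd path cPanel normally uses, are assumptions.

```shell
#!/bin/sh
# Pre-flight for mod_security Include lines: list Include targets that do
# not exist, then run httpd -t, before restarting Apache.
# All paths in this script are assumptions for illustration.

# Resolve an Include argument against ServerRoot when it is relative.
resolve_include() {                  # $1 = ServerRoot, $2 = Include argument
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Print every Include target that is missing; return 1 if any is missing.
check_includes() {                   # $1 = httpd.conf, $2 = ServerRoot
    conf=$1; root=$2; missing=0
    # Keep only active Include directives (leading whitespace allowed,
    # commented lines skipped), take the argument, drop surrounding quotes.
    for target in $(grep -i '^[[:space:]]*Include[[:space:]]' "$conf" |
                    awk '{print $2}' | tr -d '"'); do
        path=$(resolve_include "$root" "$target")
        case "$path" in
            *'*'*)                   # wildcard Include: at least one file must match
                set -- $path
                [ -e "$1" ] || { echo "no match for $path"; missing=1; } ;;
            *)
                [ -e "$path" ] || { echo "missing: $path"; missing=1; } ;;
        esac
    done
    return $missing
}

# Run the Include check, then let httpd parse the whole configuration
# (prints "Syntax OK" or the offending directive and line).
preflight() {                        # $1 = httpd.conf, $2 = ServerRoot
    check_includes "$1" "$2" || return 1
    for bin in httpd /usr/local/apache/bin/httpd; do   # cPanel default path assumed
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" -t -f "$1"
            return
        fi
    done
    echo "httpd not found on this host; skipped syntax check"
}

# Usage: sh modsec-preflight.sh /usr/local/apache/conf/httpd.conf /usr/local/apache
[ $# -eq 2 ] && preflight "$1" "$2"
```

Run it after adding the GotRoot Include lines and before touching the running server; a "missing:" line tells you which path was mistyped, and only a clean httpd -t should be followed by a restart.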
vps-vince
12-03-2005, 10:34 AM
What about PVPS offering a hardware firewall option?
It would also help reduce overall server loads considerably, right?
- Vince
I tried the rules...
I'm not sure... but I think they are not working because the modsec version used by cPanel is not equal to or higher than 1.9 as required by http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
AND
(sorry, didn't find a better way to know the version...)
cat /usr/local/cpanel/modules-install/modsecurity-Linux-i686/progversion
1.8.7
:)
Didn't try the rules yet. Am looking at the link now.
But mod_security was installed from WHM by me... which has now been updated to 1.9.1-1.3
asterisk
12-05-2005, 12:08 AM
My mod_sec is also at 1.9.xx so I reckon that's okay. And the rules by GotROOT are in external files referenced to by the Include lines in mod_sec's config file, just like how it was described in the installation guide on their site (although it was mentioned that was for Apache 2, so I'm not sure if this works for 1.3.x as well).
Yeah, I did try out only the rules for Apache 1.3.x, although I'm led to believe that some of the rules in rules.conf are actually for Apache 2.x too. They don't seem to have isolated all the Apache 2.x rules, judging by a glance at some of the posts on their forum, but I can't verify this yet. Will be wanting to explore this further later.
So far I've got httpd not being able to be restarted with the new rules in place. It restarted fine when I commented out the Include lines. If anyone gets it working, I would appreciate hearing how you did it.
Thanks.
PS Thanks, Fred for the version check. I was trying to figure out how to do that. :) Mine says 1.9.1. Like Zaf, I got mine updated via WHM.
skyblu
12-17-2005, 10:34 AM
I'm on cPanel and applied some of GotRoot's rules. They seem to be working well and I've had no problems.
asterisk
12-17-2005, 01:30 PM
Awesome. Mine works now too. Configuration exactly the same as before so my guess is it's either the new rules which I've downloaded from GotRoot, or it's a new version of mod_security, I think it's currently at 1.9.1-1.5 IIRC.
I am looking forward to 1.9.2, as I hear that can be compiled with PCRE, which makes it faster; mod_sec on Apache 1.3.x otherwise runs slower than on Apache 2.x.
What about PVPS offering a hardware firewall option?
It would also help reduce overall server loads considerably, right?
- Vince
Eh, barely, but interesting idea. It would be cool if it's kind of like GigeServers' ProxyShield - http://gigeservers.com/ProxyShield/
Just an FYI: I'm running the GotRoot rules just fine with hardly any performance decrease - granted, this is on a pretty beastly machine...
Dual AMD Opteron 244
4GB ECC Reg'd Kingston RAM
2x250GB SEAGATE
LSI Logic RAID1
InterNAP (yeah I had to include that) Transfer :)
overall, there should be no problems running it on a VPS. *NVM*
err the rules weren't added correctly,
here are the real results.
Before adding rules:
27 req/s on vB
After adding rules
8 req/s on vB
=\
(the more the better, the more requests served per second)
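The before/after figures in this post are the right way to settle the overhead question, since the cost depends on the rule count, the request mix and the regex engine rather than on the box alone. As an added example (not the poster's script), here is the same measurement with ApacheBench, wrapped so the two runs use identical parameters and the loss is reported as a percentage. The URL, request count and concurrency are assumptions; run it once with the GotRoot Include lines commented out and once with them enabled, against the same page.

```shell
#!/bin/sh
# Measure the request-rate cost of a mod_security rule set with ab.
# Added example; the URL and run sizes are placeholders.

# Pull the mean requests/second out of an ab report read on stdin.
parse_rps() {
    awk '/^Requests per second:/ { print $4; exit }'
}

# Run ab and print only the requests/second figure.
rps() {                              # $1 = URL, $2 = requests (200), $3 = concurrency (5)
    ab -n "${2:-200}" -c "${3:-5}" "$1" 2>/dev/null | parse_rps
}

# Percentage of throughput lost: 100 * (before - after) / before, one decimal.
overhead_pct() {                     # $1 = req/s without rules, $2 = req/s with rules
    awk -v b="$1" -v a="$2" 'BEGIN { printf "%.1f\n", 100 * (b - a) / b }'
}

# Constructed sample of ab output, used only to show what parse_rps extracts.
SAMPLE_AB_OUTPUT='Concurrency Level:      5
Time taken for tests:   7.371 seconds
Complete requests:      200
Requests per second:    27.13 [#/sec] (mean)
Time per request:       184.27 [ms] (mean)'

printf '%s\n' "$SAMPLE_AB_OUTPUT" | parse_rps   # 27.13

# The numbers reported in this thread (27 req/s before, 8 after) as an input:
overhead_pct 27 8                                # 70.4

# Live use, two runs of the same page, e.g.:
#   before=$(rps http://localhost/forum/index.php)   # rules commented out
#   ...enable the Include lines, restart httpd...
#   after=$(rps http://localhost/forum/index.php)
#   overhead_pct "$before" "$after"
```

Keep -n and -c the same for both runs and let the page warm up once before measuring; otherwise cache effects, not the rules, dominate the difference.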
StingRay
02-23-2006, 11:34 PM
I am looking forward to 1.9.2, as I hear that can be compiled with PCRE, which makes it faster; mod_sec on Apache 1.3.x otherwise runs slower than on Apache 2.x.
Same here, so I'm doing some research, and recording here for future reference and review.
Find the version currently running on a cpanel VPS.
cat /usr/local/cpanel/modules-install/modsecurity-Linux-i686/progversion
or go to whm->Addon Modules
Mine reported 1.9.1-1.7 (oops we need 1.9.2)
Find out if PCRE is installed
locate libpcre.so
Mine reported /lib/libpcre.so.0
(no idea why the zero at end)
So I'm stumped on both points.
1. When, how, will 1.9.2 be available for cPanel... or can I update it without wreaking havoc with cPanel...
2. I have no clue about pcre and if it's really there and working yet.
Notes from the modsecurity site:
"Compiling the Apache 1.x version against PCRE
By default ModSecurity relies on the regular expression library built into Apache for pattern matching. This works well with Apache 2.x but not so much with Apache 1.x. The Apache 1.x regular expression engine is several times slower. Since 1.9.2 it is possible to compile ModSecurity for Apache 1.x against an external regular expression library (PCRE, http://www.pcre.org, the same library used in Apache 2.x) and achieve significant performance increase. This is achieved with the USE_PCRE compile-time flag.
If you have PCRE already installed on your system it may be sufficient to compile ModSecurity like this:
# <apache1-home>/bin/apxs -DUSE_PCRE -cia mod_security.c
If you don't already have PCRE then you will have to download, configure, and compile it first. It is not necessary to install it.
$ cd <pcre-source>
$ ./configure && make
# cp ./.libs/libpcre.so <apache1-home>/libexec
Then compile and install ModSecurity:
# <apache1-home>/bin/apxs -I <pcre-source> -DUSE_PCRE -cia mod_security.c
Finally, tell Apache to load the PCRE library before ModSecurity. Add the following line before the line that loads ModSecurity (LoadModule ...):
LoadFile libexec/libpcre.so
Now you can stop then start Apache and observe the performance improvements."
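As an added example (not from this thread, from the ModSecurity documentation quoted above, or from cPanel), the checks in this post turned into a repeatable POSIX sh script: read the version from the cPanel progversion file, compare it with the 1.9.2 threshold while ignoring the cPanel package suffix such as -1.7, look for libpcre on the system, and confirm that the LoadFile for libpcre appears before LoadModule security_module in httpd.conf, which is the ordering the quoted instructions require. The file paths are assumptions. On the "zero at the end" question: the .0 in /lib/libpcre.so.0 is the shared library's soname version, so that entry does mean PCRE is installed; it is the development headers (pcre.h) that apxs also needs when building with USE_PCRE.

```shell
#!/bin/sh
# Check whether this host is ready for a USE_PCRE build of mod_security
# for Apache 1.3: version >= 1.9.2, libpcre present, LoadFile ordering.
# Added example; file locations are assumptions.

# Read mod_security's version as cPanel records it (default path assumed).
modsec_version() {                   # $1 = optional path to the progversion file
    f=${1:-/usr/local/cpanel/modules-install/modsecurity-Linux-i686/progversion}
    if [ -r "$f" ]; then cat "$f"; fi
}

# Return 0 if version $1 >= version $2. A package suffix ("1.9.1-1.7") is
# dropped first; missing components count as 0, so 1.10 > 1.9.2.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/-.*//'); b=$(printf '%s' "$2" | sed 's/-.*//')
    i=1
    while [ $i -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f$i); y=$(printf '%s' "$b" | cut -d. -f$i)
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i+1))
    done
    return 0
}

# Return 0 if a libpcre shared library is visible to the dynamic loader or
# sits in one of the usual library directories.
have_pcre() {
    ldconfig -p 2>/dev/null | grep -q 'libpcre\.so' && return 0
    for f in /lib/libpcre.so* /usr/lib/libpcre.so* /usr/local/lib/libpcre.so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Return 0 only if httpd.conf loads libpcre (LoadFile) before mod_security
# (LoadModule security_module); commented lines do not count.
pcre_before_modsec() {               # $1 = httpd.conf
    awk 'tolower($1) == "loadfile"   && $2 ~ /libpcre/           { lf = NR }
         tolower($1) == "loadmodule" && $2 == "security_module"  { lm = NR }
         END { exit !(lf && lm && lf < lm) }' "$1"
}

report() {                           # $1 = optional progversion path
    v=$(modsec_version "${1:-}")
    if [ -z "$v" ]; then
        echo "mod_security version: unknown (no cPanel progversion file)"
    elif version_ge "$v" 1.9.2; then
        echo "mod_security $v: new enough for USE_PCRE"
    else
        echo "mod_security $v: older than 1.9.2, USE_PCRE not available"
    fi
    if have_pcre; then echo "libpcre: found"; else echo "libpcre: not found"; fi
}

report
```

Run pcre_before_modsec against the live httpd.conf after adding the LoadFile line; if it fails, Apache will try to load mod_security before the library it was linked against and the module will not load.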
You can remove ModSec from WHM then install your own version of ModSec.
You lose the WHM interface, logging and the mysql db.
You would have to set up your own cron jobs/db to do the same as WHM does it.
Not sure if you will break things if you try to upgrade the cPanel install.
It would be overwritten on a cPanel upcp and/or nightly update anyway if you have that 'keep updated' feature ticked in WHM.