Remote Rule Installation
Requirements:
Apache/IIS mod_security 2.9.5 or higher
Nginx Libmodsecurity 3.0.6 or higher
This method simplifies the WAF configuration by loading all the rule policies over a network connection. By default, the base policy includes the anti-evasion, strict content checking, denial of service, anti-malware, general attack, brute force detection, XSS, rootkit, DLP, and JITP rule classes.
Additional Rule Classes
antispam - Anti-spam rule policy, covering UCE, Gambling, Search Engine spoofing, etc.
proxy - Open Proxy blocking
recon - reconnaissance detection
redactor - Malicious content redactor
search - Search Engine automatic accesslisting
Apache
Step 1) Edit or add the ModSecurity configuration file:
RHEL/Rocky/Centos
/etc/httpd/modsecurity.d/tortix_waf.conf
Ubuntu/Debian
/etc/modsecurity/tortix_waf.conf
Step 2) Add the following to your mod_security tortix_waf.conf file, replacing <API Key> with the value in your license signup email. SecRemoteRulesFailAction Warn tells ModSecurity to log a warning and start without the remote policy if the download fails; the default, Abort, refuses to start the web server instead. Warn keeps the site up, Abort keeps it from running unprotected, so choose deliberately:
SecRemoteRulesFailAction Warn
SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php
Step 3) (Optional) Additional rule classes can be specified as follows
SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php?antispam,recons
Step 4) Configure Apache to load the rules
Include conf.d/*.conf
Step 5) Verify the Modsecurity Core Rules Set and Local Configuration
# ModSecurity Core Rules Set and Local configuration
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
IncludeOptional modsecurity.d/local_rules/*.conf
Nginx
Step 1) Configure nginx to load the modsecurity module in /etc/nginx/nginx.conf
load_module modules/ngx_http_modsecurity_module.so;
Step 2) Add the base ModSecurity configuration to nginx at /etc/nginx/conf.d/00_modsecurity.conf
modsecurity on;
modsecurity_rules_file /etc/httpd/modsecurity.d/tortix_waf.conf;
Step 3) Add the following to your mod_security tortix_waf.conf file, replacing <API Key> with the value in your license signup email:
SecRemoteRulesFailAction Warn
SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php
Step 4) (Optional) Additional rule classes can be specified as follows
SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php?antispam,recons
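The Apache and Nginx steps above both end with the same two-line tortix_waf.conf. Before restarting the web server it is worth checking that file for the mistakes that silently leave the site unprotected: the <API Key> placeholder never replaced, a missing SecRemoteRules line, a plain-http feed URL, or a SecRemoteRulesFailAction placed after the directive it governs. The script below is an added example, not code from the Atomicorp page; the directive names and the rule URL are the page's, while the file paths and the sample key are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the Atomicorp page: check a tortix_waf.conf
# before restarting Apache or nginx. The directive names and the rule URL are
# the ones the page uses; the file paths and the sample key below are
# assumptions made for the demo.

# check_tortix_conf FILE
# Prints one line per problem found; returns 0 when the file is clean, 1 otherwise.
check_tortix_conf() {
    file=$1
    rc=0
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file"
        return 1
    fi
    # Drop comment lines once so every check below sees only live directives.
    live=$(grep -v '^[[:space:]]*#' "$file" || true)

    if ! printf '%s\n' "$live" | grep -q '^[[:space:]]*SecRemoteRules[[:space:]]'; then
        echo "ERROR: no SecRemoteRules directive; the remote policy would never be loaded"
        rc=1
    fi
    if printf '%s\n' "$live" | grep -q '<API Key>'; then
        echo "ERROR: placeholder <API Key> still present; paste the key from the license email"
        rc=1
    fi
    if printf '%s\n' "$live" | grep -q '^[[:space:]]*SecRemoteRules[[:space:]].*[[:space:]]http://'; then
        echo "ERROR: rule feed URL is plain http; the request that carries the key must use https"
        rc=1
    fi
    # Directives are processed in file order at startup, so keep
    # SecRemoteRulesFailAction above the SecRemoteRules it governs, as the page does.
    fa=$(printf '%s\n' "$live" | grep -n '^[[:space:]]*SecRemoteRulesFailAction' | head -n 1 | cut -d: -f1)
    rr=$(printf '%s\n' "$live" | grep -n '^[[:space:]]*SecRemoteRules[[:space:]]' | head -n 1 | cut -d: -f1)
    if [ -z "$fa" ]; then
        echo "WARN: no SecRemoteRulesFailAction; the default is Abort, so the server will not start if the feed is unreachable"
    elif [ -n "$rr" ] && [ "$fa" -gt "$rr" ]; then
        echo "ERROR: SecRemoteRulesFailAction comes after SecRemoteRules; move it above"
        rc=1
    fi
    return $rc
}

# Demo on a constructed config that still carries the placeholder key.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
SecRemoteRulesFailAction Warn
SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php?antispam,recons
EOF
check_tortix_conf "$demo_conf" || echo "demo: fix $demo_conf before restarting the web server"
rm -f "$demo_conf"
```

Run it as `check_tortix_conf /etc/httpd/modsecurity.d/tortix_waf.conf` (or the Debian path) and only restart when it prints nothing; the WARN line is informational, the ERROR lines each describe a configuration that would start the server without the remote policy or leak the key over an unencrypted connection.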
IIS
Step 1) Add the following to your mod_security configuration file C:\Program Files\ModSecurity IIS\modsecurity.conf, replacing <API Key> with the value in your license signup email:
SecRemoteRulesFailAction Warn
SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php
Step 2) (Optional) Additional rule classes can be specified as follows
SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php?antispam,recons
cPanel
Step 1) Configure directory Permissions
cPanel does not run apache as a standard user (such as “apache”) but as the older, non-privileged user “nobody”. You will need to ensure that the work directories that modsecurity uses are owned by the user that cPanel uses to run apache. To find this out you can run the following command as root
ps auxwww | grep http
You should see output similar to the following:
root 20594 86.8 3.1 255148 181232 ? Ss 11:39 0:04 /usr/local/apache/bin/httpd -k restart
root 20611 0.0 3.1 255060 179596 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
nobody 20612 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
nobody 20613 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
nobody 20614 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
nobody 20615 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
nobody 20616 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
In this example from a Centos system running Cpanel the user is “nobody”, so you would want to use these commands to configure the modsecurity work directories for a system where apache is running as “nobody”:
mkdir -p /var/asl/data/msa /var/asl/data/audit /var/asl/data/suspicious
chown nobody:nobody /var/asl/data/msa /var/asl/data/audit /var/asl/data/suspicious
chmod -R o-rx /var/asl/data/*
chmod -R ug+rwx /var/asl/data/*
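Step 1 is two manual actions: read the ps listing to find the unprivileged user, then create and permission the work tree for that user. The script below does both and is an added example, not the page's own code. It generalizes slightly beyond the page by also recognizing Debian-style apache2 binaries; the /var/asl/data layout is the page's, the ps sample is constructed for the offline demo, and the scratch-directory run at the end exists only so the script can be executed without root.

```shell
#!/bin/sh
# Added example, not the page's own code: find the user cPanel's Apache workers
# run as and create the ModSecurity work directories for it. The /var/asl/data
# layout is the page's; the ps sample below is constructed for the offline demo.

# httpd_worker_user
# Reads `ps auxwww` output on stdin and prints the first non-root owner of an
# httpd/apache2 process. The parent listener is always root; the workers run
# as the unprivileged user that must own the work directories.
httpd_worker_user() {
    awk '$11 ~ /(httpd|apache2)$/ && $1 != "root" { print $1; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

# setup_asl_dirs USER [GROUP] [BASE]
# Creates BASE/data/{msa,audit,suspicious} (BASE defaults to /var/asl), hands
# them to USER:GROUP and sets mode 770: owner and group get full access,
# everyone else none, which is what the page's chown/chmod sequence aims at.
# mkdir -p makes the function safe to re-run.
setup_asl_dirs() {
    user=$1
    group=${2:-$1}
    base=${3:-/var/asl}
    for d in msa audit suspicious; do
        mkdir -p "$base/data/$d"
        chown "$user:$group" "$base/data/$d"
        chmod u=rwx,g=rwx,o= "$base/data/$d"
    done
}

# Constructed sample of `ps auxwww | grep http` on a cPanel host (the page's
# example, shortened): the listener is root, the workers are nobody, and the
# grep itself shows up as a root process that must not be mistaken for a worker.
SAMPLE_PS='root 20594 86.8 3.1 255148 181232 ? Ss 11:39 0:04 /usr/local/apache/bin/httpd -k restart
root 20611 0.0 3.1 255060 179596 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
nobody 20612 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
nobody 20613 0.0 3.1 255148 180224 ? S 11:39 0:00 /usr/local/apache/bin/httpd -k restart
root 20700 0.0 0.0 6412 2200 pts/0 S+ 11:40 0:00 grep http'

worker=$(printf '%s\n' "$SAMPLE_PS" | httpd_worker_user) || worker=""
echo "Apache workers run as: ${worker:-<none found>}"

# Demo run in a scratch directory as the current user; on the real host run
# `setup_asl_dirs "$(ps auxwww | httpd_worker_user)"` as root instead.
scratch=$(mktemp -d)
setup_asl_dirs "$(id -un)" "$(id -gn)" "$scratch"
ls -ld "$scratch"/data/*
rm -rf "$scratch"
```

On a live cPanel host, `ps auxwww | httpd_worker_user` replaces the manual reading of the listing, and an empty result means Apache is not running, so start it before deciding which user should own the work tree rather than guessing "nobody".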
Step 2) Install ModSecurity
Step 3) Make a change to the cPanel ModSecurity configuration. cPanel overwrites modsec2.conf, so make the change in the user config file (/usr/local/apache/conf/modsec2.user.conf) instead. A typical configuration looks like the following:
SecRequestBodyAccess On
SecAuditLogType Concurrent
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
Add the following to your mod_security tortix_waf.conf file, replacing <API Key> with the value in your license signup email:
SecRemoteRulesFailAction Warn
SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php
(Optional) Additional rule classes can be specified as follows
SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php?antispam,recons
If you want to load just some of the rules, make sure you specify only those rule files. The default list above is the recommended and supported rulesets with cpanel. Do not use the other asl rulesets with cpanel, those other rules either use other apache modules (such as mod_sed) or Atomic Protector specific features that require Atomic Protector.
Make sure you have all of the settings on this page in place to use ModSecurity with cPanel correctly. Without them we cannot support you, and ModSecurity will run more slowly and less accurately, exposing your system to attack and slowing it down.
Step 4) Install mod_uniqueid: Cpanel users will need to manually verify that the mod_unique_id module is loaded by cpanel’s apache. It should be loaded by default, but check your cpanel configuration to be sure.
Step 5) Restart Apache by running the following command:
service httpd restart