Update ModSecurity Vendor OWASP to OWASP ModSecurity Core Rule Set (CRS) 3
Completed
OWASP ModSecurity Core Rule Set (CRS) 3 has been released. ModSecurity™ Vendors needs to be updated to include this update. See: https://modsecurity.org/crs/
Additionally cPanel official docs for OWASP needs to be updated to include what version WHM loads when OWASP (Vendor) is installed: https://documentation.cpanel.net/display/CKB/OWASP+ModSecurity+CRS
I like this idea 
cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.
This was added much more quickly, and you should see it on your servers now! Take a look, and let me know if you have any questions!
This was added much more quickly, and you should see it on your servers now! Take a look, and let me know if you have any questions!
I'd like to provide, what I believe are very sound and valid reasons, for cPanel to implement the CRS 3 rulesets as soon as possible.
With the current rulesets in place, there are a lot of false positives. CRS3 removes over 90% of these with a default installation. Currently, when cPanel is installed and ModSec is enabled, cPanel itself triggers a false positive! When cPanel checks to see if Apache is up and running every minute, a bunch of stuff gets written to the ModSec log files. Because this happens so often, it's a security concern. Valid security threats might be missed because there's sooooo many false positives in the logs. The REQUEST-01-COMMON-EXCEPTIONS.conf does not properly whitelist the whm-server-status stuff. I had to add a custom rule to my REQUEST-01-COMMON-EXCEPTIONS.conf file to prevent the false positive:
Another false positive can easily be triggered. If someone is running any type of forum software, just simply using the word curl will trigger a false positive. The current rulesets don't realize that sometimes the word curl might not be referring to the curl program. If a user tries posting an innocent thread like, "I just want to curl up next to the fire and relax", the CRS3 rulesets will block this post, thinking it's some sort of attack.
The log files for ModSec fill up sooooo fast from soooooo many false positives with the current ruleset, it's almost impossible to sort through the logs on a regular basis looking for hacking attempts. The majority, if not all, of these false positives will disappear as soon as CRS3 is implemented.
The ModSec team highly suggests everyone, including distributors, upgrade to the CRS3 ruleset as soon as possible. It's a stable release now and I feel it should be implemented immediately.
I'd like to provide, what I believe are very sound and valid reasons, for cPanel to implement the CRS 3 rulesets as soon as possible.
With the current rulesets in place, there are a lot of false positives. CRS3 removes over 90% of these with a default installation. Currently, when cPanel is installed and ModSec is enabled, cPanel itself triggers a false positive! When cPanel checks to see if Apache is up and running every minute, a bunch of stuff gets written to the ModSec log files. Because this happens so often, it's a security concern. Valid security threats might be missed because there's sooooo many false positives in the logs. The REQUEST-01-COMMON-EXCEPTIONS.conf does not properly whitelist the whm-server-status stuff. I had to add a custom rule to my REQUEST-01-COMMON-EXCEPTIONS.conf file to prevent the false positive:
Another false positive can easily be triggered. If someone is running any type of forum software, just simply using the word curl will trigger a false positive. The current rulesets don't realize that sometimes the word curl might not be referring to the curl program. If a user tries posting an innocent thread like, "I just want to curl up next to the fire and relax", the CRS3 rulesets will block this post, thinking it's some sort of attack.
The log files for ModSec fill up sooooo fast from soooooo many false positives with the current ruleset, it's almost impossible to sort through the logs on a regular basis looking for hacking attempts. The majority, if not all, of these false positives will disappear as soon as CRS3 is implemented.
The ModSec team highly suggests everyone, including distributors, upgrade to the CRS3 ruleset as soon as possible. It's a stable release now and I feel it should be implemented immediately.
I agree with the statements about the huge amount of false-positives showing in server logs. Each day i review several server logs and it can take up to a half hour to filter the ModSec logs alone. My solution was to finally disable ModSec and adjust my various server security components to cover the areas ModSec would.
So if a simple udate to the current ruleset would greatly reduce ModSec false positives for cPanel users, i ask why not update it? Especially since the ModSec team report that the current release is a stable version.
Thanks for considering this feature,
danielpmc
I agree with the statements about the huge amount of false-positives showing in server logs. Each day i review several server logs and it can take up to a half hour to filter the ModSec logs alone. My solution was to finally disable ModSec and adjust my various server security components to cover the areas ModSec would.
So if a simple udate to the current ruleset would greatly reduce ModSec false positives for cPanel users, i ask why not update it? Especially since the ModSec team report that the current release is a stable version.
Thanks for considering this feature,
danielpmc
Danielpmc,
Until cPanel updates the ModSec CRS, perhaps instead of disabling ModSec, you could just whitelist the local loopback on the server, like I did. ModSec is still running and protecting your server, but you won't see any false positives if they're triggered by the server. You will still see some false positives that are triggered by users visiting the site, but just that one SecRule I showed greatly reduces that very large number of log entries from cPanel whm-server-status false positive hit. You'd simply adjust the id number to fit your system. You just have to pick an ID that isn't being used. If 981022 doesn't exist, then you can just copy and paste it in a ModSec config file and enable the rule. I can help you with it if you'd like. I can provide step-by-step instructions.
Danielpmc,
Until cPanel updates the ModSec CRS, perhaps instead of disabling ModSec, you could just whitelist the local loopback on the server, like I did. ModSec is still running and protecting your server, but you won't see any false positives if they're triggered by the server. You will still see some false positives that are triggered by users visiting the site, but just that one SecRule I showed greatly reduces that very large number of log entries from cPanel whm-server-status false positive hit. You'd simply adjust the id number to fit your system. You just have to pick an ID that isn't being used. If 981022 doesn't exist, then you can just copy and paste it in a ModSec config file and enable the rule. I can help you with it if you'd like. I can provide step-by-step instructions.
Hello Ken,
Thanks for the offer of a how-to workaround. With my current server setup i am not accessible by the public, so i use my firewall and a couple third-party addons for my security.
But i still feel that your feature should be strongly considered. After all doesnt cPanel implore us to keep our WHM/cPanel up to date to prevent bugs, exploits and vulnerabilities? Updated server software creates a safe and secure enviroment, not only for the root user but also the public it serves.
danielpmc
Hello Ken,
Thanks for the offer of a how-to workaround. With my current server setup i am not accessible by the public, so i use my firewall and a couple third-party addons for my security.
But i still feel that your feature should be strongly considered. After all doesnt cPanel implore us to keep our WHM/cPanel up to date to prevent bugs, exploits and vulnerabilities? Updated server software creates a safe and secure enviroment, not only for the root user but also the public it serves.
danielpmc
Danielpmc,
You're absolutely right. My solution is just a small workaround, but the best course of action is to just update the Core Rule Sets to the latest version of 3. I believe and was told, but aren't 100% convinced, that cPanel actually ships with a very early version of the CRS3, from 2014. My VPS is currently broken (physical hardware problems) so I cannot tell you exactly what file, but one of the ModSec configuration files mentions CRS3 and has a date of 2014. It seems cPanel might really be using a very early beta version of the rules.
I think with cPanel, even if something is declared stable, they have to put it through a rigorous set of tests before implementing something like this. I also think they have a lot going on, including a ton of feature requests. Perhaps they just haven't gotten around to this feature request yet?
Thanks!
Danielpmc,
You're absolutely right. My solution is just a small workaround, but the best course of action is to just update the Core Rule Sets to the latest version of 3. I believe and was told, but aren't 100% convinced, that cPanel actually ships with a very early version of the CRS3, from 2014. My VPS is currently broken (physical hardware problems) so I cannot tell you exactly what file, but one of the ModSec configuration files mentions CRS3 and has a date of 2014. It seems cPanel might really be using a very early beta version of the rules.
I think with cPanel, even if something is declared stable, they have to put it through a rigorous set of tests before implementing something like this. I also think they have a lot going on, including a ton of feature requests. Perhaps they just haven't gotten around to this feature request yet?
Thanks!
There is an ongoing and current discussion about the OWASP ModSecurity false positives at cPanel Forums.
https://forums.cpanel.net/threads/issues-with-modsecurity-owasp-and-false-positives.557341/
Thanks cPanel crew for considering this feature,
danielpmc
There is an ongoing and current discussion about the OWASP ModSecurity false positives at cPanel Forums.
https://forums.cpanel.net/threads/issues-with-modsecurity-owasp-and-false-positives.557341/
Thanks cPanel crew for considering this feature,
danielpmc
Good news everyone! Our development team is working on this now, and we are hoping to deliver it in version 64!
Good news everyone! Our development team is working on this now, and we are hoping to deliver it in version 64!
Benny,
Do you know it's going to take so long to get into cPanel?
Benny,
Do you know it's going to take so long to get into cPanel?
This was added much more quickly, and you should see it on your servers now! Take a look, and let me know if you have any questions!
This was added much more quickly, and you should see it on your servers now! Take a look, and let me know if you have any questions!
Replies have been locked on this page!