cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

mod_sec rules

jimlongo shared this idea 7 years ago
Completed

Since there are no longer a free delayed ruleset offered by Atomicorp, it would be beneficial to users if we had cPanel strike a partnership with either Trustwave or Atomicorp to offer their rulesets as a cPanel option, much like the way that cPanel offers Trustwave security certificates from within WHM.

Best Answer
photo

This feature is currently under development. We hope to deliver this for cPanel & WHM 11.48.


After some research and investigation, the current intention is to provide the OWASP ModSecurity Core Rule Set.


The rule set would be automatically updated within the usual cPanel & WHM update mechanism, with the intention of providing rule updates as quickly as OWASP produces them.


Further, features are being developed alongside this feature that will:

  • Allow easily reporting bad rules that generate false positives back to OWASP so that they can curate and resolve any rule set issues
  • Allow for hosting companies/3rd parties to host their own ModSecurity ruleset (if they elect not to use OWASP distributed by cPanel) that, through our API, would allow for auto-updates and rule reporting as well.

Again, the intention here is to deliver this for cPanel & WHM 11.48.


I also encourage everyone to take a look a the revamped ModSecurity UI for cPanel & WHM 11.46 once it his the EDGE tier. That revamp was the first stage in this process of improving ModSecurity within cPanel & WHM. Feedback regarding the 11.46 ModSecurity UI revamp will assist in shaping this feature request.

Comments (11)

photo
2

I would like to see further discussion and feedback regarding this feature request.


-If you use a ruleset provided by an organization such as Atomicorp or Trustwave, which organization do you obtain your ruleset from?

-How long have you employed this ruleset?

-Have you experienced any significant amounts of false positives or otherwise problematic rules?


In other words, any input that could demonstrate what ruleset(s) are in use and how they've been received would be appreciated.


While any consensus/opinions expressed in this feature request will not guarantee any specific action(s) by cPanel, it would be helpful to us to receive this feedback.

photo
2

I am using Atomic rules.

I've been using the paid rules for about 3 months, for 6 months before that the free rules.

I haven't seen any false positives.

I'm completely happy.


The only difficulty is coming up with a solution to keep your rules updated. I wrote my own cron script. A built in solution would be a big selling point to many users.

photo
2

Cpanel did a survey about willingness to pay for mod_sec rules subscriptions months ago.

photo
1

This feature is currently under development. We hope to deliver this for cPanel & WHM 11.48.


After some research and investigation, the current intention is to provide the OWASP ModSecurity Core Rule Set.


The rule set would be automatically updated within the usual cPanel & WHM update mechanism, with the intention of providing rule updates as quickly as OWASP produces them.


Further, features are being developed alongside this feature that will:

  • Allow easily reporting bad rules that generate false positives back to OWASP so that they can curate and resolve any rule set issues
  • Allow for hosting companies/3rd parties to host their own ModSecurity ruleset (if they elect not to use OWASP distributed by cPanel) that, through our API, would allow for auto-updates and rule reporting as well.

Again, the intention here is to deliver this for cPanel & WHM 11.48.


I also encourage everyone to take a look a the revamped ModSecurity UI for cPanel & WHM 11.46 once it his the EDGE tier. That revamp was the first stage in this process of improving ModSecurity within cPanel & WHM. Feedback regarding the 11.46 ModSecurity UI revamp will assist in shaping this feature request.

photo
2

It would be nice if you can choose Atomic Rules paying something extra at cPanel or at Atomicorp.

Thank you

photo
2

I've used paid AtomiCorp rulesets for years. Never a problem with Wordpress. Sometimes has required removal of a particular rule for Joomla [mostly on older versions] and Concrete5. Never had a problem with Frontpage or any other PHP software that I am aware of. I have no plan to switch away from AtomiCorp rules.


Just read a discussion in the cPanel forum regarding the ability to disallow users from managing / disabling modsecurity. I definitely feel that it should not be possible for a customer / accountholder to disable modsecurity.


m

photo
2

mtindor wrote:

I've used paid AtomiCorp rulesets for years. Never a problem with Wordpress. Sometimes has required removal of a particular rule for Joomla [mostly on older versions] and Concrete5. Never had a problem with Frontpage or any other PHP software that I am aware of. I have no plan to switch away from AtomiCorp rules.


Just read a discussion in the cPanel forum regarding the ability to disallow users from managing / disabling modsecurity. I definitely feel that it should not be possible for a customer / accountholder to disable modsecurity.


m

Thank you for your feedback. The ability for a user to disable mod_security is a privilege that the admin can grant or revoke as the need arises.

photo
2

I think the biggest must when using custom rulesets is the ability to disable on a per website basis. Configserver does this perfectly.


would be good to see this functionality in combination with the OWASP rule list

photo
2

I'm in favor of anything that will help protect Wordpress better!

photo
2

We have used all rule sets out there, Atomic, OWASP and others. The best one to date with the least amount of false-positives as been Comodo's WAF https://waf.comodo.com/


They have a WHM plugin that auto-updates, rule exclusions, protects against brute force for CMS's, it's well maintained and FREE.


They also provide just a rules download so, their rules could easily be incorporated into the nightly WHM updates. The plugin interface has a lot to be desired and if I were going to model an interface to handle modsec server and domain exclusions, I'd model after Configservers ModSec control.

photo
2

Instead of allowing end-users to completely disable ModSecurity, I think it would be much safer if you'd provide the end-users the ability to view the triggered rules, report false positives and disable specific rules (domain-wide or for specific scripts/locations only). So basically port the features from WHM to cPanel, but limited to the end-users' domains/accounts only.


We've disabled the ModSecurity feature from cPanel mainly because many clients decide to disable ModSecurity on their first 403 error, without being aware that this will degrade security for their websites. I actually consider it much more annoying having to deal with successful remote attacks than having to deal with false positives.


So please, try to provide a more efficient solution other than the option to completely disable ModSecurity.

Replies have been locked on this page!