mod_security thoughts

LinqLOL · Mar 3, 2015

Testing the mod_security functionality (in combination with the Atomic corp live rules) in active mode . Below some of my findings about the current state of mod_security in Plesk:

On the manual page they are talking about /var/log/httpd/modsec_audit.log but the correct location is /var/log/modsec_audit
Whats the best way to test if mod_security working? The prefered testing method with index.php?foo=http://www.foo.com/ does not trigger anything
the modsec_audit is flooded (all request details are logged?) can the default logging level be lowered? I only want this filled when a request is blocked
cli: it's not possible to change the update frequency (default = update disabled) with the server_pref cli tool
how/where are my atomic corp logins stored? When I check /etc/asl.config I see "plesk_global_unpaid" as USERNAME

What are you thoughts about the current state of the WAF in Plesk?

IgorG · Mar 3, 2015

After enabling WAF in Plesk UI I see:

[root@ppu12-0 ~]# ls -la /var/log/modsec_audit.log
-rw-r----- 1 root root 0 Mar 3 16:38 /var/log/modsec_audit.log

How to test WAF (mod_security) Plesk 12

LinqLOL · Mar 3, 2015

@igor The link you gave me is interesting. I had the atomic turtle rpm installed but i'm pretty sure I did not do that! I uninstalled the turtle rpm and reinstalled the original
rpm. Now it seems to work.

But the modsec_audit.log keeps growing (today 82 MB already)!

atomicturtle · Mar 3, 2015

We favor sticking with the LSB guidelines, where the audit logs will be in the same directory as the rest of the httpd logs: /var/log/httpd/

LinqLOL · Mar 4, 2015

atomicturtle said:
We favor sticking with the LSB guidelines, where the audit logs will be in the same directory as the rest of the httpd logs: /var/log/httpd/

Yes your right, but Parallels is not doing that

They put the log in /var/log

websavers · Mar 28, 2015

The log file not rotating should be considered a bug in Plesk.

Within the Plesk GUI you can go to the web application firewall settings tab and specify under Custom directives:
SecAuditLog "/var/log/httpd/modsec_audit.log"

OR

You can alternatively do what the Plesk devs should have done for us: edit /usr/local/psa/etc/logrotate.conf and insert

/var/log/modsec_audit.log {
daily
rotate 12
missingok
notifempty
copytruncate
compress
}

IgorG · Mar 29, 2015

On my test Plesk 12 server I see:

# cat /etc/logrotate.d/mod_security
/var/log/modsec_audit.log {
daily
rotate 7
missingok
compress
postrotate
/sbin/service httpd reload > /dev/null 2>/dev/null || true
endscript
}

# rpm -qf /etc/logrotate.d/mod_security
mod_security-2.8.0-14061715.i386

websavers · Mar 30, 2015

Perhaps that logrotate file was set up by an earlier version or a very very recent update added it? I just freshly installed this server last week from CLI and that file does not exist:

Code:

# ls -al /etc/logrotate.d

total 60

drwxr-xr-x  2 root root    4096 Mar 28 20:22 .
drwxr-xr-x 86 root root    4096 Mar 29 04:24 ..
-rw-r--r--  1 root root      80 Nov  9  2012 drwebd
-rw-r--r--  1 root root     112 Feb 27  2013 drweb-update
-rw-r--r--  1 root root     185 Aug 15  2014 httpd
-rw-r--r--  1 root root      70 Feb  1  2013 lfd
-rw-r--r--  1 root mailman  407 Nov 20  2012 mailman
-rw-r--r--  1 root root     871 Feb  9 17:13 mysqld
-rw-r-----  1 root named    170 Dec 11 21:25 named
-rw-r--r--  1 root root     164 May 15  2014 nginx
-rw-r--r--  1 root root     207 Feb 23 16:29 php-fpm
-rw-r--r--  1 root root     115 Feb 23 06:31 samba
-rw-r--r--  1 root root      68 Jun 18  2012 sa-update
-rw-r--r--  1 root root     210 Dec 10 05:05 syslog
-rw-r--r--  1 root root      87 Oct 16 11:15 yum

Code:

# rpm -qa | grep security
plesk-modsecurity-configurator-12.0.18-cos6.build1200140724.12.noarch
mod_security-2.8.0-24.el6.art.x86_64
plesk-modsecurity-crs-12.0.14-14033112.x86_64

IgorG · Mar 30, 2015

You have mod_security from Atomic. What about

# rpm -ql mod_security-2.8.0-24.el6.art.x86_64 | grep

websavers · Mar 31, 2015

Code:

# rpm -ql mod_security-2.8.0-24.el6.art.x86_64
/etc/httpd/conf.d/00_mod_security.conf
/etc/httpd/modsecurity.d
/usr/lib64/httpd/modules/mod_security2.so
/usr/share/doc/mod_security-2.8.0
/usr/share/doc/mod_security-2.8.0/CHANGES
/usr/share/doc/mod_security-2.8.0/LICENSE
/usr/share/doc/mod_security-2.8.0/README.TXT
/usr/share/doc/mod_security-2.8.0/doc
/usr/share/doc/mod_security-2.8.0/doc/README.txt
/usr/share/doc/mod_security-2.8.0/modsecurity.conf-recommended

Since Plesk sets up the configuration (including the log file) shouldn't it be Plesk's responsibility to set up logrotate no matter where the RPM is from? I could understand how Plesk would be exempt from this if the RPM came with the log file configuration built in, but the above referenced conf file is empty.

atomicturtle · Apr 1, 2015

This is why the LSB uses /var/log/httpd, logrotate is already set up to do that for every log file that drops into that directory.

Additionally you would not associate a logrotate config with an apache module, since a module does not restart apache (and should not to avoid multiple restarts) . Were you to do that in a apache module, your log file would be rotated, and the inode would be lost, losing all your new logs.

mod_security thoughts

LinqLOL

Basic Pleskian

IgorG

Plesk addicted!

LinqLOL

Basic Pleskian

atomicturtle

Golden Pleskian

LinqLOL

Basic Pleskian

websavers

Regular Pleskian

IgorG

Plesk addicted!

websavers

Regular Pleskian

IgorG

Plesk addicted!

websavers

Regular Pleskian

atomicturtle

Golden Pleskian

Similar threads