Mod_security :: upgrading from 1.x to 2.x (part 2)

Hello All

Well, I was able to get mod_security upgraded from 1.x to 2.x on all servers. There were issues along the way, mainly the problem with mod_limitipconn and mod_security-2.x not playing nice with each other (please review posts below on the matter since it may not be isolated to mod_limitipconn, and resulted in full mod_security bypass!).

They did a major re-work porting 1.x to 2.x, almost all the rule syntax and directives have been changed. Also, they did a much better job on the core rulesets. I’m experiencing some small false positives and issues relating to a few of the rules, but overall the core ruleset is very nice.

Okay, if you’re running mod_security-1.8.7 or mod_security-1.9.4 and need to upgrade to 2.1.1, here is how I did it:

emerge -pv mod_security
dispatch-conf

Take the new 99_mod_security.conf (the rules are now broken out into separate files and included from /etc/apache2/modules/mod_security/*.conf).


vi /etc/apache2/httpd.conf

We need to enable unique_id_module (I deactivated all non-essential Apache modules when I initially set the server up, so I need to remove the comment in front of that LoadModule line). Your Apache setup might already have it enabled.


vi /etc/apache2/modules/mod_security/10_config.conf

This file holds the main global settings for mod_security. Its default action is ‘pass’ (log only, never block), so we want to change it to deny. Look for the following:


SecDefaultAction "phase:2,log,pass,status:403"

and set it to


SecDefaultAction "phase:2,log,deny,status:403"

I like to forbid uploads to the server by default (this may not work for your situation, but I’ll include it anyway). Add this to 10_config.conf; with no actions of its own, the rule inherits the SecDefaultAction above, so a multipart/form-data request is denied with a 403:


SecRule REQUEST_HEADERS:Content-Type "^multipart/form-data"

Now, if you have some custom or specific rules that you want to bring over from 1.x, you’ll need to get comfortable with the migration matrix document. They did a great job including this, and it was extremely helpful:

ModSecurity 1.x to 2.x Migration Matrix

With my setup, I had specific overrides within certain vhosts, etc. (playing with Inheritance Off, etc.). So, I had the great pleasure of going through all of my vhosts, converting them to the new rule syntax and changing the IfModule from mod_security.c to mod_security2.c. You may have to do the same.

Once you have everything updated, check your config:


apache2ctl -t

If all is good, restart Apache:


/etc/init.d/apache restart
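Because the three things that bit me (SecDefaultAction left on pass, unique_id_module still commented out, vhosts still wrapped in the 1.x mod_security.c IfModule) all produce a config that passes apache2ctl -t but silently does less than you think, here is a small preflight script I wrote as an added example (not part of the original post or the mod_security project). The function name and the file paths in the usage comment are my own assumptions; it is a plain grep over the files you hand it and does not follow Include directives.

```shell
#!/bin/sh
# modsec_preflight: catch the three 1.x -> 2.x upgrade gotchas before restarting Apache.
# Usage: sh modsec_preflight.sh /etc/apache2/httpd.conf \
#            /etc/apache2/modules/mod_security/10_config.conf /etc/apache2/vhosts.d/*.conf
# Prints one line per finding; returns 0 when clean, 1 when anything was found.
modsec_preflight() {
    httpd_conf=$1; modsec_conf=$2; shift 2
    rc=0

    # 1. mod_security2 needs mod_unique_id; an active (uncommented) LoadModule line must exist.
    if ! grep -qE '^[[:space:]]*LoadModule[[:space:]]+unique_id_module' "$httpd_conf"; then
        echo "$httpd_conf: unique_id_module is not loaded (mod_security2 requires it)"
        rc=1
    fi

    # 2. A SecDefaultAction whose action list contains "pass" means rules log but never block.
    if grep -qE '^[[:space:]]*SecDefaultAction[[:space:]]+"([^"]*,)?pass(,[^"]*)?"' "$modsec_conf"; then
        echo "$modsec_conf: SecDefaultAction still uses pass (detect-only); change it to deny"
        rc=1
    fi

    # 3. <IfModule mod_security.c> is the 1.x module name; under 2.x that whole block is skipped.
    for vhost in "$@"; do
        if grep -qE '<IfModule[[:space:]]+mod_security\.c>' "$vhost"; then
            echo "$vhost: <IfModule mod_security.c> is the 1.x name; 2.x rules need mod_security2.c"
            rc=1
        fi
    done
    return $rc
}

# Run directly when given at least httpd.conf and the mod_security config.
[ "$#" -ge 2 ] && modsec_preflight "$@"
```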

You’ll want to keep a close eye on your error_log and the new modsec_audit.log. Things will definitely be more ‘chatty’ than before (with the new core rules). To handle this, you may want to change log to nolog and auditlog to noauditlog in the noisy rules, so they are kept out of the logs but still applied.

I would also recommend joining their mailing list. Devs are active and helpful, which is great for understanding the functionality changes and rule changes.

Good luck!