GUI editor to tame mod_security rules

Wiki page [modseccfg] by mario 2020-12-09 10:13:56.

## mod_security config GUI

 * GUI to define SecRuleRemoveById settings on a vhost-basis
 * Tries to suggest false positives from error and audit logs
 * And configure mod_security and CoreRuleSet variables.
 * Runs locally, via `ssh -X` forwarding, or per `modseccfg ssh:/`
   remoting.

<img src="/raw/59f5daf65f51e0642d0925d43aa6a6b262bb54aefd026cb342bcdecda01459c0?m=image/gif" width=640 height=480 style="margin:10pt">


<blockquote style="background:#fdc; padding: 20pt; border-radius: 10pt; border: 5pt solid #eba;">
 <b>WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION</b> - It doesn't, but: no warranty and such. - Also, it doesn't have many features yet.
</blockquote>


## Installation

 * You can install this package locally or on a server:

        pip3 install -U modseccfg

 * And your distro must provide a full Python installation and mod_security:

        sudo apt install python3-tk ttf-unifont libapache2-mod-security2

## Start options

 * To run the GUI locally / on test setups:

        modseccfg


 * Or to [connect to a remote](wiki/remoting) server:
    
        modseccfg root@vps5:/

   Takes a bit longer on startup, but is heaps better than X11 forwarding.


## Usage

You obviously should have Apache + mod_security + CRS set up
and running already (in DetectionOnly mode initially), to allow for log
inspection and adapting rules.

 1. Start modseccfg (`python3 -m modseccfg`)
 2. Select a configuration/vhost file to inspect + work on.
 3. Pick the corresponding error.log
 4. Inspect the rules with a high error count.
 5. [Disable] offending rules
     * **Don't just go by the error count however!**
     * Make sure you don't disable essential or heuristic rules.
     * Compare error with access log details.
     * Else craft an exception rule ([Modify] or →Recipes).
 6. Thenceforth restart Apache (after testing changes: `apache2ctl -t`).
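
The triage in steps 4 and 5, as an added example (not modseccfg's own code): it tallies rule ids from an error.log, keeps per-rule client and URI context so the hit count is not the only signal, and emits candidate `SecRuleRemoveById` lines for review. The sample log lines, the `KEEP` set and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumption: CRS 3.x anomaly evaluation/correlation rules are the "essential"
# ones to leave alone; they fire alongside other rules, so their counts mislead.
KEEP = {"949110", "980130"}
FIELD = re.compile(r'\[(id|msg|uri|hostname) "([^"]*)"\]')
CLIENT = re.compile(r"\[client (\d+\.\d+\.\d+\.\d+)")  # IPv4 only, port dropped

def _line(ip, rid, msg, uri):
    """Build one constructed, abbreviated mod_security2 error.log line."""
    return (f'[Wed Dec 09 10:00:01.100000 2020] [:error] [pid 811] [client {ip}:40112] '
            f'ModSecurity: Warning. [id "{rid}"] [msg "{msg}"] '
            f'[hostname "www.example.test"] [uri "{uri}"]')

EVENTS = (  # constructed sample data, not taken from a real server
    [(ip, "920350", "Host header is a numeric IP address", "/")
     for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.7")]
    + [("203.0.113.50", "942100", "SQL Injection Attack Detected via libinjection", "/search")] * 3
    + [(ip, "949110", "Inbound Anomaly Score Exceeded (Total Score: 5)", "/")
       for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9", "203.0.113.50")]
)
SAMPLE_LOG = "\n".join([_line(*e) for e in EVENTS]
                       + ["[Wed Dec 09 10:00:02 2020] [core:notice] AH00094: Command line"])

def summarize(log_text):
    """Return {rule_id: {hits, clients, uris, msg}} for ModSecurity log lines."""
    rules = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set(), "msg": ""})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "ModSecurity:" not in line or "id" not in fields:
            continue  # unrelated Apache message
        rule = rules[fields["id"]]
        rule["hits"] += 1
        rule["msg"] = fields.get("msg", rule["msg"])
        rule["uris"].add(fields.get("uri", "?"))
        client = CLIENT.search(line)
        if client:
            rule["clients"].add(client.group(1))
    return dict(rules)

def candidates(rules, min_hits=3, min_clients=2):
    """Rule ids to review as false positives: frequent AND seen from several clients."""
    picked = [(rid, r) for rid, r in rules.items() if rid not in KEEP
              and r["hits"] >= min_hits and len(r["clients"]) >= min_clients]
    return [rid for rid, _ in sorted(picked, key=lambda p: -p[1]["hits"])]

def directives(rule_ids):
    """Render the vhost lines to paste after manual review."""
    return "\n".join(f"SecRuleRemoveById {rid}" for rid in rule_ids)

if __name__ == "__main__":
    print(directives(candidates(summarize(SAMPLE_LOG))))
```

In the sample, 942100 has three hits but all from one client on one URI, so it is left out of the candidates and should be compared against the access log instead.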


See also:

  * [usage](wiki/usage)
  * [remoting](wiki/remoting)
  * [preconf setup](wiki/preconf) and [recipes](wiki/recpie)
  * [log scripts/](wiki/scripts)
  * or the ["FAQ"](doc/trunk/FAQ.md)


### Notes

 * Preferably do not edit default `/etc/apache*` files
 * Work on separated `/srv/web/conf.d/*` configuration, if available
 * And keep vhost settings in e.g. `vhost.*.dir` files, rather than
   multiple `<VirtualHost>` in one `*.conf` (else only the first section
   will be augmented).
 * Use the editor (F4) to verify more complex settings.

### Missing features

 * Rule [modify] is still unimplemented.
 * Recipes are not worth using yet.
 * No sudo usage.

