GUI editor to tame mod_security rules

⌈⌋ branch:  modseccfg


Artifact [f6b837c90c]

Artifact f6b837c90c431daae5bce0a5e9d4f43cf053ccd6c6441fa3c441b2fe93773ab5:

  • File README.md — part of check-in [d9a54476b3] at 2021-01-12 22:51:06 on branch trunk — Man pages (in data_files=) are now handled by pluginconf.setup (user: mario size: 4330)

mod_security config GUI

  • GUI to define SecRuleRemoveById settings on a vhost-basis
  • Tries to suggest false positives from error and audit logs
  • And configure mod_security and CoreRuleSet variables.
  • Runs locally, via ssh -X forwarding, or per modseccfg ssh:/ remoting.

Installation

  • You can install this package locally or on a server:

    pip3 install modseccfg
    
  • And your distro must provide a full Python installaton and mod_security:

    sudo apt install python3-tk ttf-unifont libapache2-mod-security2
    

Start options

  • To run the GUI locally / on test setups:

    modseccfg
    
  • Or with sshfs remoting directly to the servers filesystem:

    modseccfg root@vps5:/
    

A little slower on startup, but allows live log inspection. Requires preconfigured ssh hosts and automatic pubkey authorization. Beware of the implicit ~/mnt/ point, if connecting as root.

Alternatively there's also slow X11 forwarding (ssh -X vps modseccfg) or xpra --start ssh:vps5 --start=modseccfg to run it on on the server.

Usage

You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.

  1. Start modseccfg (python3 -m modseccfg)
  2. Select a configuration/vhost file to inspect + work on.
  3. Pick the according error.log
  4. Inspect the rules with a high error count (→[info] button to see docs).
  5. [Disable] offending rules
    • Don't just go by the error count however!
    • Make sure you don't disable essential or heuristic rules.
    • Compare error with access log details.
    • Else craft an exception rule ([Modify] or →Recipes).
  6. Thenceforth restart Apache (after testing changes: apache2ctl -t).

See also: usage remoting, or preconf/recipe setup, or the "FAQ".

Notes

  • Preferrably do not edit default /etc/apache* files
  • Work on separated /srv/web/conf.d/* configuration, if available
  • And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
  • Requires some setup for the recipes (notably *.preconf includes for vhosts), but not for basic rule disabling/modifications.
  • File→Install packages are Debian-only
  • Reporting scripts also require Ruby

from project import meta

meta info
depends python:pysimplegui, python:pluginconf, python:tkinter, sys:mod-security, bin:sshfs
compat Python ≥3.6, Apache 2.x, mod_security 2.9.x, CRS 3.x, BSD/Linux
compliancy xdg, pluginspec, !pep8, logfmt, !desktop, !xdnd, mallard, man, sshrc, !netrc, !http_proxy, !nobackup, !releases.json, !doap, !packfile
system usage opportune shell invokes (sshfs, find, cat, dpkg, xdg-open)
paths ~/mnt/, ~/backup-config/, ~/.config/modseccfg/
testing few data-driven assertions, only manual UI and usage tests
docs minimal wiki, yelp, news
activity burst, temporary
state beta
support None
contrib mail, fossil DVCS (create an account or send bundles)
announce freshcode.club, pypi.org