| Fix is_glob taking precedence over not writable() in log reader, more details for subprocess.run() tasks (instead of os.system() now) | ||
|---|---|---|
| mario authored 0 days ago last checkin 21714627e ⎘ | ||
| π data | Add data/ dir, and common_false_positives.log (for CRS 2.2 however, nβΉβΊ | 8 days ago |
| π __init__.py | Release as 0.4.0βΉβΊ | 0 days ago |
| π __main__.py | Initial prototype (conf parser, log reader, mainwindow somewhat functβΉβΊ | 12 days ago |
| π crsoptions.py | Change `fn` to select with existing vhost/conf filesβΉβΊ | 1 days ago |
| π editor.py | Pointless featuritis: add "r/o" for editor statusbar, adapt flag on "βΉβΊ | 0 days ago |
| π icons.py | Use crs icon.βΉβΊ | 6 days ago |
| π logs.py | Fix is_glob taking precedence over not writable() in log reader, moreβΉβΊ | 0 days ago |
| π mainwindow.py | Release as 0.4.0βΉβΊ | 0 days ago |
| π recipe.py | Build data bad() from log line. Complete some comments for recipies, βΉβΊ | 0 days ago |
| π ruleinfo.py | Wrap .msg textβΉβΊ | 7 days ago |
| π secoptions.py | Reshuffle directive categories, add 0640 in place of "octal_mode"βΉβΊ | 6 days ago |
| π utils.py | Fix is_glob taking precedence over not writable() in log reader, moreβΉβΊ | 0 days ago |
| π vhosts.py | Introduce vhost.warn message (for writeability or multiple vhost warnβΉβΊ | 0 days ago |
| π writer.py | Fix missing lookahead for rx.end (closing VHost section got stripped βΉβΊ | 4 days ago |
modseccfg
WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION - It doesn't, but: no warranty and such. - Also, hasn't many features yet.
mod_security config
- Simple GUI editor for SecRuleRemoveById settings
- Tries to suggest false positives from error and audit logs
- Can configure mod_security directives and CoreRuleSet variables.
- Runs locally, via
ssh -Xforwarding, or permodseccfg vps5:/automount.
Installation
You can install this package locally or on a server:
pip3 install -U modseccfgRequires a full Python 3.x installation:
sudo apt install python3-tk ttf-unifont libapache2-mod-security2
Start options
To run the GUI locally / on test setups:
modseccfgTo start it on a server per X11 forwarding (terribly slow over SSH):
ssh -X vps5 modseccfgAlternatively use xpra:
xpra --start ssh:vps5 --start=modseccfgBest: use an automatic filesystem mount (with ssh shortcut/pubkey auth already configured). That's a bit slow on startup, but pays off when browsing for details.
modseccfg root@vps5:/
WARNING: This will bind the remote
/server root. Take care to configure the mount point (File β Settings β Utils β Remote binding), and no backup or cleanup job is running whilst modseccfg is active.
This doesn't strictly require the root user for ssh, but permissions for logs and individual*.conffiles when changed (chownthe ones that shall be editable). The sshfs/fuse mount will be terminated with the GUI, though.
Usage
You obviously should have Apache(2.x) + mod_security(2.9) + CRS(3.x) set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.
- Start modseccfg (
python3 -m modseccfg) - Select a configuration/vhost file to inspect + work on.
- Pick the according error.log
- Inspect the rules with a high error count.
- [Disable] offending rules
- Don't just go by the error count however!
- Make sure you don't disable essential or heuristic rules.
- Compare error with access log details.
- Else craft an exception rule ([Modify] or βRecipes).
- Thenceforth restart Apache after testing changes (
apache2ctl -t).
Notes
- Preferrably do not edit default
/etc/apache*files - Work on separated
/srv/web/conf.d/*configuration, if available - And keep vhost settings in e.g.
vhost.*.dirfiles, rather than multiple<VirtualHost>in one*.conf(else only the first section will be augmented). - Use the editor (F4) to verify more complex settings.
Missing features
- Rule [modify] is still unimplemented.
- Recipes are not worth using yet.
- No sudo usage.