Wiki page [modseccfg] by mario, 2020-11-24 19:57:24.
<blockquote style="background:#fdc; padding: 20pt; border-radius: 10pt; border: 5pt solid #eba;">
<b>WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION</b> - It doesn't, but: no warranty and such. - Also, it doesn't have many features yet.
</blockquote>
## mod_security config
* Simple GUI editor for SecRuleRemoveById settings
* Tries to suggest false positives from error and audit logs
* Can configure mod_security directives and CoreRuleSet variables.
* Runs locally, via `ssh -X` forwarding, or via `modseccfg vps5:/` automount.
<img src="/raw/59f5daf65f51e0642d0925d43aa6a6b262bb54aefd026cb342bcdecda01459c0?m=image/gif" width=640 height=480 style="margin:10pt">
## Installation
* You can install this package locally or on a server:

        pip3 install -U modseccfg

* Requires a full Python 3.x installation:

        sudo apt install python3-tk ttf-unifont libapache2-mod-security2

## Start options
* To run the GUI locally / on test setups:

        modseccfg

* To start it on a server via X11 forwarding (terribly slow over SSH):

        ssh -X vps5 modseccfg

* Alternatively use [xpra](https://xpra.org/):

        xpra start ssh:vps5 --start=modseccfg

* **Best:** use an automatic filesystem mount (with ssh shortcut/pubkey auth
  already configured). That's a bit slow on startup, but pays off when
  browsing for details.

        modseccfg root@vps5:/

> **WARNING**: This will bind the remote `/` server root. Take care to
> configure the mount point (File → Settings → Utils → Remote binding),
> and make sure no backup or cleanup job is running whilst modseccfg is active.
> This doesn't strictly require the root user for ssh, but it does need
> permissions for the logs and for the individual `*.conf` files that are to be
> changed (`chown` the ones that shall be editable).
> The sshfs/fuse mount will be terminated with the GUI, though.

## Usage
You obviously should have Apache(2.x) + mod_security(2.9) + CRS(3.x) set up
and running already (in DetectionOnly mode initially), to allow for log
inspection and adapting rules.
1. Start modseccfg (`python3 -m modseccfg`)
2. Select a configuration/vhost file to inspect + work on.
3. Pick the corresponding error.log
4. Inspect the rules with a high error count.
5. [Disable] offending rules
    * **Don't just go by the error count however!**
    * Make sure you don't disable essential or heuristic rules.
    * Compare error with access log details.
    * Else craft an exception rule ([Modify] or →Recipes).
6. Then restart Apache after testing the changes (`apache2ctl -t`).
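
A triage sketch for steps 4 and 5, added here as an example and not taken from modseccfg's own code: it tallies hits, distinct clients and distinct URIs per rule id from an error.log, and only proposes `SecRuleRemoveById` for rules that fire for several clients on few URIs. The log lines are constructed and shortened, and the thresholds and the `ESSENTIAL` set are assumptions.

```python
import re
from collections import defaultdict

# Constructed, shortened lines in the Apache 2.4 + mod_security 2.9 error.log layout.
SAMPLE_LOG = '''\
[Tue Nov 24 19:01:02 2020] [:error] [pid 7] [client 203.0.113.5:40112] ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [uri "/"]
[Tue Nov 24 19:01:03 2020] [:error] [pid 7] [client 203.0.113.5:40113] ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [uri "/admin.php"]
[Tue Nov 24 19:01:04 2020] [:error] [pid 7] [client 203.0.113.5:40114] ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [uri "/.env"]
[Tue Nov 24 19:02:10 2020] [:error] [pid 8] [client 198.51.100.7:51000] ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/blog/comment"]
[Tue Nov 24 19:02:10 2020] [:error] [pid 8] [client 198.51.100.7:51000] ModSecurity: Warning. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/blog/comment"]
[Tue Nov 24 19:03:11 2020] [:error] [pid 8] [client 198.51.100.8:51001] ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/blog/comment"]
[Tue Nov 24 19:03:11 2020] [:error] [pid 8] [client 198.51.100.8:51001] ModSecurity: Warning. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/blog/comment"]
[Tue Nov 24 19:04:12 2020] [:error] [pid 9] [client 192.0.2.44:51002] ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/blog/comment"]
[Tue Nov 24 19:04:12 2020] [:error] [pid 9] [client 192.0.2.44:51002] ModSecurity: Warning. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/blog/comment"]
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "942100"], [uri "/x"], ...
CLIENT = re.compile(r'\[client (\d+\.\d+\.\d+\.\d+)')   # IPv4 only, port dropped
# Assumption: CRS 3.x anomaly-score evaluation rules; never suggest removing these.
ESSENTIAL = {"949110", "980130"}

def summarize(log_text):
    """Tally hits, distinct clients and distinct URIs per rule id."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set(), "msg": ""})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "ModSecurity:" not in line or "id" not in fields:
            continue
        entry = stats[fields["id"]]
        entry["hits"] += 1
        entry["msg"] = fields.get("msg", entry["msg"])
        entry["uris"].add(fields.get("uri", "?"))
        client = CLIENT.search(line)
        if client:
            entry["clients"].add(client.group(1))
    return dict(stats)

def suggest(stats, min_clients=3, max_uris=2):
    """Rule ids firing for many clients on few URIs: candidates for review, not proof."""
    return [rid for rid, e in sorted(stats.items())
            if rid not in ESSENTIAL
            and len(e["clients"]) >= min_clients and len(e["uris"]) <= max_uris]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for rid, e in sorted(stats.items(), key=lambda kv: -kv[1]["hits"]):
        print(f'{rid} hits={e["hits"]} clients={len(e["clients"])} uris={len(e["uris"])} {e["msg"]}')
    for rid in suggest(stats):
        print(f"SecRuleRemoveById {rid}")
```

On the sample, all three rule ids have three hits, but only 942100 is proposed: 920350 comes from a single client walking several URIs, and 949110 is held back as a scoring rule.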
### Notes
* Preferably do not edit default `/etc/apache*` files
* Work on separated `/srv/web/conf.d/*` configuration, if available
* And keep vhost settings in e.g. `vhost.*.dir` files, rather than
  multiple `<VirtualHost>` in one `*.conf` (else only the first section
  will be augmented).
* Use the editor (F4) to verify more complex settings.
### Missing features
* Rule [modify] is still unimplemented.
* Recipes are not worth using yet.
* No sudo usage.