Artifact [a1dc2fada8]
Artifact a1dc2fada8e58e00dcf73ab5f25b11b3e6ea285656d251e0ec1db79d704fddc6:
- File README.md — part of check-in [a7de0f8780] at 2022-10-21 22:50:25 on branch trunk — comment fixes (user: mario size: 4332)
mod_security config GUI
- GUI to define SecRuleRemoveById settings on a vhost-basis
- Tries to suggest false positives from error and audit logs
- And configure mod_security and CoreRuleSet variables.
- Runs locally, via
ssh -X
forwarding, or permodseccfg ssh:/
remoting.
Installation
You can install this package locally or on a server:
pip3 install modseccfg
And your distro must provide a full Python installaton and mod_security:
sudo apt install python3-tk ttf-unifont libapache2-mod-security2
Start options
To run the GUI locally / on test setups:
modseccfg
Or with sshfs remoting directly to the servers filesystem:
modseccfg root@vps5:/
A little slower on startup, but allows live log inspection. Requires
preconfigured ssh hosts and automatic pubkey authorization. Be aware
of the implicit ~/mnt/
point, if connecting as root.
Alternatively there's also slow X11 forwarding (ssh -X vps modseccfg
) or
xpra --start ssh:vps5 --start=modseccfg
to run it on
on the server.
Usage
You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.
- Start modseccfg (
python3 -m modseccfg
) - Select a configuration/vhost file to inspect + work on.
- Pick the according error.log
- Inspect the rules with a high error count (→[info] button to see docs).
- [Disable] offending rules
- Don't just go by the error count however!
- Make sure you don't disable essential or heuristic rules.
- Compare error with access log details.
- Else craft an exception rule ([Modify] or →Recipes).
- Thenceforth restart Apache (after testing changes:
apache2ctl -t
).
See also: usage remoting, or preconf/recipe setup, or the "FAQ".
Notes
- Preferrably do not edit default
/etc/apache*
files - Work on separated
/srv/web/conf.d/*
configuration, if available - And keep vhost settings in e.g.
vhost.*.dir
files, rather than multiple<VirtualHost>
in one*.conf
(else only the first section will be augmented). - Requires some setup for the recipes (notably *.preconf includes for vhosts), but not for basic rule disabling/modifications.
- File→Install packages are Debian-only
- Reporting scripts also require Ruby
from project
import meta
meta | info |
---|---|
depends | python:pysimplegui, python:pluginconf, python:tkinter, sys:mod-security, bin:sshfs |
compat | Python ≥3.6, Apache 2.x, mod_security 2.9.x, CRS 3.x, BSD/Linux |
compliancy | xdg, pluginspec, !pep8, logfmt, !desktop, !xdnd, mallard, man, sshrc, !netrc, !http_proxy, !nobackup, !releases.json, !doap, !packfile |
system usage | opportune shell invokes (sshfs, find, cat, dpkg, xdg-open) |
paths | ~/mnt/, ~/backup-config/, ~/.config/modseccfg/ |
testing | few data-driven assertions, only manual UI and usage tests |
docs | minimal wiki, yelp, news |
activity | burst, temporary |
state | beta |
support | None |
contrib | mail, fossil DVCS (create an account or send bundles) |
announce | freshcode.club, pypi.org |