GUI editor to tame mod_security rules


Update of "modseccfg"


Overview

Artifact ID: 302b15189bd8893e7a9e114ad37375b94d8723cfc23b6d1af4ad64618eddbc91
Page Name: modseccfg
Date: 2020-11-24 19:57:24
Original User: mario
Mimetype: text/x-markdown
Parent: 0f1eb171cf238aea3439e1f450fb84823d83c575a16fdcd9a35cea5cbc029420
Next: 88875acd7b66938a2ff6bfbd61e2cf87e0e9802ab0f07fd96acf61d14244a5d0
Content

WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION - It doesn't, but: no warranty and such. - Also, it doesn't have many features yet.

mod_security config

  • Simple GUI editor for SecRuleRemoveById settings
  • Tries to suggest false positives from error and audit logs
  • Can configure mod_security directives and CoreRuleSet variables.
  • Runs locally, via ssh -X forwarding, or against a remote server through an sshfs automount (modseccfg vps5:/).

Installation

  • You can install this package locally or on a server:

    pip3 install -U modseccfg
  • Requires a full Python 3.x installation with Tk bindings, plus mod_security itself:

    sudo apt install python3-tk ttf-unifont libapache2-mod-security2

Start options

  • To run the GUI locally / on test setups:

    modseccfg
  • To start it on a server via X11 forwarding (terribly slow over SSH):

    ssh -X vps5 modseccfg
  • Alternatively use xpra:

    xpra --start ssh:vps5 --start=modseccfg
  • Best: use an automatic filesystem mount (with ssh shortcut/pubkey auth already configured). That's a bit slow on startup, but pays off when browsing for details.

    modseccfg root@vps5:/

WARNING: This will bind the remote server root (/). Take care to configure the mount point (File → Settings → Utils → Remote binding), and make sure no backup or cleanup job is running whilst modseccfg is active.
This doesn't strictly require the root user for ssh, but the ssh user does need read permission on the logs and write permission on the individual *.conf files that are to be changed (chown the ones that shall be editable). The sshfs/fuse mount is terminated together with the GUI, though.

Usage

You obviously should already have Apache (2.x) + mod_security (2.9) + CRS (3.x) set up and running (in DetectionOnly mode initially), so that logs can be inspected and rules adapted.

  1. Start modseccfg (python3 -m modseccfg)
  2. Select a configuration/vhost file to inspect and work on.
  3. Pick the corresponding error.log
  4. Inspect the rules with a high error count.
  5. [Disable] offending rules
    • Don't just go by the error count however!
    • Make sure you don't disable essential or heuristic rules.
    • Compare error with access log details.
    • Otherwise craft an exception rule ([Modify] or →Recipes).
  6. Afterwards, test the changes (apache2ctl -t) and restart Apache.

Notes

  • Preferably do not edit the default /etc/apache* files
  • Work on separate /srv/web/conf.d/* configuration files, if available
  • And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> sections in one *.conf (else only the first section will be augmented).
  • Use the editor (F4) to verify more complex settings.

Missing features

  • Rule [modify] is still unimplemented.
  • Recipes are not worth using yet.
  • No sudo usage.