GUI editor to tame mod_security rules

βŒˆβŒ‹ βŽ‡ branch:  modseccfg


Update of "modseccfg"

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview

Artifact ID: 98fdfb58b77599ef83ca58ac67d446d2dde04c77166389266f44e21655f61807
Page Name:modseccfg
Date: 2020-12-09 22:41:43
Original User: mario
Mimetype:text/x-markdown
Parent: 88d764d8d6923b6c3ce43d39134793fe831a7dc2740be5f09d1348b38034ef7c (diff)
Next 5039698403362f2d9797f1d8d18ae14621590df41f671350b754ffaa073ddc4a
Content

mod_security config GUI

  • GUI to define SecRuleRemoveById settings on a vhost-basis
  • Tries to suggest false positives from error and audit logs
  • And configure mod_security and CoreRuleSet variables.
  • Runs locally, via ssh -X forwarding, or per modseccfg ssh:/ remoting.

WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION - It doesn't, but: no warranty and such. - Also, hasn't many features yet.

Installation

  • You can install this package locally or on a server:

    pip3 install -U modseccfg
    
  • And your distro must provide a full Python installaton and mod_security:

    sudo apt install python3-tk ttf-unifont libapache2-mod-security2
    

Start options

  • To run the GUI locally / on test setups:

    modseccfg
    
  • Or to connect to a remote server:

    modseccfg root@vps5:/
    

Tales a bit longer on startup, but is heaps better than X11 forwarding.

Usage

You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.

  1. Start modseccfg (python3 -m modseccfg)
  2. Select a configuration/vhost file to inspect + work on.
  3. Pick the according error.log
  4. Inspect the rules with a high error count.
  5. [Disable] offending rules
    • Don't just go by the error count however!
    • Make sure you don't disable essential or heuristic rules.
    • Compare error with access log details.
    • Else craft an exception rule ([Modify] or β†’Recipes).
  6. Thenceforth restart Apache (after testing changes: apache2ctl -t).

See also:

Notes

  • Preferrably do not edit default /etc/apache* files
  • Work on separated /srv/web/conf.d/* configuration, if available
  • And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
  • Use the editor (F4) to verify more complex settings.

Missing features

  • Rule [modify] is still unimplemented.
  • Recipes are not worth using yet.
  • No sudo usage.