D 2020-11-19T19:25:57.371
L modseccfg
N text/x-markdown
P 30303fa2ea1c9a0c708a8a13a324d69c5a1a762fd5ed66df12af4f97d308c79c
U mario
W 3237
<blockquote style="background:#fdc; padding: 20pt; border-radius: 10pt; border: 5pt solid #eba;">
 <b>WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION</b> - It doesn't, but: no warranty and such. - Also, hasn't many features yet.
</blockquote>

## mod_security config

 * Simple GUI editor for SecRuleRemoveById settings
 * Tries to suggest false positives from error and audit logs
 * Can configure mod_security directives and CoreRuleSet variables.
 * Runs locally, via `ssh -X` forwarding, or per `modseccfg vps5:/`
   automount.

<img src="/raw/59f5daf65f51e0642d0925d43aa6a6b262bb54aefd026cb342bcdecda01459c0?m=image/gif" width=640 height=480 style="margin:10pt">


## Installation

 * You can install this package locally or on a server:

        pip3 install modseccfg

 * Requires a full Python 3.x installation:

        sudo apt install python3-tk ttf-unifont libapache2-mod-security2

## Start options

 * To run the GUI locally / on test setups:

        modseccfg

 * To start it on a server per X11 forwarding (terribly slow over SSH):

        ssh -X vps5 modseccfg

 * Alternatively use [xpra](https://xpra.org/):

        xpra --start ssh:vps5 --start=modseccfg

 * **Best:** use an automatic filesystem mount (with ssh shortcut/pubkey auth
   already configured). That's a bit slow on startup, but pays off when
   browsing for details.
    
        modseccfg vps5:/
    
   > **WARNING**: This will bind the remote `/` server root. Take care to
   configure the mount point (File → Settings → Utils → Remote binding),
   and no backup or cleanup job is running whilst modseccfg is active.  
   This doesn't strictly require the root user for ssh, but permissions
   for logs and individual `*.conf` files when changed (`chown` the ones
   that shall be editable). 
   The sshfs/fuse mount will be terminated with the GUI, though.


## Usage

You obviously should have Apache(2.x) + mod_security(2.9) + CRS(3.x) set up
and running already (in DetectionOnly mode initially), to allow for log
inspection and adapting rules.

 1. Start modseccfg (`python3 -m modseccfg`)
 2. Select a configuration/vhost file to inspect + work on.
 3. Pick the according error.log
 4. Inspect the rules with a high error count.
 5. [Disable] offending rules
     * **Don't just go by the error count however!**
     * Make sure you don't disable essential or heuristic rules.
     * Compare error with access log details.
     * Else craft an exception rule ([Modify] or →Recipes).
 6. Thenceforth restart Apache after testing changes (`apache2ctl -t`).

### Notes

 * Preferrably do not edit default `/etc/apache*` files
 * Work on separated `/srv/web/conf.d/*` configuration, if available
 * And keep vhost settings in e.g. `vhost.*.dir` files, rather than
   multiple `<VirtualHost>` in one `*.conf` (else only the first section
   will be augmented).
 * Use the editor (F4) to verify more complex settings.

### Missing features

 * Doesn't process any audit.log yet.
 * Can't classify wrapped (`<Location>` or other directives) rules yet.
 * Recipes are not worth using yet.
 * No sudo usage.


Z 0a89cd0908ff5de5f640bd7ca45b9b8c