GUI editor to tame mod_security rules

βŒˆβŒ‹ βŽ‡ branch:  modseccfg

Shorten titles (rm modseccfg:)
mario authored 249 days ago last checkin c7b7b39b4
πŸ“‚ data Add data/ dir, and common_false_positives.log (for CRS 2.2 however, nβ€Ήβ€Ί 382 days ago
πŸ“‚ install Add basic plugin_load(), generilize `add_menu()` into `init()`β€Ήβ€Ί 342 days ago
πŸ“‚ scripts Add basic plugin_load(), generilize `add_menu()` into `init()`β€Ήβ€Ί 342 days ago
πŸ“„ __init__.py Remove remaining emoji Unicode occurences (info, modify, vhosts)β€Ήβ€Ί 282 days ago
πŸ“„ __main__.py Initial prototype (conf parser, log reader, mainwindow somewhat functβ€Ήβ€Ί 386 days ago
πŸ“„ advise.py hacky support for [menu]β†’[event] markupβ€Ήβ€Ί 366 days ago
πŸ“„ crsoptions.py Add tx.blocking_early CRS optionβ€Ήβ€Ί 273 days ago
πŸ“„ editor.py Use SPDX id in license:β€Ήβ€Ί 369 days ago
πŸ“„ icons.py Use crs icon.β€Ήβ€Ί 380 days ago
πŸ“„ logs.py change print() to log()β€Ήβ€Ί 346 days ago
πŸ“„ mainwindow.py Removed Wrap and Masquerade menu entries.β€Ήβ€Ί 282 days ago
πŸ“„ modify.py Remove remaining emoji Unicode occurences (info, modify, vhosts)β€Ήβ€Ί 282 days ago
πŸ“„ msc_pyrewrite.py Performance fix for pyrewrite in range() check.β€Ήβ€Ί 249 days ago
πŸ“„ recipe.py Add $msg placeholder for recipesβ€Ήβ€Ί 274 days ago
πŸ“„ ruleinfo.py Remove remaining emoji Unicode occurences (info, modify, vhosts)β€Ήβ€Ί 282 days ago
πŸ“„ secoptions.py Use SPDX id in license:β€Ήβ€Ί 369 days ago
πŸ“„ utils.py Add basic plugin_load(), generilize `add_menu()` into `init()`β€Ήβ€Ί 342 days ago
πŸ“„ vhosts.py Remove remaining emoji Unicode occurences (info, modify, vhosts)β€Ήβ€Ί 282 days ago
πŸ“„ writer.py Use prefix/whitespace prepending for whole block (some macros just goβ€Ήβ€Ί 353 days ago

modseccfg

mod_security config GUI

  • GUI to define SecRuleRemoveById settings on a vhost-basis
  • Tries to suggest false positives from error and audit logs
  • And configure mod_security and CoreRuleSet variables.
  • Runs locally, via ssh -X forwarding, or per modseccfg ssh:/ remoting.

WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION - It doesn't, but: no warranty and such. - Also, hasn't many features yet.

Installation

  • You can install this package locally or on a server:

    pip3 install -U modseccfg
    
  • And your distro must provide a full Python installaton and mod_security:

    sudo apt install python3-tk ttf-unifont libapache2-mod-security2
    

Start options

  • To run the GUI locally / on test setups:

    modseccfg
    
  • Or to connect to a remote server:

    modseccfg root@vps5:/
    

Takes a bit longer on startup, but is heaps better than X11 forwarding.

Usage

You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.

  1. Start modseccfg (python3 -m modseccfg)
  2. Select a configuration/vhost file to inspect + work on.
  3. Pick the according error.log
  4. Inspect the rules with a high error count.
  5. [Disable] offending rules
    • Don't just go by the error count however!
    • Make sure you don't disable essential or heuristic rules.
    • Compare error with access log details.
    • Else craft an exception rule ([Modify] or β†’Recipes).
  6. Thenceforth restart Apache (after testing changes: apache2ctl -t).

See also:

Notes

  • Preferrably do not edit default /etc/apache* files
  • Work on separated /srv/web/conf.d/* configuration, if available
  • And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
  • Use the editor (F4) to verify more complex settings.

Missing features

  • Rule [modify] is still unimplemented.
  • Recipes are not worth using yet.
  • No sudo usage.

Attachments:

  • overview.gif [download] added by mario on 2020-12-09 22:39:53. [details]