Install GotRoot ModSecurity Rules On A cPanel Server


ModSecurity is a web application firewall that filters HTTP requests to prevent poor or malicious code from being executed or exploited on a Linux server. On a cPanel server the module is easily installed through EasyApache, and it is highly recommended for enhancing your server's security. Installing the GotRoot ModSecurity rules on a cPanel server further improves the effectiveness of the module, since the default rule set provided by ModSecurity is pretty basic.

The GotRoot rules compiled by Atomicorp dramatically improve ModSecurity's effectiveness while reducing false positives. Atomicorp provides a free release of these rules (delayed by at least 90 days) which is relatively easy to install.

To install the GotRoot ModSecurity rules on a cPanel server, log in to your server via SSH as root and perform the following steps.

1. First create the required directories (mkdir -p also creates the parent directories and does not fail if a directory already exists)

mkdir -p /etc/httpd/modsecurity.d
mkdir -p /var/asl/tmp
mkdir -p /var/asl/data/msa
mkdir -p /var/asl/data/audit
mkdir -p /var/asl/data/suspicious

2. Change ownership and permissions on the data folders (on cPanel, Apache runs as the nobody user, so that user must own them; other users get no read or traverse access)

chown nobody:nobody /var/asl/data/msa
chown nobody:nobody /var/asl/data/audit
chown nobody:nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*

3. Upload the rules to /etc/httpd/modsecurity.d (the rule set includes the .conf files listed below as well as the accompanying .txt files; all of them go into this directory)

Include /etc/httpd/modsecurity.d/05_asl_exclude.conf
Include /etc/httpd/modsecurity.d/10_asl_antimalware.conf
Include /etc/httpd/modsecurity.d/10_asl_rules.conf
Include /etc/httpd/modsecurity.d/11_asl_data_loss.conf
Include /etc/httpd/modsecurity.d/20_asl_useragents.conf
Include /etc/httpd/modsecurity.d/30_asl_antispam.conf
Include /etc/httpd/modsecurity.d/50_asl_rootkits.conf
Include /etc/httpd/modsecurity.d/60_asl_recons.conf
Include /etc/httpd/modsecurity.d/61_asl_recons_dlp.conf
Include /etc/httpd/modsecurity.d/99_asl_jitp.conf

4. Add the following lines to the user configuration file (/usr/local/apache/conf/modsec2.user.conf). Note that the quoted values must use straight double quotes; typographic quotes copied from a web page are rejected by Apache.

SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
# Audit-log only requests that ended in a 5xx, or a 4xx other than 404
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
# Intercepted uploads are written to the directory created in step 1
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
# Pull in every rule file uploaded in step 3
Include /etc/httpd/modsecurity.d/*.conf

Add the following to the php.ini file to avoid PCRE errors:

pcre.backtrack_limit = 50000
pcre.recursion_limit = 50000
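As an added example (not part of the original guide), the following POSIX shell script checks the result of the steps above before Apache is restarted: that every expected rule file from step 3 is present, that the user configuration contains no typographic quotes (the copy/paste error that breaks the quoted directives in step 4), and that the data directories from step 2 are not readable by others. The paths default to the ones used in this guide and can be overridden through environment variables; the apachectl syntax check is assumed to be available on PATH.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the GotRoot/ASL layout
# from the steps above before restarting Apache. Defaults are the guide's paths;
# override them through the environment to run against a staging tree.
RULES_DIR="${RULES_DIR:-/etc/httpd/modsecurity.d}"
USER_CONF="${USER_CONF:-/usr/local/apache/conf/modsec2.user.conf}"
DATA_DIR="${DATA_DIR:-/var/asl/data}"
# The .conf files step 3 expects in the rules directory.
ASL_CONFS="05_asl_exclude.conf 10_asl_antimalware.conf 10_asl_rules.conf
11_asl_data_loss.conf 20_asl_useragents.conf 30_asl_antispam.conf
50_asl_rootkits.conf 60_asl_recons.conf 61_asl_recons_dlp.conf 99_asl_jitp.conf"
# check_rule_files DIR: returns 1 and names every expected .conf that is missing.
check_rule_files() {
  miss=0
  for f in $ASL_CONFS; do
    [ -f "$1/$f" ] || { echo "missing rule file: $1/$f"; miss=1; }
  done
  return $miss
}
# check_quotes FILE: returns 1 if FILE is missing or contains typographic quotes
# (U+201C/U+201D), which copy/paste from a web page often introduces and which
# Apache rejects around values such as SecAuditLogRelevantStatus.
check_quotes() {
  [ -f "$1" ] || { echo "missing config: $1"; return 1; }
  if grep -q -e "$(printf '\342\200\234')" -e "$(printf '\342\200\235')" "$1"; then
    echo "typographic quotes found in $1"; return 1
  fi
}
# check_private DIR: returns 1 if DIR is missing or "others" can read or traverse
# it, i.e. the chmod o-rx from step 2 was not applied to the upload/audit data.
check_private() {
  [ -d "$1" ] || { echo "missing directory: $1"; return 1; }
  others=$(ls -ld "$1" | cut -c8-10)
  case "$others" in
    *r*|*x*) echo "$1 is readable or traversable by others ($others)"; return 1 ;;
  esac
}
# run_checks: runs every check and returns non-zero if any of them failed.
run_checks() {
  rc=0
  check_rule_files "$RULES_DIR" || rc=1
  check_quotes "$USER_CONF" || rc=1
  for d in msa audit suspicious; do check_private "$DATA_DIR/$d" || rc=1; done
  # Let Apache validate the merged configuration when apachectl is on PATH.
  if command -v apachectl >/dev/null 2>&1; then apachectl -t || rc=1; fi
  return $rc
}
# Run when invoked as "sh asl_check.sh run"; sourcing the file only defines the functions.
[ "${1:-}" = run ] && run_checks
```

Run it as root after step 4; a non-zero exit status with the printed reasons means the installation should be corrected before Apache is restarted.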