Bug 95102 - Better default config for mod_security
Summary: Better default config for mod_security
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Luca Longinotti (RETIRED)
URL: http://www.gotroot.com/mod_security+r...
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2005-06-05 02:31 UTC by Ed Wildgoose
Modified: 2007-09-08 08:12 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---
Attachments
- update mod_security default config (99_mod_security.conf, 1.48 KB, text/plain), 2005-06-05 02:32 UTC, Ed Wildgoose
- Download new mod_security rules (update_rules.sh, 292 bytes, text/plain), 2005-06-05 02:33 UTC, Ed Wildgoose

Description Ed Wildgoose 2005-06-05 02:31:08 UTC
The default config for mod_security is not all that helpful.  It still requires
you to read quite a lot and understand quite a lot.  Not likely to encourage
wider adoption of this useful security tool.

There is a very good basic example set of rules at:
http://www.gotroot.com/mod_security+rules
...which locks down quite a lot of issues, detects quite a few current security
issues in major applications, and seems to work quite well out of the box (well,
I didn't need to tweak anything to keep my current www applications running).

Attached is a replacement for the current:
/usr/lib/apache2/conf/modules.d/99_mod_security.conf file, and also a tiny
script to download the latest set of rules from the above URL.

Please consider changing the current default config to use the scripts above,
possibly distributing the current scripts as of today + the updater script, so
that at least the user has a useful system even if the source website is
temporarily unavailable.  I haven't attached those configs as of today since one
can simply download them directly.

Grateful if someone would consider this and commit the changes (note that I put
my files into /etc/modsecurity - is this the best location?)

Thanks

Reproducible: Always
Steps to Reproduce:
Comment 1 Ed Wildgoose 2005-06-05 02:32:36 UTC
Created attachment 60626 [details]
update mod_security default config
Comment 2 Ed Wildgoose 2005-06-05 02:33:05 UTC
Created attachment 60627 [details]
Download new mod_security rules
Comment 3 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-06-07 21:11:04 UTC
Hehe, thanks for this. :)  I'm no longer in the Apache herd, so I'm not sure
if I can continue maintaining this - Cc'ing apache-bugs@g.o. :)
Comment 4 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-06-04 20:42:04 UTC
I believe beu is retired, bringing this back to apache-bugs.

chtekk: you recently did a version bump for mod_security, perhaps you want to look into this?
Comment 5 Luca Longinotti (RETIRED) gentoo-dev 2006-06-05 06:11:47 UTC
Yup, I'll take a look at this.
Best regards, CHTEKK.
Comment 6 Peter Abrahamsen 2006-10-31 13:31:21 UTC
While this would certainly be nice, the latest rules appear to depend on mod_security 2, which is not yet in portage (see #151826). It's not clear whether the default ruleset package versioning matches mod_security versions.
Comment 7 Benedikt Böhm (RETIRED) gentoo-dev 2007-09-08 08:12:42 UTC
Since 2.1.1 mod_security includes the default ruleset; starting with 2.1.2 (in cvs now) this core ruleset also works ;)