ModSecurity is a web application firewall that filters incoming requests to stop poorly written or malicious code from being executed or exploited on a Linux server.
On a cPanel server this module is easily installed through the EasyApache application and is highly recommended to enhance your server's security.
However, the default rules supplied with it are not only quite basic but also produce a high rate of false positives, which in a shared hosting environment become a major pain to deal with.
The GotRoot rules compiled by Atomicorp are a fantastic alternative and dramatically improve ModSecurity's effectiveness while reducing false positives. Atomicorp provides a free release of these rules (delayed by at least 90 days) which is relatively easy to install on your cPanel server.
Log in to your server via SSH as root, then perform the following steps.
1. First, create the required directories:
mkdir /etc/httpd/modsecurity.d
mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious
2. Change ownership and permissions on the data folders (cPanel runs Apache as the "nobody" user):
chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*
3. Upload the rules to /etc/httpd/modsecurity.d (include the .conf files listed below as well as the accompanying .txt files). Note that pico cannot open a directory, so there is nothing to edit at this step; the rule files are loaded by the wildcard Include added to the user configuration file in step 4, which is equivalent to the following individual Include directives:
Include /etc/httpd/modsecurity.d/05_asl_exclude.conf
Include /etc/httpd/modsecurity.d/10_asl_antimalware.conf
Include /etc/httpd/modsecurity.d/10_asl_rules.conf
Include /etc/httpd/modsecurity.d/11_asl_data_loss.conf
Include /etc/httpd/modsecurity.d/20_asl_useragents.conf
Include /etc/httpd/modsecurity.d/30_asl_antispam.conf
Include /etc/httpd/modsecurity.d/50_asl_rootkits.conf
Include /etc/httpd/modsecurity.d/60_asl_recons.conf
Include /etc/httpd/modsecurity.d/61_asl_recons_dlp.conf
Include /etc/httpd/modsecurity.d/99_asl_jitp.conf
4. Add the following lines to the user configuration file (/usr/local/apache/conf/modsec2.user.conf). Use plain ASCII double quotes; the curly quotes that web pages often substitute end up inside the directive's argument and the regular expression then never matches.
pico /usr/local/apache/conf/modsec2.user.conf
Add these directives:
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
Include /etc/httpd/modsecurity.d/*.conf
5. Add the following to the php.ini file to avoid PCRE errors:
pico /usr/local/lib/php.ini
Add these lines at the end of php.ini:
pcre.backtrack_limit = 50000
pcre.recursion_limit = 50000
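The whole procedure above, collected into a set of shell functions as an added example (this is not part of the original guide or of Atomicorp's own tooling). The function names are hypothetical; paths and the web server user default to the ones the guide uses and can be overridden by arguments, which is also how the functions can be exercised in a scratch directory. Two pre-flight checks are added that the guide does not spell out: a check that every expected rule file is actually present (the wildcard Include silently loads whatever happens to be in the directory, so a failed upload goes unnoticed), and a check that the configuration contains no non-ASCII bytes such as curly quotes pasted from a web page.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent helpers for the
# directory, permission and configuration steps plus two pre-flight checks
# to run before Apache is reloaded. Function names are hypothetical.

# Rule files the guide expects in the rule directory (step 3).
ASL_RULE_FILES="05_asl_exclude.conf 10_asl_antimalware.conf 10_asl_rules.conf
11_asl_data_loss.conf 20_asl_useragents.conf 30_asl_antispam.conf
50_asl_rootkits.conf 60_asl_recons.conf 61_asl_recons_dlp.conf 99_asl_jitp.conf"

# Step 1: create the data tree. $1 = base directory (default /var/asl).
asl_make_dirs() {
    base="${1:-/var/asl}"
    for d in tmp data/msa data/audit data/suspicious; do
        mkdir -p "$base/$d" || return 1
    done
}

# Step 2: ownership and permissions. $1 = base dir, $2 = web server user
# (cPanel's Apache runs as "nobody"). chown runs only as root; the chmod calls
# mirror the guide (strip other's r/x, give user and group full access).
asl_set_perms() {
    base="${1:-/var/asl}"; user="${2:-nobody}"
    for d in msa audit suspicious; do
        if [ "$(id -u)" -eq 0 ]; then chown "$user:$user" "$base/data/$d" || return 1; fi
        chmod -R o-rx "$base/data/$d" && chmod -R ug+rwx "$base/data/$d" || return 1
    done
}

# Step 4: write the global directives. $1 = target file, $2 = data base dir,
# $3 = rule directory. Overwrites the target, so back it up first.
asl_write_user_conf() {
    conf="$1"; base="${2:-/var/asl}"; rules="${3:-/etc/httpd/modsecurity.d}"
    cat > "$conf" <<EOF
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir $base/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir $base/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir $base/data/audit
SecResponseBodyLimitAction ProcessPartial
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
Include $rules/*.conf
EOF
}

# Step 5: append the PCRE limits to php.ini once (skipped when already set).
asl_php_pcre_limits() {
    ini="${1:-/usr/local/lib/php.ini}"
    grep -q '^pcre.backtrack_limit' "$ini" || echo 'pcre.backtrack_limit = 50000' >> "$ini"
    grep -q '^pcre.recursion_limit' "$ini" || echo 'pcre.recursion_limit = 50000' >> "$ini"
}

# Pre-flight: report rule files missing from the rule directory.
# Returns the number of missing files (0 = all present).
asl_check_rules() {
    dir="${1:-/etc/httpd/modsecurity.d}"; missing=0
    for f in $ASL_RULE_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing rule file: $dir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Pre-flight: fail if the config holds non-ASCII bytes (typically curly quotes
# copied from a web page); the quotes become part of the directive's argument
# and a quoted regex such as SecAuditLogRelevantStatus then never matches.
asl_check_ascii() {
    count=$(( $(LC_ALL=C tr -d '\000-\177' < "$1" | wc -c) ))
    if [ "$count" -gt 0 ]; then
        echo "$1: $count non-ASCII byte(s); offending lines:" >&2
        LC_ALL=C grep -n '[^[:print:][:space:]]' "$1" >&2 || true
        return 1
    fi
}

# Typical run on the cPanel server as root (commented out so the file can be
# sourced for its checks without side effects):
# asl_make_dirs && asl_set_perms && asl_check_rules && \
# asl_write_user_conf /usr/local/apache/conf/modsec2.user.conf && \
# asl_check_ascii /usr/local/apache/conf/modsec2.user.conf && \
# asl_php_pcre_limits && apachectl -t
```

The `apachectl -t` at the end of the commented run is the standard Apache syntax check; do the restart only after it reports a clean configuration, and re-run `asl_check_rules` after every rule update, since a partial upload is exactly the failure the wildcard Include hides.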