Latest revision as of 23:51, 23 October 2014
MODSEC
Modsec database is missing
When cPanel emails the customer an error similar to this, follow this guide.
/etc/cron.hourly/modsecparse.pl: DBI connect('modsec:localhost','modsec',...) failed: Access denied for user 'modsec'@'localhost' (using password: YES) at /etc/cron.hourly/modsecparse.pl line 19 Unable to connect to mysql database at /etc/cron.hourly/modsecparse.pl line 19.
First check phpMyAdmin (or run the following command) to see if the modsec DB exists.
mysql -e "show databases;" | grep modsec
If it does exist, just reset the modsec user's password to what this displays (assuming that it is the same script in question):
cat /etc/cron.hourly/modsecparse.pl | grep dbpassword\ =
If it does not, use the following to create it.
mysql
create database modsec;
use modsec;
CREATE TABLE `modsec` (
  `id` int(11) NOT NULL auto_increment,
  `ip` varchar(15) default NULL,
  `date` date default NULL,
  `time` time default NULL,
  `handler` varchar(254) default NULL,
  `get` text,
  `host` varchar(254) default NULL,
  `mod_security_message` text,
  `mod_security_action` text,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
After that part has been completed, verify that the table exists with either phpMyAdmin or the following command.
describe modsec;
Now that we have verified everything, add the user and password for this database. Replace PASSWORD with the password found in the file listed in the error, in this case /etc/cron.hourly/modsecparse.pl.
cat /etc/cron.hourly/modsecparse.pl | grep dbpassword\ =
Then run the following command.
grant all on modsec.* to 'modsec'@'localhost' identified by 'PASSWORD';
flush privileges;
Now the problem should be fixed. If the database still existed, all you should have had to do is reset the password through phpMyAdmin.
my whitelisting script
wget http://shooltz.net/modsec_whitelister.sh
chmod +x modsec_whitelister.sh
./modsec_whitelister.sh
Remove specific URI protection from a rule.
### Ticket :: 2828983 :: mshooltz :: 07/22/2011
<LocationMatch "/administrator/index.php">
SecRuleRemoveById 300013 300014 300015 300016 300017
</LocationMatch>
### End 2828983
Remove specified directory from modsec
SecRule REQUEST_URI "URI goes here" phase:1,nolog,allow,ctl:ruleEngine=Off
Add to this file and restart:
vi /usr/local/apache/conf/modsec2/whitelist.conf
/etc/init.d/httpd restart
/etc/init.d/apf restart
Remove a whole domain
SecRule SERVER_NAME "handymanreality.com" phase:1,nolog,allow,ctl:ruleEngine=Off
Common modsec URIs
/wp-admin/post.php
/wp-admin/admin-ajax.php
/wp-admin/page.php
/wp-admin/async-upload.php
/wp-admin/theme-editor.php
/wp-admin/admin.php
/wp-admin/nav-menus.php
Script to email Modsec logs per day to the customer.
First make the script:
touch /root/modseclog.sh
touch /root/tmplog.txt
touch /root/tmplog2.txt
chmod +x /root/modseclog.sh
vim /root/modseclog.sh
Paste the following into it.
#!/bin/bash
# "Mon DD" as printed by date, used to pick today's lines out of error_log
date=`date | awk '{print$2, $3}'`
echo "" > /root/tmplog.txt && echo "" > /root/tmplog2.txt
# every modsec line from the Apache error log
grep modsec /usr/local/apache/logs/error_log > /root/tmplog.txt
# keep only today's lines from the file written above
grep "$date" /root/tmplog.txt > /root/tmplog2.txt
mail -s "Modsec Log for $date" (email goes here) < /root/tmplog2.txt
Save it and then add the following line into your crontab.
57 23 * * * /root/modseclog.sh
Now wait for 11:57 and then check your email. :P
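As an added example (not from this wiki page and not cPanel's modsecparse.pl), the following Python parses ModSecurity lines out of an Apache error_log into rows shaped like the modsec table created earlier, then keeps one day's events and summarizes them the way the daily mail above could; the sample log lines, rule ids, hostnames, file path and the column mapping are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample error_log lines (Apache 2.2 format, ModSecurity 2.x messages); not real events.
SAMPLE_LOG = """\
[Thu Oct 23 10:01:02 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "example-pattern" at ARGS:id. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "42"] [id "300015"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "VEl5example"]
[Thu Oct 23 10:05:44 2014] [error] [client 198.51.100.7] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "90"] [id "981176"] [msg "Inbound anomaly score exceeded"] [hostname "www.example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "VEl6example"]
[Thu Oct 23 10:06:10 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "example-pattern" at ARGS:id. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "42"] [id "300015"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "VEl7example"]
[Wed Oct 22 23:59:59 2014] [error] [client 192.0.2.9] ModSecurity: Access denied with code 403 (phase 1). Pattern match "example-pattern" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "12"] [id "300013"] [msg "Remote file inclusion protection"] [hostname "shop.example.com"] [uri "/administrator/index.php"] [unique_id "VEl8example"]
[Thu Oct 23 10:07:00 2014] [error] [client 192.0.2.9] File does not exist: /home/user/public_html/favicon.ico
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
                     r'ModSecurity: (?P<action>Access denied with code \d+|Warning)')
TAG_RE = re.compile(r'\[([a-z_]+) "([^"]*)"\]')  # the [key "value"] tags at the end of a message

def parse_line(line):
    """One row shaped like the page's modsec table, or None for non-ModSecurity lines.
    The column mapping is an assumption; the page does not say what modsecparse.pl stores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tags = dict(TAG_RE.findall(line))
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")  # "%d" also accepts "Oct  5"
    return {"ip": m.group("ip"), "date": ts.date().isoformat(), "time": ts.time().isoformat(),
            "handler": None, "get": tags.get("uri"), "host": tags.get("hostname"),
            "mod_security_message": tags.get("msg"), "mod_security_action": m.group("action"),
            "rule_id": tags.get("id")}  # rule_id is not a table column; kept for the summary

def events_for_day(log_text, day):
    """Rows for one day (YYYY-MM-DD); replaces the page's grep "$date" step, which only works
    while the log's day stamp matches the output of `date` character for character."""
    return [r for r in map(parse_line, log_text.splitlines()) if r and r["date"] == day]

def summarize(rows):
    """Counts a daily report should lead with: blocks vs warnings, hits per rule, hits per client."""
    blocked = sum(r["mod_security_action"].startswith("Access denied") for r in rows)
    by_rule = Counter((r["rule_id"], r["mod_security_message"]) for r in rows).most_common()
    by_ip = Counter(r["ip"] for r in rows).most_common()
    return {"total": len(rows), "blocked": blocked, "by_rule": by_rule, "by_ip": by_ip}

if __name__ == "__main__":
    s = summarize(events_for_day(SAMPLE_LOG, "2014-10-23"))
    print(f"Modsec Log for 2014-10-23: {s['total']} events, {s['blocked']} blocked")
    for (rid, msg), n in s["by_rule"]:
        print(f"  rule {rid} ({msg}): {n}")
```

Rows from parse_line carry the same column names as the table, so they can be inserted with a parameterized INSERT instead of being mailed raw.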