Latest revision as of 23:51, 23 October 2014

MODSEC

Modsec database is missing

When cPanel emails the customer an error similar to this, follow this guide.

/etc/cron.hourly/modsecparse.pl:
DBI connect('modsec:localhost','modsec',...) failed: Access
denied for user 'modsec'@'localhost' (using password: YES) at
/etc/cron.hourly/modsecparse.pl line 19 Unable to connect to mysql database at
/etc/cron.hourly/modsecparse.pl line 19.

First, check phpMyAdmin (or run the following command) to see whether the modsec DB exists.

mysql -e "show databases;" | grep modsec

If it does exist, just reset the modsec user's password to what this displays (assuming the script named in the error is the same one).

grep 'dbpassword =' /etc/cron.hourly/modsecparse.pl

If it does not exist, use the following to create it.

mysql
create database modsec;
use modsec;
CREATE TABLE `modsec` (
  `id` int(11) NOT NULL auto_increment,
  `ip` varchar(15) default NULL,
  `date` date default NULL,
  `time` time default NULL,
  `handler` varchar(254) default NULL,
  `get` text,
  `host` varchar(254) default NULL,
  `mod_security_message` text,
  `mod_security_action` text,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

After that part has been completed, verify that the table exists with either phpMyAdmin or the following command.

describe modsec;

Now that everything has been verified, add the user and password for this database. Replace PASSWORD with the password found in the file listed in the error, in this case /etc/cron.hourly/modsecparse.pl.

grep 'dbpassword =' /etc/cron.hourly/modsecparse.pl

Then run the following command.

grant all on modsec.* to 'modsec'@'localhost' identified by 'PASSWORD';
flush privileges;

The problem should now be fixed. If the database already existed, all you should have needed to do is reset the password through phpMyAdmin.
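The check/create/grant steps above, scripted end to end. This is an added example, not the wiki's or cPanel's own code. It assumes two things the page does not confirm: that modsecparse.pl stores its password on a line of the form my $dbpassword = "secret"; and that root can run the mysql client without a password (as with cPanel's /root/.my.cnf). The password is quoted before it is placed in the GRANT statement, and the final step connects as the modsec user exactly the way the cron job will, so a wrong password shows up here rather than in the next hourly email.

```shell
#!/bin/sh
# Added example (not the wiki's own code): automate the check/create/grant steps.
# Assumptions not confirmed by the page: modsecparse.pl keeps its password on a line
# like   my $dbpassword = "secret";   and root can run `mysql` without a password.
MODSEC_SCRIPT=${MODSEC_SCRIPT:-/etc/cron.hourly/modsecparse.pl}

# The password the cron job will use: the double-quoted value after "dbpassword =",
# skipping comment lines (this is what the page's grep shows, minus the noise).
modsec_db_password() {
    sed -n -e '/^[[:space:]]*#/d' \
           -e 's/.*dbpassword[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Make a value safe inside a single-quoted MySQL string literal: double every quote
# and every backslash (MySQL treats backslash as an escape character by default).
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# SQL reproducing the page's steps idempotently: the database, the table the cron
# job inserts into, and the modsec@localhost grant carrying the script's password.
modsec_repair_sql() {
    pw=$(sql_quote "$1")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS modsec;
USE modsec;
CREATE TABLE IF NOT EXISTS \`modsec\` (
  \`id\` int(11) NOT NULL auto_increment,
  \`ip\` varchar(15) default NULL,
  \`date\` date default NULL,
  \`time\` time default NULL,
  \`handler\` varchar(254) default NULL,
  \`get\` text,
  \`host\` varchar(254) default NULL,
  \`mod_security_message\` text,
  \`mod_security_action\` text,
  PRIMARY KEY (\`id\`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
-- GRANT ... IDENTIFIED BY creates the account if missing and resets the password
-- if it exists (MySQL 5.x / MariaDB). MySQL 8 removed this form: there, run
-- CREATE USER / ALTER USER first and GRANT without IDENTIFIED BY.
GRANT ALL ON modsec.* TO 'modsec'@'localhost' IDENTIFIED BY '$pw';
FLUSH PRIVILEGES;
EOF
}

# The page's first check, without phpMyAdmin.
modsec_db_exists() {
    mysql -N -e "SHOW DATABASES LIKE 'modsec'" | grep -qx modsec
}

modsec_repair() {
    pw=$(modsec_db_password "$MODSEC_SCRIPT")
    if [ -z "$pw" ]; then
        echo "no dbpassword found in $MODSEC_SCRIPT" >&2
        return 1
    fi
    if modsec_db_exists; then
        echo "modsec database exists; only the grant/password will be (re)applied"
    fi
    modsec_repair_sql "$pw" | mysql || return 1
    # Verify exactly what the cron job does: connect as modsec with that password.
    # MYSQL_PWD keeps the password out of `ps` output, unlike -p on the command line.
    MYSQL_PWD=$pw mysql -u modsec -e 'DESCRIBE modsec' modsec >/dev/null \
        && echo "modsec@localhost can read modsec.modsec: OK"
}

case "${1:-}" in
    --apply) modsec_repair ;;                                              # do it
    --show)  modsec_repair_sql "$(modsec_db_password "$MODSEC_SCRIPT")" ;; # print the SQL only
esac
```

Run it with --show first to review the SQL that would be applied (the password is printed, so do this in a root shell, not a shared terminal log), then with --apply. Nothing is run when the script is sourced without arguments.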

my whitelisting script

wget http://shooltz.net/modsec_whitelister.sh
chmod +x modsec_whitelister.sh
./modsec_whitelister.sh

Remove specific rules from one URI only.

### Ticket :: 2828983  :: mshooltz :: 07/22/2011
<LocationMatch "/administrator/index.php">
SecRuleRemoveById 300013 300014 300015 300016 300017
</LocationMatch>
### End 2828983

Exclude a specified URI from mod_security entirely.

SecRule REQUEST_URI  "URI goes here" phase:1,nolog,allow,ctl:ruleEngine=Off

Add the rule to this file, then restart Apache and APF.

vi /usr/local/apache/conf/modsec2/whitelist.conf
/etc/init.d/httpd restart
/etc/init.d/apf restart

Remove a whole domain

SecRule SERVER_NAME "handymanreality.com" phase:1,nolog,allow,ctl:ruleEngine=Off

Common URIs that mod_security blocks (WordPress admin)

/wp-admin/post.php
/wp-admin/admin-ajax.php
/wp-admin/page.php
/wp-admin/async-upload.php
/wp-admin/theme-editor.php
/wp-admin/admin.php
/wp-admin/nav-menus.php
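The three kinds of whitelist entry shown above, generated for the WordPress admin URIs just listed and installed only after Apache accepts the new config. This is an added example, not the wiki's or cPanel's code. It assumes ModSecurity 2.7 or later, where every SecRule must carry an id: action (the page's rules predate that requirement and fail the config test on those versions), and the cPanel paths the page uses. The generated rules use literal operators (@beginsWith, @streq) instead of the default regex match, so the dots in paths and hostnames are not treated as wildcards, and the LocationMatch expression is anchored and escaped for the same reason.

```shell
#!/bin/sh
# Added example, not the wiki's or cPanel's code: generate whitelist entries for the
# patterns above and reload Apache only after a config test. Assumptions: ModSecurity
# 2.7+ (rules need an id:), and the page's cPanel paths under /usr/local/apache.
WHITELIST=${WHITELIST:-/usr/local/apache/conf/modsec2/whitelist.conf}
# 1-99,999 is the id range the ModSecurity reference manual reserves for local rules.
NEXT_ID=${NEXT_ID:-90001}

# Backslash-escape the characters that matter inside a double-quoted directive argument.
conf_quote() { printf '%s' "$1" | sed 's/["\\]/\\&/g'; }

# Let one URI prefix through untouched. @beginsWith is a literal prefix test, so the
# dot in /wp-admin/post.php is not a regex wildcard as it would be under @rx.
# $1 rule id, $2 URI prefix.
uri_allow_rule() {
    printf 'SecRule REQUEST_URI "@beginsWith %s" "id:%s,phase:1,nolog,allow,ctl:ruleEngine=Off"\n' \
        "$(conf_quote "$2")" "$1"
}

# Exclude a whole site: lowercase, then compare the hostname exactly (@streq). An
# unanchored regex "handymanreality.com" would also match handymanreality.com.evil.example.
# $1 rule id, $2 hostname.
domain_allow_rule() {
    printf 'SecRule SERVER_NAME "@streq %s" "id:%s,phase:1,t:none,t:lowercase,nolog,allow,ctl:ruleEngine=Off"\n' \
        "$(conf_quote "$2")" "$1"
}

# Drop only the named rule ids for one path. LocationMatch takes a regex, so anchor
# the start and escape metacharacters; a bare "/administrator/index.php" also matches
# /x/administrator/indexXphp. $1 path, remaining arguments rule ids.
remove_ids_block() {
    path=$1; shift
    re=$(printf '%s' "$path" | sed 's/[].[\*^$]/\\&/g')
    printf '<LocationMatch "^%s">\n    SecRuleRemoveById %s\n</LocationMatch>\n' "$re" "$*"
}

# The page's list of WordPress URIs mod_security commonly blocks, one rule each.
wp_admin_rules() {
    id=$NEXT_ID
    for u in /wp-admin/post.php /wp-admin/admin-ajax.php /wp-admin/page.php \
             /wp-admin/async-upload.php /wp-admin/theme-editor.php \
             /wp-admin/admin.php /wp-admin/nav-menus.php; do
        uri_allow_rule "$id" "$u"
        id=$((id + 1))
    done
}

# Append rules read from stdin, then restart only if Apache accepts the result;
# a typo in whitelist.conf would otherwise take the web server down.
install_rules() {
    cat >> "$WHITELIST"
    if /usr/local/apache/bin/apachectl -t 2>&1; then
        /etc/init.d/httpd restart
    else
        echo "config test failed: fix $WHITELIST before restarting" >&2
        return 1
    fi
}

case "${1:-}" in
    --wp-admin) wp_admin_rules ;;                    # print the rules for review
    --install)  wp_admin_rules | install_rules ;;    # append them and restart
esac
```

ctl:ruleEngine=Off is what the page uses, and it turns the engine off for the matched request entirely; if you still want those requests to appear in the audit log while not being blocked, ctl:ruleEngine=DetectionOnly is the alternative.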

Script to email Modsec logs to the customer once a day

First create the script and its temporary files.

touch /root/modseclog.sh
touch /root/tmplog.txt
touch /root/tmplog2.txt
chmod +x /root/modseclog.sh
vim /root/modseclog.sh

Paste the following into it.

#!/bin/bash

# Apache zero-pads the day in error_log ("Oct 03"); `date | awk '{print $2,$3}'`
# gives "Oct 3", so use the same format Apache writes.
date=$(date '+%b %d')
recipient="(email goes here)"
# All mod_security lines; -i also matches the "ModSecurity:" spelling.
grep -i modsec /usr/local/apache/logs/error_log > /root/tmplog.txt
# Keep only today's entries (the file written above, not /root/tmp.txt).
grep "$date" /root/tmplog.txt > /root/tmplog2.txt
mail -s "Modsec Log for $date" "$recipient" < /root/tmplog2.txt

Save it, then add the following line to your crontab.

57 23 * * * /root/modseclog.sh

Now wait for 11:57 PM and then check your email. :P
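A version of the daily report that summarises the day's entries before mailing them, as an added example rather than the wiki's script. It assumes cPanel's /usr/local/apache/logs/error_log and the Apache 2.2 or 2.4 error-log line formats; the sample log lines inside it are constructed, not captured traffic. It selects the day by matching the timestamp at the start of the line with the same zero-padded form Apache writes, and condenses the raw lines into hit counts per client, rule id and URI so the customer can see at a glance which rule and which path need whitelisting.

```shell
#!/bin/sh
# Added example, not the wiki's script: select one day's mod_security entries from
# Apache's error_log and summarise them before mailing. Assumptions: cPanel's
# /usr/local/apache/logs/error_log and Apache 2.2/2.4 timestamps; the sample lines
# below are constructed.
ERROR_LOG=${ERROR_LOG:-/usr/local/apache/logs/error_log}

# Apache zero-pads the day ("Oct 03") whereas `date | awk '{print $2,$3}'` yields
# "Oct 3", so a grep for the latter finds nothing for the first nine days of a month.
# %b is locale dependent; Apache writes English month names.
today_tag() { date '+%b %d'; }

# mod_security lines for one day. $1 log file, $2 "Mon DD".
modsec_lines_for_day() {
    grep "^\[[A-Za-z]\{3\} $2 " "$1" | grep 'ModSecurity:' || true
}

# One line per (client, rule id, uri) with a hit count, busiest first. Accepts the
# 2.2 "[client 1.2.3.4]" and the 2.4 "[client 1.2.3.4:54321]" forms.
modsec_digest() {
    modsec_lines_for_day "$1" "$2" \
    | sed -n 's/.*\[client \([0-9.]*\)\(:[0-9]*\)*\].*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \3 \4/p' \
    | sort | uniq -c | sort -rn
}

# The body the cron job mails: counts first, raw entries after for context.
modsec_report() {
    echo "mod_security events on $2 (hits, client, rule id, uri):"
    modsec_digest "$1" "$2"
    echo
    echo "Raw entries:"
    modsec_lines_for_day "$1" "$2"
}

# Constructed sample covering both log formats, a non-modsec line, and the next day.
write_sample_log() {
    cat > "$1" <<'EOF'
[Fri Oct 03 10:15:01 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union select)" at ARGS:q. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "15"] [id "300015"] [msg "Generic Attack"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed-1"]
[Fri Oct 03 10:16:44 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union select)" at ARGS:q. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "15"] [id "300015"] [msg "Generic Attack"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed-2"]
[Fri Oct 03 11:02:09 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\.\./" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "9"] [id "300013"] [msg "Path Traversal"] [hostname "example.com"] [uri "/administrator/index.php"] [unique_id "constructed-3"]
[Fri Oct 03 11:30:00 2014] [notice] caught SIGTERM, shutting down
[Fri Oct 03 12:00:00.123456 2014] [:error] [pid 2042] [client 198.51.100.7:41022] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\.\./" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "10"] [id "300014"] [msg "Path Traversal"] [hostname "example.com"] [uri "/administrator/index.php"] [unique_id "constructed-4"]
[Sat Oct 04 00:00:12 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union select)" at ARGS:q. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "15"] [id "300015"] [msg "Generic Attack"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed-5"]
EOF
}

case "${1:-}" in
    --demo) f=$(mktemp); write_sample_log "$f"; modsec_report "$f" "Oct 03"; rm -f "$f" ;;
    --mail) modsec_report "$ERROR_LOG" "$(today_tag)" | mail -s "Modsec Log for $(today_tag)" "$2" ;;
esac
```

Run it with --demo to see the report built from the constructed sample; the crontab entry becomes 57 23 * * * /root/modsecreport.sh --mail customer@example.invalid (hypothetical path and address).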