MODSEC

Revision as of 09:39, 13 December 2010 by Admin


My whitelisting script (it is downloaded over plain HTTP, so read it before running it)

wget http://shooltz.net/modsec_whitelister.sh
chmod +x modsec_whitelister.sh
./modsec_whitelister.sh

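Remove a specified directory from modsec (the pattern is a regular expression matched against the request URI, and the rule turns the rule engine off for every request that matches)

SecRule REQUEST_URI "URI goes here" "phase:1,nolog,allow,ctl:ruleEngine=Off"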

Add the rule to this file and restart

vi /usr/local/apache/conf/modsec2/whitelist.conf
/etc/init.d/httpd restart
/etc/init.d/apf restart

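Remove a whole domain (SERVER_NAME is taken from the request itself, so the match depends on the hostname the client sends)

SecRule SERVER_NAME "handymanreality.com" "phase:1,nolog,allow,ctl:ruleEngine=Off"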

Common modsec URIs

/wp-admin/post.php
/wp-admin/admin-ajax.php
/wp-admin/page.php

Script to email Modsec logs to the customer once per day

First make the script

touch /root/modseclog.sh
touch /root/tmplog.txt
touch /root/tmplog2.txt
chmod +x /root/modseclog.sh
vim /root/modseclog.sh

Paste the following into it.

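#!/bin/bash

# Customer address (email goes here; example.com is a placeholder)
email="customer@example.com"

# Today's date as the Apache error_log writes it, e.g. "Dec 03" (zero-padded day)
date=$(date '+%b %d')

# Keep only the modsec entries, then only the ones logged today
grep -i modsec /usr/local/apache/logs/error_log > /root/tmplog.txt
grep "$date" /root/tmplog.txt > /root/tmplog2.txt
mail -s "Modsec Log for $date" "$email" < /root/tmplog2.txt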

Save it and then add the following line into your crontab.

57 23 * * * /root/modseclog.sh

Now wait for 11:57 PM and then check your email. :P
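
An added example, not part of the original cheatsheet: the same daily log reduced to a count per hostname, URI and rule id, which shows what a whitelist entry actually has to cover. The function names modsec_summary and sample_log, the sample lines and the rule ids are made up for illustration, and the error_log format is assumed to be the Apache 2.2 one with ModSecurity's [id], [hostname] and [uri] tags.

```shell
#!/bin/bash
# Added example: count one day's ModSecurity entries per hostname, URI and rule id.
# Assumes Apache 2.2-style error_log lines: "[Fri Dec 03 09:39:00 2010] [error] ...".

# Constructed sample lines (not real log data; ids and hosts are made up).
sample_log() {
cat <<'EOF'
[Fri Dec 03 09:39:00 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:content. [id "1000001"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[Fri Dec 03 09:41:10 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:content. [id "1000001"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[Fri Dec 03 10:00:00 2010] [error] [client 192.0.2.11] File does not exist: /home/user/public_html/favicon.ico
[Fri Dec 03 11:02:45 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union" at ARGS:data. [id "1000002"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"]
[Mon Dec 13 08:00:00 2010] [error] [client 192.0.2.12] ModSecurity: Warning. Pattern match "x" at ARGS:q. [id "1000003"] [data "Dec 03"] [hostname "example.com"] [uri "/search"]
EOF
}

# modsec_summary LOGFILE [DAY]   DAY is "Mon DD" as logged, default today.
modsec_summary() {
    local log="$1" day="${2:-$(date '+%b %d')}"
    grep 'ModSecurity:' "$log" | awk -v day="$day" '
        # Return the value of a [name "value"] tag, or "-" when it is absent.
        function tag(name,    s) {
            if (!match($0, "\\[" name " \"[^\"]*\"")) return "-"
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
            return s
        }
        # Compare the date at its fixed position in the leading timestamp, so
        # the same text inside logged request data cannot select a line.
        substr($0, 6, 6) == day { n[tag("hostname") " " tag("uri") " " tag("id")]++ }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

log=$(mktemp); sample_log > "$log"
modsec_summary "$log" "Dec 03"
rm -f "$log"
```

Each output line is "count hostname uri rule-id". The last sample line is dated Dec 13 but carries the text "Dec 03" in its logged data, so a plain grep for the date would include it in the Dec 03 report while the fixed-position comparison does not.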