

Suphp & Mod_security how to??




Posted by anastasia0181, 11-26-2009, 11:05 AM
Hi there, according to the CSF security check, I have compiled PHP to run with suPHP and mod_security from WHM -> Easy Apache Update. Is this enough, or should I add rules? Can I have some examples of rules and how to add them? When I check Main >> Mod Security, I see an empty config file and table. Thank you.

Posted by madaboutlinux, 11-27-2009, 06:16 AM
When you compile suPHP and Mod_Security using easyapache, you need to enable suPHP and add rules to mod_security.

1. suPHP: there are two ways to enable suPHP.
   a) From WHM >> Service Configuration >> Apache Configuration >> PHP and SuExec Configuration >> select 'suphp' from the drop-down list in front of the PHP version >> click "Save New Configuration".
   b) You can enable suPHP from the command line.

2. Mod_Security, once installed, provides some default rules. The file with the rules resides under /usr/local/apache/conf/. The file modsec2.user.conf.default contains the rules, which should be copied over to modsec2.user.conf:

   cp -p modsec2.user.conf.default modsec2.user.conf

   Restart the httpd service once.

Posted by anastasia0181, 12-03-2009, 08:26 AM
Hi there, I copied the modsec2.user.conf.default rules to modsec2.user.conf. I get these alerts from the firewall, but I do not understand them. Can you please explain them to me? Thank you.

------------------------------------------------------------------
Failures: 5 (mod_security)
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

[Thu Dec 03 11:50:58 2009] [error] [client 196.12.243.178] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME. [offset "22"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.domain.com"] [uri "/location de voitures \\xe0 mydivecar/divecar001002.gif"] [unique_id "SxemIkjo4foAACnFfhgAAAAP"]
[Thu Dec 03 11:50:59 2009] [error] [client 196.12.243.178] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME. [offset "22"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www. domain.com"] [uri "/location de voitures \\xe0 mydivecar/divecar001006.jpg"] [unique_id "SxemI0jo4foAACZ7O6AAAAAb"]
[Thu Dec 03 11:50:59 2009] [error] [client 196.12.243.178] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME. [offset "22"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www. domain.com"] [uri "/location de voitures \\xe0 mydivecar/divecar001001.jpg"] [unique_id "SxemI0jo4foAACqgBOUAAAAC"]
[Thu Dec 03 11:50:59 2009] [error] [client 196.12.243.178] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME. [offset "22"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www. domain.com"] [uri "/location de voitures \\xe0 mydivecar/divecar001009.jpg"] [unique_id "SxemI0jo4foAACnFfhkAAAAP"]
[Thu Dec 03 11:50:59 2009] [error] [client 196.12.243.178] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME. [offset "22"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www. domain.com"] [uri "/location de voitures \\xe0 mydivecar/divecar001008.jpg"] [unique_id "SxemI0jo4foAACoxABoAAAAS"]
------------------------------------------------------------------------

Thank you for your help.

Posted by madaboutlinux, 12-03-2009, 08:58 AM
Mod_security does generate lots of false positives, so you will have to exclude some rules for some files as per the alert messages. Also, the default settings of the CSF firewall generate lots of false alarms, so I would hire an admin to configure things properly in order to minimize the false alarms.
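The two replies above say what to do with such alerts (read the rule id and path out of the log line, then exclude that rule only where it misfires) without showing how. The following is an added example, not code from either poster or from ModSecurity: a small Python triage script that parses Apache error-log lines of the shape quoted in the alert, counts hits per rule id and client, flags the pattern seen here (an encoding rule firing on plain requests for image files under one directory, which is the signature of a legitimate ISO-8859-1 path name, 0xE0 being "à" in Latin-1 and an invalid standalone byte in UTF-8), and drafts a ModSecurity 2.x exclusion scoped to that URL prefix with `SecRuleRemoveById` inside `<LocationMatch>`. The sample log is constructed: the client addresses, hostname and `unique_id` values are placeholders, and the third line's rule id `999999` and message are made up to show a hit that is not flagged. The "likely false positive" test is a triage heuristic and an assumption of this example, not a verdict; the admin still has to confirm the directory really exists on the site before excluding anything.

```python
"""Triage ModSecurity 'Access denied' lines from the Apache error log and
draft a scoped rule exclusion for hits that look like false positives."""
import re
from collections import Counter

# Constructed sample in the same shape as the CSF alert above. Client IPs,
# hostname and unique_id values are placeholders; the third line uses a
# made-up rule id (999999) so the triage has one hit that is NOT flagged.
SAMPLE_LOG = r"""[Thu Dec 03 11:50:58 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME. [offset "22"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.example.com"] [uri "/location de voitures \xe0 mydivecar/divecar001002.gif"] [unique_id "placeholder01"]
[Thu Dec 03 11:50:59 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at REQUEST_FILENAME. [offset "22"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.example.com"] [uri "/location de voitures \xe0 mydivecar/divecar001006.jpg"] [unique_id "placeholder02"]
[Thu Dec 03 11:51:07 2009] [error] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "constructed" at ARGS:id. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "90"] [id "999999"] [msg "Constructed sample hit"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "placeholder03"]
"""

# Bracketed fields: [client 1.2.3.4] has no quotes, [id "950801"] does.
FIELD_RE = re.compile(r'\[(client|id|msg|uri|hostname|severity) "?([^"\]]*)"?\]')
CODE_RE = re.compile(r'Access denied with code (\d+)')
STATIC_EXT = ('.gif', '.jpg', '.jpeg', '.png', '.css', '.js', '.ico')
_PCRE_SPECIAL = '.^$*+?()[]{}|\\'


def parse_entries(log_text):
    """One dict per ModSecurity denial line: client, id, msg, uri, code, ..."""
    entries = []
    for line in log_text.splitlines():
        if 'ModSecurity:' not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if 'id' not in fields:          # not a rule hit we can act on
            continue
        m = CODE_RE.search(line)
        fields['code'] = int(m.group(1)) if m else None
        entries.append(fields)
    return entries


def summarize(entries):
    """Hit counts per rule id and per (rule id, client) pair."""
    by_rule = Counter(e['id'] for e in entries)
    by_rule_client = Counter((e['id'], e['client']) for e in entries)
    return by_rule, by_rule_client


def looks_like_static_asset(uri):
    return uri.lower().endswith(STATIC_EXT)


def likely_false_positives(entries):
    """Heuristic (assumption of this example): the UTF-8 encoding rule firing
    on requests for image/static files is the signature of a legitimately
    named non-UTF-8 directory, not of an attack. A human confirms."""
    return [e for e in entries
            if e.get('msg', '').startswith('UTF8 Encoding')
            and looks_like_static_asset(e.get('uri', ''))]


def ascii_prefix(uri):
    """URI portion before the first escaped non-UTF-8 byte (\\x..), trimmed."""
    return uri.split('\\x', 1)[0].rstrip()


def pcre_escape(text):
    """Escape only PCRE metacharacters, leaving spaces readable."""
    return ''.join('\\' + c if c in _PCRE_SPECIAL else c for c in text)


def exclusion_snippet(rule_id, uri_prefix):
    """ModSecurity 2.x exclusion scoped to one URL prefix, so the rule keeps
    protecting the rest of the site. Belongs in modsec2.user.conf (or a vhost
    include) after the rule it modifies."""
    return ('<LocationMatch "^%s">\n'
            '    SecRuleRemoveById %s\n'
            '</LocationMatch>\n' % (pcre_escape(uri_prefix), rule_id))


def triage(log_text):
    """Parse, count, flag and draft exclusions; returns everything for review."""
    entries = parse_entries(log_text)
    by_rule, by_rule_client = summarize(entries)
    fps = likely_false_positives(entries)
    prefixes = sorted({ascii_prefix(e['uri']) for e in fps})
    rule_ids = sorted({e['id'] for e in fps})
    snippets = [exclusion_snippet(r, p) for p in prefixes for r in rule_ids]
    return {'entries': entries, 'by_rule': by_rule,
            'by_rule_client': by_rule_client, 'false_positives': fps,
            'snippets': snippets}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for (rule, client), n in result['by_rule_client'].most_common():
        print('rule %s from %s: %d hit(s)' % (rule, client, n))
    print('\nDraft exclusions to review before adding:\n')
    print(''.join(result['snippets']))
```

Run it against a copy of the real error log instead of `SAMPLE_LOG` and review the counts before pasting any snippet; a rule that fires from many clients on many different paths is not a false positive. The narrower root-cause fix here is to rename the directory to ASCII (or serve UTF-8 names) so that rule 950801 never has to be relaxed at all.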


