New FREE Mod_Sec from Comodo




Posted by Julien@Hostabulous, 12-28-2013, 10:05 PM
Not sure if it was posted, but Comodo CEO released free mod_sec rules. Anyone tried them? http://www.melih.com/2013/12/28/free...ecurity-rules/

Posted by media-hosts_com, 12-28-2013, 10:11 PM
Interesting timing... I remember getting an email from cPanel a week or so ago asking about Mod_Sec and one of the questions asked was "how much would you be willing to pay" if they offered it as a service. I guess this will make them think a little harder on that.

Posted by HiveNode, 12-29-2013, 12:39 AM
Was just about to post this. Has anyone installed it yet? Do I need to remove mod security rules that were installed via easy apache and ConfigServer ModSecurity Control (cmc)?

Posted by HiveNode, 12-29-2013, 01:04 AM
When I use the rules I get the following error.
Rebuilding and restarting Apache:
Initial configuration generation failed with the following message:
Configuration problem detected on line 1 of file /waf/bl_domains: Invalid command '.katiechaophoto.com/', perhaps misspelled or defined by a module not included in the server configuration
--- /waf/bl_domains ---
1 ===> .katiechaophoto.com/ <===
2.turuzzonatale.it/
3.100nests.com/
4.12vorteil.de/
5.14-jitrenka.eu/
6.1dumb.com/
7.2u264.com/
--- /waf/bl_domains ---
Rebuilding configuration without any local modifications.
Failed to generate a syntactically correct Apache configuration.
Bad configuration file located at /usr/local/apache/conf/httpd.conf.work.FN92G3TFEXp90K2L
Error: Configuration problem detected on line 1 of file /waf/bl_domains: Invalid command '.katiechaophoto.com/', perhaps misspelled or defined by a module not included in the server configuration
--- /waf/bl_domains ---
1 ===> .katiechaophoto.com/ <===
2.turuzzonatale.it/
3.100nests.com/
4.12vorteil.de/
5.14-jitrenka.eu/
6.1dumb.com/
7.2u264.com/
--- /waf/bl_domains ---
AH00526: Syntax error on line 1 of /comodo/waf/bl_domains: Invalid command '.katiechaophoto.com/', perhaps misspelled or defined by a module not included in the server configuration

Posted by HiveNode, 12-29-2013, 01:20 AM
Edit above, had a config issue. I have the rules working with http://configserver.com/cp/cmc.html. I had an issue once before when I installed atomic security suite so I was not sure how these rules worked.

Posted by Steven, 12-29-2013, 01:44 AM
We are currently testing these.

Posted by NyteRunner, 12-29-2013, 02:34 AM
Let us know your findings. Very interested in seeing how these compare to Atomicorp's rule sets.

Posted by George_Fusioned, 12-29-2013, 07:15 PM
Anyone else getting for every WHMCS admin page they visit? I already have in my modsec2.user.conf file, and never had those with the Atomicorp Realtime rules.

Posted by HiveNode, 12-29-2013, 07:21 PM
Yeah, I got them with whmcs as well. I just whitelisted for now until I have time to research the reason.

Posted by George_Fusioned, 12-29-2013, 07:49 PM
Since ASL-Lite is no longer supported, Comodo's cPanel plugin which comes with an auto-updater sounded like a nice addition. Unfortunately it's a very premature release and needs a lot of code editing in order to get it to work. Perl shebang lines had to be changed here and there, additional Perl modules were required in order to even get the installer working, and finally a custom path had to be added to @INC. Also, there is no AppConfig configuration file in order to get it registered, so one has to write one of his own. In the end, the updater would overwrite my v0.30 rules with the v0.25 rules when I would use the "Update Rules" button. Has potential but still very buggy.

Posted by Julien@Hostabulous, 12-29-2013, 09:31 PM
Not sure about your config, but we installed it on 2 servers. We had to install JSON/XS, and 1 server somehow needed a symlink to perl install dir, but everything else is working as intended.

Posted by George_Fusioned, 12-29-2013, 09:46 PM
Just a fresh cPanel installation. So you didn't even need to manually register it with AppConfig? The Updater worked out of the box? (I had to change the Perl shebang line first). Does the updater indeed update your rules? For me it just randomly downloads rule packages, sometimes v0.16, sometimes v0.25 etc and overwrites the newer rules (v0.30). Additionally after using the updater there's an ownership issue with /var/cpanel/cwaf/rules (folder + files), it's owned by 1011:user. In the "Configuration" tab, try moving the Debug slider to the right, say to "6". Then Save settings. Then go to WHM Home and back to the Comodo WAF plugin. Is the "Debug log" value gone? Does the Exclude rule functionality work for you?

Posted by Julien@Hostabulous, 12-29-2013, 09:59 PM
Didn't have to register with AppConfig. Updater worked out of the box, minus the problems I posted earlier. The updater did update the rules properly but yes we do have the files owner issue. Exclude doesn't work for us. Just tried to change debug lvl, and it looks like it's working. I'm unable to properly change the log file name tho. Thanks for sharing

Posted by George_Fusioned, 12-29-2013, 10:34 PM
Thanks for letting me know. I have posted a more complete list of the issues/bugs I encountered at the Comodo forums: http://forums.comodo.com/general-dis...9274#msg729274

Posted by Patrick, 12-29-2013, 10:54 PM
Thanks for that! Nothing makes me crankier than developers WHO DON'T TEST THEIR OWN SOFTWARE.... argh. Whoever wrote that installation script needs to be slapped upside the head.

Posted by Steven, 12-29-2013, 11:53 PM
It seriously is a joke.

Posted by NetworkPanda, 12-30-2013, 12:21 AM
Indeed, the cPanel installer and plugin had so many issues, that we finally decided to use it without the plugin and install and configure the rule files manually. The rules appear to be working fine though, Apache logs (/usr/local/apache/logs/error_log) have already recorded some blocked attacks (against WordPress and Joomla sites mainly).

Posted by Melih, 12-30-2013, 01:00 AM
Hey guys, we are here to help. we truly would welcome the feedback. The more feedback, the better the product becomes. We are here and willing to make the investment. Any problems/wishes pls let us know so that we can start the process. We want to give you the best possible modsecurity rules! thanks Melih

Posted by nixtree, 12-30-2013, 03:52 AM
perl -MCPAN -e'install Template'
perl -MCPAN -e'install Net::LibIDN'
perl -MCPAN -e'install XML::Simple'
perl -MCPAN -e'install IO::Scalar'
perl -MCPAN -e'install YAML::Syck'
Had to install above to recover various errors to get the front-end working...now getting following error
Can't locate Comodo/CWAF/Cpanel.pm in @INC (@INC contains: /usr/local/cpanel /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/cpanel/whostmgr/docroot/cgi/addon_cwaf.cgi line 23.
BEGIN failed--compilation aborted at /usr/local/cpanel/whostmgr/docroot/cgi/addon_cwaf.cgi line 23.
It is good to resolve all the perl dependencies along with the install script. Also it'll be nice if the script can be registered with AppConfig.

Posted by nixtree, 12-30-2013, 04:42 AM
Was able to fix it after following
perl -MCPAN -e'install Comodo::CWAF::Cpanel'
cp -pvr /usr/local/lib/perl5/site_perl/5.8.8/Comodo /usr/local/lib64/perl5/
Definitely needs proper scripting to correct these issues. Otherwise people will be a little afraid to use the buggy scripts...

Posted by nixtree, 12-30-2013, 05:21 AM
Syntax error on line 349 of /var/cpanel/cwaf/rules/cwaf_05.conf: Invalid command 'SecRule"setvar:SESSION.TIMEOUT=3600,', perhaps misspelled or defined by a module not included in the server configuration

Posted by nibb, 12-30-2013, 05:41 AM
Last time I tried Mod Security it caused a very decent increase in CPU load and latency to websites. I'm not sure if it's wise to have this on every web server unless you have a centralized one that processes it for all servers like a proxy; you are putting an extra load on Apache, and a very huge one, unless you want to use it with just a few rules, and then it's not really doing what it should. Loaded with tons of rules it's a resource pig as it needs to process them on every request. It also causes more problems than benefits unless you know exactly what each rule does. I know Mod Security is very popular but I'm not a big fan of it. It also tends to cause more problems with websites and apps for the benefits it brings. Still it's very popular. I just don't like how it performs in terms of speeds and resources. I noticed a huge drop in load when it was turned off vs on on some cPanel servers. Just my 2 cents. Last edited by nibb; 12-30-2013 at 05:44 AM.

Posted by zacharooni, 12-30-2013, 06:03 AM
nixtree: check that you have LoadModule before your modsec includes in httpd.conf, and that Apache was built with it enabled @nibb: This will depend on what features you enable.. SecResponseBodyAccess, SecUploadScript etc, bad regex filtering, things that use SecCollection, SecRule with non-lua exec calls. On a side note, I use owasp-modsecurity-crs currently, but might check this out on a dev instance.

Posted by nixtree, 12-30-2013, 06:15 AM
Checked already and it's properly configured..also the rest of the rule sets are working fine. owasp rules are good as well and we used it on many production systems

Posted by TDmitry, 12-30-2013, 07:18 AM
Which version of rules are you using?

Posted by nixtree, 12-30-2013, 01:16 PM
I tested .30

Posted by Steven, 12-30-2013, 01:30 PM
If you use cPanel's perl none of that is required. That is pretty hackish. cPanel stopped installing all of those by default on the system perl since they now package their own perl.

Posted by Steven, 12-30-2013, 01:31 PM
Are you using the latest version of mod_security provided by easyapache?

Posted by nixtree, 12-30-2013, 01:34 PM
That's something the script provider should consider...anyway thanks for the suggestion and I will check with cPanel perl..hopefully they will make it AppConfig compatible as well. Yes, I am using the latest provided by EA3

Posted by TDmitry, 12-30-2013, 02:13 PM
Please, send me your cwaf_05.conf in PM. That string shouldn't be on line 349.

Posted by nixtree, 12-30-2013, 02:38 PM
Unfortunately I removed it and did a fresh install. That issue doesn't persist in the new installation.

Posted by TDmitry, 12-30-2013, 07:10 PM
Fine that issue had gone. Thanx for feedback.

Posted by Melih, 12-31-2013, 12:12 PM
as an FYI, we are doing a new release next week hopefully should fix the problems reported. thank you for your patience guys! Melih

Posted by Julien@Hostabulous, 12-31-2013, 01:08 PM
Nice waiting for it as it really needs an update , right now just using rules, looks good so far.

Posted by Melih, 12-31-2013, 01:50 PM
oh great..yup the rules are pretty powerful and efficient in terms of resource usage. Of course we will continue to make these more efficient as we go along (have some nice ideas )...in the meanwhile we are fixing the cpanel plugin so that these rules can be used easily. thanks Melih

Posted by HostMantis, 12-31-2013, 02:22 PM
I think if this can be fixed so it is easy enough to install by your average user, it will be a great product.

Posted by Melih, 12-31-2013, 02:25 PM
no If...it will be fixed next week..expect a new release. we want a lot of feedback though please..we are eager to make this the best product that it can be for modsecurity. thanks Melih

Posted by Julien@Hostabulous, 01-03-2014, 12:04 AM
Right now we are using your rules in conjunction with Config Server Modsec plugin for cPanel. The ability of this plugin, to whitelist or disable any rule, per account or per directory is really nice. Maybe you could do something like this.

Posted by Melih, 01-03-2014, 12:08 AM
we will most definitely put that as a requirement to our dev team. please keep the requests coming in....we are building this for you guys...the more request for new features the better for everyone..keep our devs busy

Posted by SAHostKing, 01-04-2014, 03:14 PM
Cant wait this is great news.

Posted by HSN-Saman, 01-04-2014, 05:59 PM
I just installed the rules on three servers , no issue so far but the cPanel Plugin is not working on a server hopes that get fixed soon. /subscribed

Posted by Melih, 01-04-2014, 06:49 PM
yep...the guys have fixed the cpanel plugin (the plugin was for the previous version of cpanel...its been updated now...) they are testing it now, as soon as its got the green light from QA, it will be over to you guys Rules should work nicely though... Also, if you guys need specific rules please let us know, more than happy to add it.

Posted by Vex76, 01-04-2014, 06:55 PM
Still a lot of issues with it on my testing box. Let's see if they'll manage to fix them.

Posted by Melih, 01-04-2014, 06:59 PM
with the plugin or rules?

Posted by Julien@Hostabulous, 01-04-2014, 08:08 PM
Melih, I didn't go thru all your rules yet, but you could add some CMS/Billing software brute force login attempts rules. We run inhouse rules for those, but if we can get them all in one package that would be great. Also thank you for being active with us on this project, we rarely see big corporation CEOs on forums.

Posted by Melih, 01-04-2014, 08:30 PM
hi Julien, yes great idea. I just PMed you. thank you. Last edited by Melih; 01-04-2014 at 08:39 PM.

Posted by Atlanical-Mike, 01-04-2014, 09:28 PM
Thanks yeah I had the cPanel email too, and I've signed up and saved it for future use if needed got to love Comodo.

Posted by HostMantis, 01-07-2014, 11:21 AM
Any updates on the cPanel plugin?

Posted by Melih, 01-07-2014, 02:02 PM
yes..its done..being tested.. hope to release it around 9th (fingers crossed ). Melih

Posted by HostMantis, 01-07-2014, 03:49 PM
Nice! Looking forward to testing it with a working cPanel plugin.

Posted by MH-Stefan, 01-07-2014, 05:07 PM
Is anyone running this on Apache 2.4? The installation script requires Apache 2.2, but it can be easily edited to install on 2.4 anyway. Just wanted to check if anyone did this already.

Posted by Julien@Hostabulous, 01-07-2014, 08:01 PM
Dunno, running it on LSWS 4.2.6

Posted by Melih, 01-10-2014, 02:53 PM
Guys Good news! new CPanel plug in seems to be working nicely (hurray )... We hope to share it with you guys early next week.. watch this space Melih

Posted by nixtree, 01-10-2014, 03:00 PM
Great News

Posted by Julien@Hostabulous, 01-10-2014, 07:44 PM
Good news! Btw 0.32 works perfectly so far, I'll post on Comodo

Posted by whmcsservices, 01-10-2014, 10:39 PM
Great News

Posted by Melih, 01-10-2014, 11:50 PM
excellent thank you!. Yep, the rules are humming along nicely now...just need to release the cpanel plugin... we are also going to be doing some more stuff to make sure the rules we have are the fastest rules in the market...we want best security and best performance!

Posted by HiveNode, 01-11-2014, 10:44 PM
Just checking to make sure I have everything set up right. I haven't been using the plugin to update the rules and I've been running them manually via modsec2.conf. For the files cwaf_01.conf, 02, 03, 04, 05 am I supposed to pick one and rename it cwaf.conf or do I need to list each one in my config? I've been renaming the biggest one and running it as my config.

Posted by Julien@Hostabulous, 01-12-2014, 12:01 AM
put them in a directory, and point your modsec conf to load any files in that directory.

Posted by Melih, 01-13-2014, 01:57 PM
The latest version is now released. Cpanel plugin supports the latest cpanel version and all seems to be working nicely (fingers crossed). you can now install free modsecurity rules using our Comodo cpanel plugin at waf.comodo.com please let us know if we can help in any way. thanks Melih

Posted by HostXNow_Chris, 01-14-2014, 08:08 AM
The plugin works fine now. Thanks!

Posted by Melih, 01-17-2014, 04:38 PM
Thanks to you guys...we fixed a lot of bugs and released a new ruleset v 0.33 today. please let us know how it works for you. thanks Melih

Posted by HostXNow_Chris, 01-20-2014, 07:44 AM
I noticed after updating to the latest rules the custom rules added to exclude list are no longer there... PS the exclude list section does not appear as it does in the pdf guide on website. We just get with SecRuleRemoveById # being the custom rules we add. Whereas pdf guide on website shows you can whitelist IDs using add button... PPS it'd be good to allow automatic rule updates, but only if existing custom rules are not removed after updates... Thanks

Posted by MH-Stefan, 01-20-2014, 07:47 AM
Is Apache 2.4 going to be supported anytime soon? Tried to install the plugin, but it fails because our Apache 2.4 is "too old".

Posted by HostXNow_Chris, 01-20-2014, 08:17 AM
Seems to work fine on 2.4.7

Posted by Michaelz, 01-20-2014, 08:57 AM
No problems here either.

Posted by HostXNow_Chris, 01-20-2014, 09:04 AM
What about the things I mentioned above?

Posted by uRDeSIRE, 01-20-2014, 09:07 AM
cant wait for litespeed support!

Posted by HostXNow_Chris, 01-20-2014, 09:16 AM
Seems to work fine with LSWS 4.2.6

Posted by Michaelz, 01-20-2014, 09:17 AM
I was referring to Apache 2.4. Where do you define custom rules?

Posted by HostXNow_Chris, 01-20-2014, 10:25 AM
If using the cPanel Comodo WAF plugin you can find it under Exclude List tab.

Posted by MH-Stefan, 01-20-2014, 12:53 PM
Indeed, the latest installer works with Apache 2.4 now. Sorry for the confusion.

Posted by idemi, 01-20-2014, 12:56 PM
Yes, unfortunately it's a known issue. It will be fixed in the new version of the plugin, release ETA is Thursday. Thank you for reporting.

Posted by kpmedia, 01-20-2014, 01:17 PM
This thread was moved: http://www.webhostingtalk.com/showth...1339275&page=2 But it had some important questions. I had this one too: "I am using nginxcp.com so can anybody please confirm whether this thing still work?"

Posted by HostXNow_Chris, 01-21-2014, 05:51 AM
It seems to be giving a lot of false positives for popular web scripts such as Joomla & OpenCart. I hope these are fixed soon. Thanks

Posted by HostXNow_Chris, 01-21-2014, 06:26 AM
These rules seem to cause issues
#####
SecRuleRemoveById 1234123446
SecRuleRemoveById 1234123439
SecRuleRemoveById 20020
SecRuleRemoveById 11000
SecRuleRemoveById 11085
SecRuleRemoveById 11097
SecRuleRemoveById 1234123404
SecRuleRemoveById 12242
SecRuleRemoveById 11182
SecRuleRemoveById 20042
SecRuleRemoveById 20041
SecRuleRemoveById 211085
SecRuleRemoveById 220042
SecRuleRemoveById 220041
SecRuleRemoveById 220020
SecRuleRemoveById 211005
SecRuleRemoveById 211182
SecRuleRemoveById 211184
SecRuleRemoveById 211194
SecRuleRemoveById 11528
SecRuleRemoveById 11529
SecRuleRemoveById 11089
#####

Posted by azharimad, 01-22-2014, 11:32 AM
using cpanel + litespeed always restart

Posted by idemi, 01-22-2014, 11:44 AM
Hello HostXNow. Would you please check the rules with ids 1234123404, 1234123439, 1234123446 on your side, because we have no rules with such ids in our set. Thank you. Igor. COMODO.
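
Added example (not part of the thread and not Comodo's tooling): a check for the situation described in the post above, where an exclude list carries SecRuleRemoveById entries that match no rule in the loaded set. The rule bodies, the exclude file contents and the function names are constructed for illustration; only the ids 211085, 211097, 220020 and 1234123404 are taken from the thread.

```python
import re

# The id action inside a SecRule/SecAction: id:211085 or id:'211085'.
RULE_ID_RE = re.compile(r"""\bid\s*:\s*['"]?(\d+)""")
REMOVE_RE = re.compile(r"^\s*SecRuleRemoveById\s+(.+)$", re.IGNORECASE)


def defined_rule_ids(rules_text):
    """Collect every rule id defined in rule-file text, skipping comment lines."""
    ids = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        ids.update(int(m) for m in RULE_ID_RE.findall(line))
    return ids


def parse_exclusions(exclude_text):
    """Yield (lineno, token, low, high); low/high are None if the token is not an id or range."""
    for lineno, line in enumerate(exclude_text.splitlines(), 1):
        m = REMOVE_RE.match(line)
        if not m:
            continue
        # SecRuleRemoveById takes ids and quoted ranges, several per line.
        for token in re.sub(r"""['"]""", " ", m.group(1)).split():
            lo, sep, hi = token.partition("-")
            if lo.isdigit() and (not sep or hi.isdigit()):
                yield lineno, token, int(lo), (int(hi) if sep else int(lo))
            else:
                yield lineno, token, None, None


def audit(rules_text, exclude_text):
    """Return exclusions that cannot take effect against the given rule set."""
    ids = defined_rule_ids(rules_text)
    findings = []
    for lineno, token, lo, hi in parse_exclusions(exclude_text):
        if lo is None:
            findings.append((lineno, token, "unparseable"))
        elif not any(lo <= rid <= hi for rid in ids):
            findings.append((lineno, token, "matches no loaded rule"))
    return findings


# Constructed rule file: patterns and messages are placeholders, not real rules.
SAMPLE_RULES = """\
# constructed sample rule set
SecRule ARGS "@rx constructed-a" "id:211085,phase:2,deny,msg:'constructed sample rule'"
SecRule ARGS "@rx constructed-b" "id:'211097',phase:2,deny,msg:'constructed sample rule'"
SecRule REQUEST_URI "@rx constructed-c" \\
    "id:220020,phase:1,deny,msg:'constructed sample rule'"
"""

# Constructed exclude list in the style posted in the thread.
SAMPLE_EXCLUDES = """\
SecRuleRemoveById 1234123404
SecRuleRemoveById 211085
SecRuleRemoveById 211097 "220000-220099"
# SecRuleRemoveById 999999
SecRuleRemoveById 21I085
"""

if __name__ == "__main__":
    for lineno, token, reason in audit(SAMPLE_RULES, SAMPLE_EXCLUDES):
        print(f"exclude line {lineno}: {token}: {reason}")
```

Run against the concatenated rule files and the exclude file after each rules update, so stale or mistyped exclusions are noticed instead of silently doing nothing.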

Posted by idemi, 01-22-2014, 11:48 AM
Unfortunately litespeed is not supported at this moment due to limited compatibility with original modsecurity. We are working on it and will provide support for litespeed soon.

Posted by HostXNow_Chris, 01-23-2014, 08:36 AM
I removed those IDs and they haven't been blocked since. The latest rules causing issues are
#####
SecRuleRemoveById 20020
SecRuleRemoveById 11000
SecRuleRemoveById 11085
SecRuleRemoveById 11097
SecRuleRemoveById 12242
SecRuleRemoveById 11182
SecRuleRemoveById 20042
SecRuleRemoveById 20041
SecRuleRemoveById 211085
SecRuleRemoveById 220042
SecRuleRemoveById 220041
SecRuleRemoveById 220020
SecRuleRemoveById 211005
SecRuleRemoveById 211182
SecRuleRemoveById 211184
SecRuleRemoveById 211194
SecRuleRemoveById 11528
SecRuleRemoveById 11529
SecRuleRemoveById 11089
SecRuleRemoveById 11064
SecRuleRemoveById 12100
#####
Looking forward to update which will resolve issue with false positives. Thanks

Posted by idemi, 01-23-2014, 11:43 AM
Thank you very much! I am sorry, any luck with logs? I understand it's not easy, but it would be great help for us. Thank you. Igor. COMODO.
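
Added example (not from the thread, and not Comodo's or cPanel's tooling): one way to pull the evidence requested above out of the Apache error_log, by tallying ModSecurity denials and "PCRE limits exceeded" errors per rule id together with the hostname and URI they hit most. The log lines are constructed, follow the ModSecurity 2.x error-log layout with Apache 2.2-style prefixes, and the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# ModSecurity metadata fields look like [id "211085"] or [hostname "example.com"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def summarize(log_text):
    """Group ModSecurity error_log entries by rule id."""
    stats = defaultdict(lambda: {"denied": 0, "pcre_limit": 0, "targets": Counter()})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # unrelated Apache message
        fields = dict(FIELD_RE.findall(line))
        rule_id = fields.get("id")
        if rule_id is None:
            continue
        entry = stats[rule_id]
        if "PCRE limits exceeded" in line:
            entry["pcre_limit"] += 1  # the rule errored out; it did not match
        elif "Access denied" in line:
            entry["denied"] += 1
        entry["targets"][(fields.get("hostname", "?"), fields.get("uri", "?"))] += 1
    return dict(stats)


def report(stats):
    """Rows of (rule_id, denied, pcre_limit, top_host, top_uri), busiest rule first."""
    rows = []
    for rule_id, entry in stats.items():
        (host, uri), _count = entry["targets"].most_common(1)[0]
        rows.append((rule_id, entry["denied"], entry["pcre_limit"], host, uri))
    return sorted(rows, key=lambda r: (-(r[1] + r[2]), r[0]))


_DENY = ('ModSecurity: Access denied with code 403 (phase 2). '
         'Pattern match "constructed" at ARGS:q. '
         '[file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "40"] ')

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = "\n".join([
    '[Tue Jan 21 06:20:11 2014] [error] [client 203.0.113.10] ' + _DENY +
    '[id "211085"] [msg "constructed"] [hostname "shop.example.com"] '
    '[uri "/admin/index.php"] [unique_id "A1"]',
    '[Tue Jan 21 06:20:40 2014] [error] [client 203.0.113.11] ' + _DENY +
    '[id "211085"] [msg "constructed"] [hostname "shop.example.com"] '
    '[uri "/admin/index.php"] [unique_id "A2"]',
    '[Tue Jan 21 06:21:02 2014] [error] [client 198.51.100.7] ' + _DENY +
    '[id "220020"] [msg "constructed"] [hostname "blog.example.net"] '
    '[uri "/wp-login.php"] [unique_id "A3"]',
    '[Tue Jan 21 06:21:30 2014] [error] [client 203.0.113.10] ModSecurity: '
    'Rule 7f00aa [id "211184"][file "/var/cpanel/cwaf/rules/cwaf_02.conf"]'
    '[line "77"] - Execution error - PCRE limits exceeded (-8): (null). '
    '[hostname "shop.example.com"] [uri "/index.php"] [unique_id "A4"]',
    '[Tue Jan 21 06:22:00 2014] [notice] caught SIGTERM, shutting down',
])

if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG)):
        print("id=%s denied=%d pcre_limit=%d top=%s%s" % row)
```

A rule whose hits cluster on one application path from many clients is a candidate for a per-domain exclusion; one that only shows PCRE limit errors is failing to evaluate and should be reported rather than excluded.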

Posted by Melih, 01-23-2014, 01:20 PM
we just launched the latest version of the cpanel plugin today. more bugs fixed please let us know if you face any issues with the latest one.. we are working on this 24/7 and we will protect you!

Posted by HostXNow_Chris, 01-23-2014, 01:32 PM
A lot of errors are related to Execution error - PCRE limits exceeded already reported in threads such as this one http://forums.comodo.com/free-modsec...t100731.0.html I'll wait until the next version has been released and go from there. Thanks.

Posted by Melih, 01-23-2014, 01:34 PM
we just released a version... should be fixed now..

Posted by HostXNow_Chris, 01-23-2014, 01:39 PM
I just refreshed WHM but still see The update button is not available at the moment. I will test it after has been updated. Thanks.

Posted by HostMantis, 01-23-2014, 01:48 PM
A new version of the cPanel plugin itself was released, not the rules. However, it is not very clear what to do in the case of installing a new version of the plugin. @Melih To upgrade the cPanel plugin, do we just run the installer script again?

Posted by HostXNow_Chris, 01-23-2014, 01:50 PM
I see now... Yes, not sure how we update it... Guess we just reinstall it... Last edited by HostXNow_Chris; 01-23-2014 at 01:53 PM.

Posted by HostXNow_Chris, 01-23-2014, 01:56 PM
Trying a reinstall ...

Posted by idemi, 01-23-2014, 02:21 PM
Hello. Please uninstall existing plugin: "/var/cpanel/cwaf/scripts/uninstall_cwaf.sh" Go to waf.comodo.com and download latest version: https://waf.comodo.com/cpanel/cwaf_client_install.sh Install it.

Posted by idemi, 01-23-2014, 02:25 PM
I am sorry, are you sure it was latest version, i got: Found mod_security version 2.7.7, good [OK]

Posted by HostMantis, 01-23-2014, 02:41 PM
So with each new release of the plugin, a manual uninstall/reinstall is going to be required?

Posted by idemi, 01-23-2014, 03:04 PM
Yes, very good point, we will implement updater soon. Unfortunately, at this point you have to uninstall and install.

Posted by HostXNow_Chris, 01-23-2014, 05:25 PM
On a few dedicated servers I tested it on (different OS version etc) it shows on a few VPSs I tested it on it shows The Execution error - PCRE limits messages and many false positives have stopped since using update. Thanks.

Posted by WireNine, 01-23-2014, 07:22 PM
Doesn't the cPanel plugin have an auto updater?

Posted by Melih, 01-23-2014, 08:38 PM
great to hear that PCRE limit problem is resolved.. whatever problem anyone encounters, please tell us, we will fix it very quickly and release a new version. thank you again guys, it really is a pleasure to protect you! You are making it so easy for us by giving us valuable feedback. In return the whole hosting industry is benefiting from this great partnership! thank you again! Melih

Posted by Max Buglakov, 01-24-2014, 05:44 AM
Would you please provide distros names on those VPS that give mod_security version warnings? Or possibly some more info for us to hunt the bug down faster? Thanx!

Posted by bettinz, 01-25-2014, 03:52 AM
Thank you Comodo for the rules . Just few questions: 1) I use CSF Firewall on cPanel, and I block the ip if a mod_sec rule fail so: Thank you again

Posted by HostXNow_Chris, 01-25-2014, 08:49 AM
Another Joomla rule that needs correcting And adding SecRuleRemoveById 211528 does not seem to work...

Posted by HostXNow_Chris, 01-25-2014, 09:12 AM
Another PHPLD rule that needs correcting
SecRuleRemoveById 211085
SecRuleRemoveById 211097

Posted by HostXNow_Chris, 01-25-2014, 09:20 AM
For VPS (shows BAD - mod security 2.7.5)
2.6.18-348.4.1.el5 CENTOS 5.10 i686 / WHM 11.40.1 (build 9)
For Dedicated (shows GOOD - mod security 2.7.7)
2.6.18-371.3.1.el5 CENTOS 5.10 x86_64 / WHM 11.38.1 (build 13)

Posted by JamesMartin122, 01-25-2014, 09:27 AM
Well post. How can I use Mod_Sec?

Posted by HostXNow_Chris, 01-25-2014, 10:11 AM
Exclude list is not working for particular IDs of vBulletin and Joomla and so have no option but to completely disable comodo waf on some servers until exclude list works properly. PS you can of course update the rule files til comodo fix it just some changes may be lost after the rules have updated. Last edited by HostXNow_Chris; 01-25-2014 at 10:19 AM.

Posted by Max Buglakov, 01-27-2014, 11:49 AM
Thanx a lot, the bug was found and eliminated

Posted by Melih, 01-29-2014, 05:11 PM
New rules released
Version 0.35 - 2014.01.28
- CVE-2013-7187
- False positives fixed: Joomla, WHMCS, Silverstripe CMS, Wordpress, IP Board and others

Posted by HostXNow_Chris, 01-29-2014, 06:25 PM
Comodo WAF is working much better now (even lower loads thus saving server resources etc). Big thanks to you and your team! Keep up the great work! I found some other false positives for some other CMSs with e107 being one of them but I'll submit feedback via the plugin. Thanks

Posted by khanbaba, 01-29-2014, 10:23 PM
Yeah, its working great...

Posted by Melih, 01-30-2014, 12:52 PM
great to hear! we have some more funky stuff coming soon, like categorisation etc so that you can run the most optimized rules for your setup rather than have all the rules run. We will give you the best security at best performance for free!

Posted by JLHC, 01-31-2014, 05:10 AM
I am sorry to be skeptical but may I know what is the catch here? How do you plan to monetize this down the road? By offering support contracts, a premium or pro version, etc?

Posted by markhard, 01-31-2014, 05:38 AM
I'm asking about this too, since atomic also gave free rules but now they dropped it. It is not even possible to download the old free rules (it may be old but at least it gives some basic protection)

Posted by bdx33, 01-31-2014, 06:34 AM
Think "Brand Equity" and "Users' contacts" guys

Posted by markhard, 01-31-2014, 06:45 AM
reading from the administrator guide PDF: https://waf.comodo.com/doc/Comodo_We...dmin_Guide.pdf on page 4, seems they will have paid version.

Posted by Melih, 01-31-2014, 09:19 AM
This product will be free, period! We already make money from webhosting market by providing them SSL certificates, PCI scanning (hackerguardian), webinspector for checking to see if your site is infected or not etc. Just like we give full blown internet security for free for the consumer market, we want to do the same for the webhosting market. In return we ask you to trust us! thats all. You should know we will always be there for you and when you need other stuff like SSL etc, you will hopefully choose us. Because we are not a company with one product income, we can afford to give particular products for free. So We will secure you for free, in return we ask you to trust us! Hope this explains.

Posted by Melih, 01-31-2014, 09:21 AM
We will have a version with support etc for enterprises that might include appliances. webhosting world will have modsec rules for free from Comodo, this will not change.

Posted by markhard, 01-31-2014, 09:27 AM
reasonable, i already use Comodo SSL so.. i guess i'm trusting you guys

Posted by Melih, 01-31-2014, 09:56 AM
Thank you for trusting us! We will do everything possible to protect you and your business!

Posted by PascM, 02-01-2014, 09:47 AM
Sounds really good, I am just testing the waters for now but I already trust COMODO SSLs

Posted by Melih, 02-02-2014, 05:21 PM
please let us know if you need any improvement to what we have. We are here for you.

Posted by Melih, 02-20-2014, 08:16 AM
Client Agent 1.2 has been released:
Rules Catalog - flexible exclude list management:
- List of all Comodo rules divided by groups.
- Exclude rules and groups of rules.
- Management of global excludes lists and excludes for virtual hosts.
Improvements and bug fixes.
Now you may update your client from cPanel plugin: "Main" -> "New client is available" -> "Update Plugin"
Or download and install new script, available by link: https://waf.comodo.com/cpanel/cwaf_client_install.sh
All your current exclude rules will be stored during update procedure. You may find backup of your exclude list by the path:
for cPanel: /var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf.backup
for stand-alone mode: /CWAF_INSTALL_DIR/etc/httpd/global/zzz_exclude_global.conf.backup

Posted by BeZazz, 02-20-2014, 08:36 AM
So is it ok to still use ConfigServer ModSecurity Control or will it conflict?

Posted by fadak7abyby, 02-20-2014, 12:10 PM
We will have a version with support etc for enterprises that might include appliances. webhosting world will have modsec rules for free from Comodo, this will not change.

Posted by BeZazz, 02-20-2014, 12:25 PM
Do you work for Comodo?

Posted by DragosMagus, 02-20-2014, 10:55 PM
What is really needed is being able to view the caught attacks.

Posted by HostMantis, 02-20-2014, 11:05 PM
The ability the view the mod_security audit log from the plugin would be a nice feature.

Posted by DragosMagus, 02-20-2014, 11:07 PM
View Audit log, with quick links to disable triggered monitors and links to the full description of the vulnerability.

Posted by AndyB78, 03-01-2014, 11:54 AM
Any news on LiteSpeed compatibility? Thanks.

Posted by Q20PP, 03-04-2014, 01:07 AM
this plugin looks nice, so we just download https://waf.comodo.com/cpanel/cwaf_client_install.sh and run it on cpanel 's ssh?

Posted by page-zone, 03-04-2014, 01:13 AM
Spent the day installing it on all servers and have had few problems. The basic thing to do is make sure the latest mod security is installed, which entails making sure the server is running the latest software. What I did was update apache so that 2.7.7 mod security was installed. The whole process is outlined here - a couple of problems I had were all resolved by making sure cpanel was the latest version and easyapache was updated to the latest. Although I still went with php 5.3 to avoid problems with 5.4

Posted by Q20PP, 03-04-2014, 01:42 AM
page-zone, your article is nice thanks~

Posted by forumtalk, 03-08-2014, 04:02 PM
I did use https://waf.comodo.com/cpanel/cwaf_client_install.sh but it did not work for me, how to uninstall this please

Posted by Michaelz, 03-08-2014, 04:45 PM
Try http://help.comodo.com/topic-212-1-514-5939-.html and you should be fine.

Posted by forumtalk, 03-08-2014, 04:52 PM
Thank You

Posted by azharimad, 03-30-2014, 07:02 PM
I got Forbidden when trying to download from https://waf.comodo.com/cpanel/cwaf_client_install.sh

Posted by page-zone, 03-31-2014, 01:03 PM
That looks like a problem with their website because the same error appears when trying to download it from a link on their site. https://forums.comodo.com/free-modse...101235.15.html

Posted by SPaReK, 04-02-2014, 11:08 AM
Perhaps somewhat unrelated to the discussion on this thread, but would it be possible to send an email notice or a blog announcement RSS feed that announces when a new version of these rules is available?

Posted by vps_noob, 04-05-2014, 02:55 AM
Setup a daily Cron: /var/cpanel/cwaf/scripts/updater.pl That should update the rules. I think.

Posted by WireNine, 04-06-2014, 05:08 PM
How are the rules working out for shared hosting applications? Better than what is offered by Gotroot Modsecurity Rules?

Posted by Michaelz, 04-06-2014, 05:40 PM
Can't really compare but after some initial quirks they seem to do the job well enough.

Posted by HostMantis, 04-06-2014, 07:37 PM
For the most part they work pretty well, but you will find the occasional app/plugin that doesn't want to function properly with a particular rule, so you do end up disabling a few. All in all, they do a good job and the plugin seems to be steadily improving.

Posted by page-zone, 04-06-2014, 11:36 PM
I had to get rid of a rule that didn't play well with live chat support but the disable process is easy.

Posted by Melih, 04-08-2014, 09:29 AM
Client Agent 1.6 has been released:
- Batch installation mode.
- Disabling a rule for domain with/without www.
- Improvements and bug fixes.
Now you may install CWAF client using batch mode. This can be useful for installation on multiple machines.
Batch install for system with cPanel and Apache web-server:
./setup.sh --batch --login=login --password=password
Batch install for system with cPanel and LiteSpeed web-server:
./setup.sh --batch --login=login --password=password --platform=LiteSpeed
Batch install in the standalone mode:
./setup.sh --batch --login=login --password=password --mode=standalone --platform=Apache --path=/opt/cwaf
./setup.sh --batch --login=login --password=password --mode=standalone --platform=LiteSpeed --path=/opt/cwaf
You may update your client from cPanel plugin: "Main" -> "New client is available" or download and install new script, available by link: https://waf.comodo.com/cpanel/cwaf_client_install.sh

Posted by itmonitor, 04-14-2014, 05:13 PM
Hello Melih, Thank you for the great WHM plugin, it is working flawlessly in my CPanel. I would suggest adding a feature so that the IPs blocked by Comodo WAF would be automatically blacklisted at CSF Firewall and-or CPHulk. This feature could be optional, by means of a check box in Comodo WAF inside WHM. rgs IM

Posted by vps_noob, 04-14-2014, 06:01 PM
Mr Malieh Sir. I got a Noob question for you. I set up the following Cron: /var/cpanel/cwaf/scripts/updater.pl Does it update to your current rules, and does it also update the CWAF Client? If not, what do you suggest? Thanks for your time.

Posted by HostMantis, 04-14-2014, 06:57 PM
You can configure CSF to block IPs after a set amount of mod_security failures. In CSF, see the setting "LF_MODSEC".

Posted by itmonitor, 04-15-2014, 07:45 AM
Thank you HostMantis, just configured my CSF. It seems the mod_security incompatibility with mod_ruid2 was not solved. The CPanel people inform that this incompatibility was solved on EasyApache 3.24.12, but I have EA 3.24.15 installed and tried activating ruid2 and it will give me those "Failed to lock global mutex: Permission denied" in the log. Perhaps ComodoWAF new rules could solve this incompatibility?

Posted by danami, 04-19-2014, 07:28 AM
New rules aren't going to fix this. This is something that has to be fixed in modsecurity.

Posted by danami, 04-19-2014, 08:04 AM
I've looked at these Comodo rules. They seem like an OK set of rules for shared hosts. They have a lot of exceptions for specific web apps. If you are on a dedicated server and only hosting a few web apps then I think it's better to use the OWASP ModSecurity Core rule set as they seem much better and have actually gone through smoke tests. For Plesk 12 users just a note that with the new modsecurity extension you have the option of choosing any of the following rulesets:
OWASP ModSecurity Core Rule Set (CRS)
Atomic ModSecurity Rule Set
Comodo ModSecurity Rule Set
Custom rule set

Posted by Steven, 04-19-2014, 12:19 PM
Melih, It is not wise to have installation processes such as this. While the impact is minimal, pushing login details into the process list is poor security form. A user could do: and obtain the login if it's done while you install.
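An added example (not part of the thread and not Comodo's code) of auditing the exposure described in the post above: on Linux each process's argv is readable from /proc/<pid>/cmdline, so this sketch reports which processes carry credential options and masks the values. Apart from --login and --password, the option names, the function names and the sample argv are assumptions constructed for illustration.

```python
import os
import re

# --login/--password are the flags from the batch-install post; the other
# option names are assumed extras for illustration.
SECRET_OPT = re.compile(r"^--?(password|passwd|login|token|secret)(?:=(.*))?$", re.I)

def parse_cmdline(raw: bytes) -> list:
    """Split /proc/<pid>/cmdline content (NUL-separated argv) into strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def audit_argv(argv):
    """Return (exposed_option_names, argv_with_values_masked) for one process."""
    exposed, masked, mask_next = [], [], False
    for arg in argv:
        m = SECRET_OPT.match(arg)
        if mask_next:                       # value of a preceding "--password"
            masked.append("****")
            mask_next = False
        elif m and m.group(2) is not None:  # "--password=value" form
            exposed.append(m.group(1).lower())
            masked.append(arg.split("=", 1)[0] + "=****")
        elif m:                             # "--password value" form
            exposed.append(m.group(1).lower())
            masked.append(arg)
            mask_next = True
        else:
            masked.append(arg)
    return exposed, masked

def scan_proc(proc_dir="/proc"):
    """Audit every process visible to the caller; yields (pid, names, masked argv)."""
    for pid in filter(str.isdigit, os.listdir(proc_dir)):
        try:
            with open(os.path.join(proc_dir, pid, "cmdline"), "rb") as fh:
                exposed, masked = audit_argv(parse_cmdline(fh.read()))
        except OSError:                     # process exited or access denied
            continue
        if exposed:
            yield pid, exposed, masked

# Constructed sample: the argv a batch install would leave in /proc/<pid>/cmdline.
SAMPLE = b"./setup.sh\0--batch\0--login=admin@example.test\0--password=S3cr3t!\0"

if __name__ == "__main__":
    print(audit_argv(parse_cmdline(SAMPLE)))
    for pid, exposed, masked in scan_proc():
        print(pid, ",".join(exposed), " ".join(masked))
```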

Posted by danami, 04-22-2014, 07:47 AM
One thing to note though is that Comodo is using these rules as a way to get your information so that they can try to sell you other Comodo services. Shortly after signing up for these rules I received a sales call from them trying to get me to use Comodo for ssl certificates. I guess it's a small price to pay for free modsecurity rules.

Posted by HostXNow_Chris, 05-06-2014, 01:24 PM
There seems to be some "Other" folder in latest rules with version 1.0.8 which appears with Apache but not LiteSpeed... Plus previous rule IDs do not work in new version. Says rules are not found...

Posted by HostXNow_Chris, 05-11-2014, 06:35 AM
Strange, so I build a list of rule IDs that were causing issues and whitelist them, then Comodo release new rules which overwrite old rules but with different IDs, so we have to manually find/whitelist the same rules, but that is not before we work out what the new IDs are! If you were completely removing IDs that were not needed then no problem, but keeping them and only changing the ID # of the rule just causes a lot of unnecessary work for us. If I got this wrong then please explain @Melih ? Thanks.
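An added example (not from the thread and not part of the CWAF plugin) of carrying a whitelist across a release that renumbers rules, as described in the post above: each SecRule is fingerprinted by its text with the id action removed, and old whitelisted IDs are mapped to the new ID with the same fingerprint. It assumes a renumbered rule is otherwise unchanged; the rule text, IDs and function names are constructed for illustration.

```python
import re

# Matches the id action inside a rule's action string, e.g. id:1001, or id:'1001',
ID_RE = re.compile(r"\bid\s*:\s*'?(\d+)'?\s*,?")

# Constructed sample rule files (not Comodo's real rules or IDs).
OLD_RULES = r'''
SecRule REQUEST_URI "@contains /etc/passwd" \
    "id:1001,phase:2,deny,msg:'Constructed: path probe'"
SecRule ARGS "@rx <script" "id:1002,phase:2,deny,msg:'Constructed: script tag'"
SecRule REQUEST_HEADERS:User-Agent "@pm badbot" "id:1003,phase:1,deny,msg:'Constructed: bad UA'"
'''
NEW_RULES = r'''
SecRule REQUEST_URI "@contains /etc/passwd" \
    "id:2101,phase:2,deny,msg:'Constructed: path probe'"
SecRule ARGS "@rx <script" "id:2102,phase:2,deny,msg:'Constructed: script tag'"
SecRule REQUEST_HEADERS:User-Agent "@pm evilbot" "id:2103,phase:1,deny,msg:'Constructed: bad UA'"
'''

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    joined = re.sub(r"\\[ \t]*\n\s*", " ", text)
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def fingerprint_rules(text):
    """Map each SecRule's text (id removed, whitespace collapsed) to its id."""
    prints = {}
    for line in logical_lines(text):
        m = ID_RE.search(line)
        if line.startswith("SecRule") and m:
            prints[" ".join(ID_RE.sub("", line, count=1).split())] = m.group(1)
    return prints

def remap_whitelist(old_text, new_text, whitelisted_ids):
    """Return ({old_id: new_id}, [old ids that need manual review])."""
    old_by_id = {rid: fp for fp, rid in fingerprint_rules(old_text).items()}
    new_by_fp = fingerprint_rules(new_text)
    mapping, review = {}, []
    for rid in whitelisted_ids:
        fp = old_by_id.get(rid)
        if fp in new_by_fp:
            mapping[rid] = new_by_fp[fp]
        else:                      # rule changed, removed, or id never existed
            review.append(rid)
    return mapping, review

if __name__ == "__main__":
    print(remap_whitelist(OLD_RULES, NEW_RULES, ["1001", "1002", "1003"]))
```

IDs returned in the review list belong to rules whose text changed or disappeared, so their exclusions should be re-tested rather than copied over.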

Posted by Q20PP, 06-04-2014, 02:01 AM
Just installed this on our cpanel server (centos 6.5 with apache 2.4). Installation warned us that mod_Security 2.8 might not be working with CWAF plugin version 1.6 (latest version), will this be fixed soon? Also, there is nowhere to view mod_security logs in real time like ConfigServer ModSecurity Control, so we have to install ConfigServer ModSecurity Control too, will this cause any issue?

Posted by itmonitor, 07-07-2014, 04:36 AM
Hello Melih, Though automatic updates in complex server setups are not advisable, in my and many other cases as my server has a simple setup, it will help us a lot. I suggest you add an option to activate automatic update of rules. A ticker box in the Comodo WAF dashboard would do. IM

Posted by MH-Stefan, 07-07-2014, 04:42 AM
The automatic update feature should be released with v1.8: http://forums.comodo.com/free-modsec...6300#msg766300

Posted by itmonitor, 07-07-2014, 04:50 AM
Thank you for the blazing fast reply and good news about the automatic update. IM

Posted by raidfanatic, 07-07-2014, 06:27 AM
Hmmm .. We will give this a try on a test node...

Posted by itmonitor, 07-08-2014, 06:55 AM
Hello, I just noticed a bizarre behaviour from the plugin Comodo WAF, by chance, when I had to change my WHM CPanel root password. Once the old password is changed into a new password, when I click on the Comodo WAF link at the WHM right menu, it will display all the Comodo WAF settings, including my email and other data. It should not display anything, but open the WHM login page and ask me to input again WHM userid and the new password, and only after that I can access and see my Comodo WAF settings. I wonder if there is any data leak from Comodo WAF that would affect WHM security? To reproduce this bug: 1. Change WHM root password 2. Go quickly to WHM>Plugins>Comodo WAF. Instead of displaying the WHM login form, it will display the Comodo WAF settings. Hope to have helped, so you can release a fix for this.

Posted by ExecHoodRoll, 07-08-2014, 10:03 PM
Can anyone comment on compatibility with Litespeed?

Posted by MH-Stefan, 07-08-2014, 10:59 PM
Works fine, absolutely no issues so far.

Posted by HostXNow_Chris, 01-07-2015, 02:00 PM
I've been getting Current rules version 0 (Connection error: Auth failed) on and off lately. I login at https://accounts.comodo.com/cwaf/cwaf_subscriptions and it says subscription has expired (EXPIRED AT: 2015-01-04) ... anyone else having the same issues?

Posted by BeZazz, 01-07-2015, 02:04 PM
No but mine is set to expire at 2015-01-20

Posted by BeZazz, 01-07-2015, 02:06 PM
https://forums.comodo.com/free-modse...t109090.0.html

Posted by HostXNow_Chris, 01-07-2015, 02:10 PM
Seems strange that renewal is not automatic or why it even needs to be renewed at all if the product is meant to be free! As they have renewal in place I am guessing they are going to start charging for the product soon. Some news about this from Comodo would be good...

Posted by HostMantis, 01-07-2015, 02:30 PM
I think this is inevitable and was most likely their plan from the get go.

Posted by victormeldrew, 01-07-2015, 02:40 PM
I knew from the start they would start charging once they had loads of subs, no one does anything for free.

Posted by HostXNow_Chris, 01-07-2015, 03:07 PM
Same but I thought they would send reminder so we know to ask for licence to be renewed. I actually forgot the license was only valid for 12months. I thought it would just remain free until they setup paid plans. I just found original email

Posted by victormeldrew, 01-07-2015, 03:41 PM
Yes, an email letting you know it was due to expire would have been nice.

Posted by Ed-Freethought, 01-07-2015, 03:47 PM
That's certainly not what a Comodo representative claimed in this very thread around this time last year: http://www.webhostingtalk.com/showpo...&postcount=112 I wouldn't be surprised if they started offering a commercial version which comes with support etc. though.

Posted by oldgrunt, 01-07-2015, 03:52 PM
Been using them a while. Had only one error show, reloaded apache and have had no problems since, on 2 VPSs.

Posted by JackAllTrades, 01-07-2015, 04:20 PM
If they did, I honestly wouldn't even be interested based on the lousy support received on the product as it is. You may argue that it's free, so that's to be expected, but I would argue that if they intend to push a commercial product then the support is what would also drive sales and migrations to a commercial product. CWAF needs a lot more testing, the number of false positives needs to be massively decreased, and they need more communication and involvement with users when it comes to updates.

Posted by MH-Stefan, 01-07-2015, 05:42 PM
I opened a support ticket at https://support.comodo.com and they have simply renewed the license. Not sure why this was necessary, considering that the product is free, but since I'd only have to do this once a year, it doesn't really matter.

Posted by kpmedia, 01-07-2015, 06:20 PM
From the rumors I've heard, cPanel 11.48 will make 3rd party rules a thing of the past. So I'm just waiting for that. I've already seen huge strides on the cPanel handling of mod_sec, and hopefully it will get better this year. http://forums.cpanel.net/f185/defaul...ed-436311.html I'm not enthused about Comodo or OWASP, and Atomic is somewhat pricy if you have more than 1 server. Comodo software has always felt somewhat amateurish.

Posted by MH-Stefan, 01-07-2015, 06:45 PM
According to this feature request, 3rd party rule-sets will indeed continue to be supported, and even allow auto-updating and reporting via the API. I just wish that either Comodo or cPanel will introduce a feature where end-users can view the ModSecurity logs for their account, report false positives and disable specific rules. It really wasn't a wise decision from cPanel to offer the option for end-users to disable ModSecurity. Many people have no idea of the risks involved by disabling ModSecurity, especially since many hosts deal with negligent clients who never update their scripts. I'd rather deal with false positives than with hacked websites. Last edited by MH-Stefan; 01-07-2015 at 06:49 PM.

Posted by oldgrunt, 01-07-2015, 07:13 PM
Logs are located at: /usr/local/apache/logs The Comodo app has the enable/disable rules option there. Hope that helps. My error log looks fine to me, just checked.

Posted by HostXNow_Chris, 01-07-2015, 07:17 PM
I did that hours ago and they have not renewed mine yet.

Posted by MH-Stefan, 01-07-2015, 07:29 PM
Of course, but I was actually referring to these features for end-users. Basically the same features that we have in WHM, but ported to cPanel and limited to the account/domain owned by the end-user.

Posted by HostXNow_Chris, 01-08-2015, 08:23 AM
Anyone else found they are not able to enable rule

Posted by HostMantis, 01-08-2015, 02:39 PM
This seems to be the case with Apache 2.2.27 or lower. On 2.2.29+ that rule enables with no issues for me.

Posted by HostXNow_Chris, 01-08-2015, 02:46 PM
We're using 2.4.10 so must be issue with 2.4.xx


