How to install GotRoot ModSecurity Rules

By | 23 January 2012

Make sure you have at least version 2.6.1 of ModSecurity installed. cPanel ships its own ModSecurity module and its own ModSecurity configuration files. To install the GotRoot ModSecurity rules for the first time, do the following:

  1. Download the Free Delayed/Unsupported feed here. Keep in mind that the Delayed feed is released 90 days after the realtime feed (including any fixes).
  2. Unpack the rules in /usr/local/apache/conf/
  3. Create the following directories and chmod them accordingly:

    mkdir /var/asl
    mkdir /var/asl/data/
    mkdir /var/asl/data/msa
    mkdir /var/asl/data/audit
    mkdir /var/asl/data/suspicious
    chown nobody.nobody /var/asl/data/msa
    chown nobody.nobody /var/asl/data/audit
    chown nobody.nobody /var/asl/data/suspicious
    chmod o-rx -R /var/asl/data/*
    chmod ug+rwx -R /var/asl/data/*

    You will never need to use these directories yourself, but they have to be present for the rules to work.

  4. Modify your user configuration file /usr/local/apache/conf/modsec2.user.conf so that it contains the following directives:

    SecPcreMatchLimit 50000
    SecPcreMatchLimitRecursion 50000
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 20621440
    SecServerSignature Apache
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyLimit 20621440
    SecRequestBodyInMemoryLimit 2062144
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial
    # ASL/GOTROOT Rules
    Include /usr/local/apache/conf/modsec/*asl*.conf

    The recommended minimum ruleset to load is:

    Include /usr/local/apache/conf/modsec/00_asl_z_antievasion.conf
    Include /usr/local/apache/conf/modsec/09_asl_rules.conf
    Include /usr/local/apache/conf/modsec/10_asl_antimalware.conf
    Include /usr/local/apache/conf/modsec/10_asl_rules.conf
    Include /usr/local/apache/conf/modsec/11_asl_adv_rules.conf
    Include /usr/local/apache/conf/modsec/20_asl_useragents.conf
    Include /usr/local/apache/conf/modsec/30_asl_antispam.conf
    Include /usr/local/apache/conf/modsec/50_asl_rootkits.conf
    Include /usr/local/apache/conf/modsec/60_asl_recons.conf
    Include /usr/local/apache/conf/modsec/61_asl_recons_dlp.conf
    Include /usr/local/apache/conf/modsec/99_asl_jitp.conf

  5. Before restarting Apache, we recommend that you test your configuration by running Apache's "configtest" command:

    service httpd configtest

  6. Restart Apache and enjoy your new secure web server!