modseccfg 0.4.1

Editor to tame mod_security rulesets

WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION

- It doesn’t, but: no warranty and such. - Also, hasn’t many features yet.

modseccfg

• Simple GUI editor for SecRuleRemoveById settings
• Tries to suggest false positives from error and audit logs
• And configure mod_security and CoreRuleSet variables.
• Runs locally, via ssh -X forwarding, or per modseccfg vps5:/ automount.

Installation

• You can install this package locally or on a server:

  pip3 install modseccfg
  

• And your distro must provide a full Python 3.x installaton:

  sudo apt install python3-tk ttf-unifont libapache2-mod-security2
  

Start options

• To run the GUI locally / on test setups:

  modseccfg
  

• To start it on a server per X11 forwarding (terribly slow over SSH):

  ssh -X vps5 modseccfg
  

• Alternatively use xpra:

  xpra --start ssh:vps5 --start=modseccfg
  

• Best: use an automatic filesystem mount (with ssh shortcut/pubkey auth already configured). That’s a bit slow on startup, but pays off when browsing for details.

  modseccfg vps5:/
  

  WARNING: This will bind the remote / server root. Take care to configure the mount point (File → Settings → Utils → Remote binding), and no backup or cleanup job is running whilst modseccfg is active.

  This doesn’t strictly require the root user for ssh, but permissions for logs and individual *.conf files when changed (chown the ones that shall be editable). The sshfs/fuse mount will be terminated with the GUI, though.

Usage

You obviously should have Apache(2.x) + mod_security(2.9) + CRS(3.x) set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.

1. Start modseccfg (python3 -m modseccfg)
2. Select a configuration/vhost file to inspect + work on.
3. Pick the according error.log
4. Inspect the rules with a high error count (→[info] button to see docs).
5. [Disable] offending rules
   • Don’t just go by the error count however!
   • Make sure you don’t disable essential or heuristic rules.
   • Compare error with access log details.
   • Else craft an exception rule ([Modify] or →Recipes).
6. Thenceforth restart Apache after testing changes (apache2ctl -t).

Notes

• Preferrably do not edit default /etc/apache* files
• Work on separated /srv/web/conf.d/* configuration, if available
• And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).

Missing features

• File permission check on remote host is non-functional still.
• Doesn’t process any audit.log yet.
• Can’t classify wrapped (<Location>/<FilesMatch>) rules yet.
• [STRIKEOUT:No rule information dialog.]
• [STRIKEOUT:No SecOption editor yet.]
• [STRIKEOUT:No CRS settings (setvar:crs…) editor yet.]
• Recipes are not worth using yet.
• No sudo usage.