Editor to tame mod_security rulesets
modseccfg
GUI to define SecRuleRemoveById settings on a vhost-basis
Tries to suggest false positives from error and audit logs
And configure mod_security and CoreRuleSet variables.
Runs locally, via ssh -X forwarding, or per modseccfg ssh:/ remoting.
Installation
You can install this package locally or on a server:
pip3 install modseccfg
And your distro must provide a full Python installation and mod_security:
sudo apt install python3-tk ttf-unifont libapache2-mod-security2
Start options
To run the GUI locally / on test setups:
modseccfg
Or with sshfs remoting directly to the server's filesystem:
modseccfg root@vps5:/
A little slower on startup, but allows live log inspection. Requires preconfigured ssh hosts and automatic pubkey authorization. Beware of the implicit ~/mnt/ mount point when connecting as root.
Alternatively there’s also slow X11 forwarding (ssh -X vps modseccfg) or xpra --start ssh:vps5 --start=modseccfg (https://xpra.org/) to run it on the server.
Usage
You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.
Start modseccfg (python3 -m modseccfg)
Select a configuration/vhost file to inspect + work on.
Pick the corresponding error.log
Inspect the rules with a high error count (→[info] button to see docs).
[Disable] offending rules
Don’t just go by the error count however!
Make sure you don’t disable essential or heuristic rules.
Compare error with access log details.
Else craft an exception rule ([Modify] or →Recipes).
Thenceforth restart Apache (after testing changes: apache2ctl -t).
See also: usage remoting, or preconf/recipe setup, or the “FAQ”.
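
The inspection steps above, as an added example (not modseccfg's own code): a Python script that tallies ModSecurity hits per vhost and rule id from error.log lines and lists only rules triggered by several distinct clients as candidates for review. The sample log lines are constructed, the distinct-client threshold is a heuristic assumed here, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# CRS 3.x anomaly-score evaluation/correlation rules: never candidates for removal.
ESSENTIAL = {"949110", "959100", "980130"}

# Constructed, abbreviated error.log lines (Apache 2.4 + mod_security 2.9 field style).
SAMPLE_LOG = '''\
[Mon Mar 02 10:00:01 2020] [:error] [client 192.0.2.10:40112] ModSecurity: Warning. [id "942100"] [hostname "shop.example.test"] [uri "/admin/editor"]
[Mon Mar 02 10:00:02 2020] [:error] [client 192.0.2.10:40112] ModSecurity: Warning. [id "949110"] [hostname "shop.example.test"] [uri "/admin/editor"]
[Mon Mar 02 10:05:10 2020] [:error] [client 192.0.2.11:51200] ModSecurity: Warning. [id "942100"] [hostname "shop.example.test"] [uri "/admin/editor"]
[Mon Mar 02 10:07:44 2020] [:error] [client 192.0.2.12:38004] ModSecurity: Warning. [id "942100"] [hostname "shop.example.test"] [uri "/admin/editor"]
[Mon Mar 02 11:30:00 2020] [:error] [client 198.51.100.7:60001] ModSecurity: Warning. [id "930120"] [hostname "shop.example.test"] [uri "/search"]
[Mon Mar 02 11:30:00 2020] [:error] [client 198.51.100.7:60001] ModSecurity: Warning. [id "949110"] [hostname "shop.example.test"] [uri "/search"]
'''

FIELD = re.compile(r'\[(id|hostname|uri) "([^"]*)"\]')
CLIENT = re.compile(r'\[client ([\d.]+)(?::\d+)?\]')  # IPv4 only in this example

def parse_line(line):
    """Return the fields of one ModSecurity log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    rec = dict(FIELD.findall(line))
    client = CLIENT.search(line)
    rec["client"] = client.group(1) if client else "?"
    return rec if rec.keys() >= {"id", "hostname"} else None

def tally(log_text):
    """Group hits by (vhost, rule id) with the distinct clients and URIs seen."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set()})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = stats[(rec["hostname"], rec["id"])]
        s["hits"] += 1
        s["clients"].add(rec["client"])
        s["uris"].add(rec.get("uri", "?"))
    return stats

def review_candidates(stats, min_clients=2):
    """Non-essential rules hit by several distinct clients (assumed heuristic)."""
    return [(host, rid, s["hits"], sorted(s["uris"]))
            for (host, rid), s in sorted(stats.items())
            if rid not in ESSENTIAL and len(s["clients"]) >= min_clients]

if __name__ == "__main__":
    for host, rule_id, hits, uris in review_candidates(tally(SAMPLE_LOG)):
        print(f"# {host}: {hits} hits on {', '.join(uris)}; compare with access.log")
        print(f"SecRuleRemoveById {rule_id}")
```

Each printed SecRuleRemoveById line is a candidate to check against the access log, not a decision; the single-client 930120 hit and the 949110 score rule are deliberately left out.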
Notes
Preferably do not edit default /etc/apache* files
Work on separated /srv/web/conf.d/* configuration, if available
And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
Requires some setup for the recipes (notably *.preconf includes for vhosts), but not for basic rule disabling/modifications.
File→Install packages are Debian-only
Reporting scripts also require Ruby
from project import meta
meta | info |
---|---|
depends | python:pysimplegui, python:pluginconf, python:tkinter, sys:mod-security, bin:sshfs |
compat | Python ≥3.6, Apache 2.x, mod_security 2.9.x, CRS 3.x, BSD/Linux |
compliancy | xdg, pluginspec, !pep8, !logfmt, !desktop, !xdnd, !mallard, sshrc, !netrc, !http_proxy, !nobackup, !PKG_INFO, !releases.json, !doap, !packfile |
system usage | opportune shell invokes (sshfs, find, cat, dpkg, xdg-open) |
paths | ~/mnt/, ~/backup-config/, ~/.config/modseccfg/ |
testing | few data-driven assertions, only manual UI and usage tests |
docs | minimal wiki, news, no man page |
activity | burst, temporary |
state | beta |
support | None |
contrib | mail, fossil DVCS (create an account or send bundles) |
announce | freshcode.club, pypi.org |
Hashes for modseccfg-0.6.0-py3-none-any.whl
Algorithm | Hash digest |
---|---|
SHA256 | 777feda6c618e71d87ffb6c293e053687df5265cb6e509f979378b0e5557beb1 |
MD5 | 8668e0ae059f12118c358edd16b71ce2 |
BLAKE2b-256 | 381611bf70f64287acf09d4bb5541508b5c191a810eb85978c2c2b9bea349eaa |