Editor to tame mod_security rulesets
Project description
mod_security config GUI
GUI to define SecRuleRemoveById settings on a vhost-basis
Tries to suggest false positives from error and audit logs
And configure mod_security and CoreRuleSet variables.
Runs locally, via ssh -X forwarding, or per modseccfg ssh:/ remoting.
Installation
You can install this package locally or on a server:
pip3 install modseccfg
And your distro must provide a full Python installaton and mod_security:
sudo apt install python3-tk ttf-unifont libapache2-mod-security2
Start options
To run the GUI locally / on test setups:
modseccfg
Or with sshfs remoting directly to the servers filesystem:
modseccfg root@vps5:/
A little slower on startup, but allows live log inspection. Requires preconfigured ssh hosts and automatic pubkey authorization. Beware of the implicit ~/mnt/ point, if connecting as root.
Alternatively there’s also slow X11 forwarding (ssh -X vps modseccfg) or `xpra --start ssh:vps5 --start=modseccfg <https://xpra.org/>`__ to run it on on the server.
Usage
You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.
Start modseccfg (python3 -m modseccfg)
Select a configuration/vhost file to inspect + work on.
Pick the according error.log
Inspect the rules with a high error count (→[info] button to see docs).
[Disable] offending rules
Don’t just go by the error count however!
Make sure you don’t disable essential or heuristic rules.
Compare error with access log details.
Else craft an exception rule ([Modify] or →Recipes).
Thenceforth restart Apache (after testing changes: apache2ctl -t).
See also: usage remoting, or preconf/recipe setup, or the “FAQ”.
Notes
Preferrably do not edit default /etc/apache* files
Work on separated /srv/web/conf.d/* configuration, if available
And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
Requires some setup for the recipes (notably *.preconf includes for vhosts), but not for basic rule disabling/modifications.
File→Install packages are Debian-only
Reporting scripts also require Ruby
from project import meta
meta |
info |
---|---|
depends |
python:pysimplegui, python:pluginconf, python:tkinter, sys:mod-security, bin:sshfs _ |
compat |
Python ≥3.6, Apache 2.x, mod_security 2.9.x, CRS 3.x, BSD/Linux |
compliancy |
xdg, pluginspec, !pep8, logfmt, !desktop, !xdnd, !mallard, sshrc, !netrc, !http_proxy, !nobackup, !PKG_INFO, !releases.json, !doap, !packfile |
system usage |
opportune shell invokes (sshfs, find, cat, dpkg, xdg-open) |
paths |
~/mnt/, ~/backup-config/, ~/.config/modseccfg/ |
testing |
few data-driven assertions, only manual UI and usage tests |
docs |
minimal wiki, news, no man page |
activity |
burst, temporary |
state |
beta |
support |
None |
contrib |
mail, fossil DVCS (create an account or send bundles) |
announce |
freshcode.club, pypi.org |
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Hashes for modseccfg-0.7.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | eddd333291f482a1e711e9778b8a315cfa6a4d94c8acdd7218817a5e4e678195 |
|
MD5 | 27cf8070ba5e2fdf218bd9c0f456cade |
|
BLAKE2b-256 | 92059951ab634dce4f067c511e3c528510b4699ebad5724050c9f315095a6b3b |