Editor to tame mod_security rulesets
Project description
mod_security config GUI
- GUI to define SecRuleRemoveById settings on a vhost-basis
- Tries to suggest false positives from error and audit logs
- And configure mod_security and CoreRuleSet variables.
- Runs locally, via ssh -X forwarding, or per modseccfg ssh:/ remoting.
Installation
You can install this package locally or on a server:
pip3 install modseccfg
And your distro must provide a full Python installaton and mod_security:
sudo apt install python3-tk ttf-unifont libapache2-mod-security2
Start options
To run the GUI locally / on test setups:
modseccfg
Or with sshfs remoting directly to the servers filesystem:
modseccfg root@vps5:/
A little slower on startup, but allows live log inspection. Requires preconfigured ssh hosts and automatic pubkey authorization. Beware of the implicit ~/mnt/ point, if connecting as root.
Alternatively there’s also slow X11 forwarding (ssh -X vps modseccfg) or `xpra --start ssh:vps5 --start=modseccfg <https://xpra.org/>`__ to run it on on the server.
Usage
You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.
- Start modseccfg (python3 -m modseccfg)
- Select a configuration/vhost file to inspect + work on.
- Pick the according error.log
- Inspect the rules with a high error count (→[info] button to see docs).
- [Disable] offending rules
- Don’t just go by the error count however!
- Make sure you don’t disable essential or heuristic rules.
- Compare error with access log details.
- Else craft an exception rule ([Modify] or →Recipes).
- Thenceforth restart Apache (after testing changes: apache2ctl -t).
See also: usage remoting, or preconf/recipe setup, or the “FAQ”.
Notes
- Preferrably do not edit default /etc/apache* files
- Work on separated /srv/web/conf.d/* configuration, if available
- And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
- Requires some setup for the recipes (notably *.preconf includes for vhosts), but not for basic rule disabling/modifications.
- File→Install packages are Debian-only
- Reporting scripts also require Ruby
from project import meta
| meta | info |
|---|---|
| depends | python:pysimplegui, python:pluginconf, python:tkinter, sys:mod-security, bin:sshfs _ |
| compat | Python ≥3.6, Apache 2.x, mod_security 2.9.x, CRS 3.x, BSD/Linux |
| compliancy | xdg, pluginspec, !pep8, logfmt, !desktop, !xdnd, !mallard, sshrc, !netrc, !http_proxy, !nobackup, !PKG_INFO, !releases.json, !doap, !packfile |
| system usage | opportune shell invokes (sshfs, find, cat, dpkg, xdg-open) |
| paths | ~/mnt/, ~/backup-config/, ~/.config/modseccfg/ |
| testing | few data-driven assertions, only manual UI and usage tests |
| docs | minimal wiki, news, no man page |
| activity | burst, temporary |
| state | beta |
| support | None |
| contrib | mail, fossil DVCS (create an account or send bundles) |
| announce | freshcode.club, pypi.org |
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
| Filename, size | File type | Python version | Upload date | Hashes |
|---|---|---|---|---|
| Filename, size modseccfg-0.7.0-py3-none-any.whl (195.8 kB) | File type Wheel | Python version 3.7 | Upload date | Hashes View |
Hashes for modseccfg-0.7.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | eddd333291f482a1e711e9778b8a315cfa6a4d94c8acdd7218817a5e4e678195 |
|
| MD5 | 27cf8070ba5e2fdf218bd9c0f456cade |
|
| BLAKE2-256 | 92059951ab634dce4f067c511e3c528510b4699ebad5724050c9f315095a6b3b |
