Editor to tame mod_security rulesets
Project description
mod_security config GUI
GUI to define SecRuleRemoveById settings on a vhost-basis
Tries to suggest false positives from error and audit logs
And configure mod_security and CoreRuleSet variables.
Runs locally, via ssh -X forwarding, or per modseccfg ssh:/ remoting.
Installation
You can install this package locally or on a server:
pip3 install modseccfg
And your distro must provide a full Python installaton and mod_security:
sudo apt install python3-tk ttf-unifont libapache2-mod-security2
Start options
To run the GUI locally / on test setups:
modseccfg
Or with sshfs remoting directly to the servers filesystem:
modseccfg root@vps5:/
A little slower on startup, but allows live log inspection. Requires preconfigured ssh hosts and automatic pubkey authorization. Beware of the implicit ~/mnt/ point, if connecting as root.
Alternatively there’s also slow X11 forwarding (ssh -X vps modseccfg) or `xpra --start ssh:vps5 --start=modseccfg <https://xpra.org/>`__ to run it on on the server.
Usage
You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.
Start modseccfg (python3 -m modseccfg)
Select a configuration/vhost file to inspect + work on.
Pick the according error.log
Inspect the rules with a high error count (→[info] button to see docs).
[Disable] offending rules
Don’t just go by the error count however!
Make sure you don’t disable essential or heuristic rules.
Compare error with access log details.
Else craft an exception rule ([Modify] or →Recipes).
Thenceforth restart Apache (after testing changes: apache2ctl -t).
See also: usage remoting, or preconf/recipe setup, or the “FAQ”.
Notes
Preferrably do not edit default /etc/apache* files
Work on separated /srv/web/conf.d/* configuration, if available
And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
Requires some setup for the recipes (notably *.preconf includes for vhosts), but not for basic rule disabling/modifications.
File→Install packages are Debian-only
Reporting scripts also require Ruby
from project import meta
meta |
info |
|---|---|
depends |
python:pysimplegui, python:pluginconf, python:tkinter, sys:mod-security, bin:sshfs _ |
compat |
Python ≥3.6, Apache 2.x, mod_security 2.9.x, CRS 3.x, BSD/Linux |
compliancy |
xdg, pluginspec, !pep8, logfmt, !desktop, !xdnd, mallard, man, sshrc, !netrc, !http_proxy, !nobackup, !releases.json, !doap, !packfile |
system usage |
opportune shell invokes (sshfs, find, cat, dpkg, xdg-open) |
paths |
~/mnt/, ~/backup-config/, ~/.config/modseccfg/ |
testing |
few data-driven assertions, only manual UI and usage tests |
docs |
minimal wiki, yelp, news |
activity |
burst, temporary |
state |
beta |
support |
None |
contrib |
mail, fossil DVCS (create an account or send bundles) |
announce |
freshcode.club, pypi.org |
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
File details
Details for the file modseccfg-0.7.3-py3-none-any.whl.
File metadata
- Download URL: modseccfg-0.7.3-py3-none-any.whl
- Upload date:
- Size: 197.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: Python-urllib/3.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | f4e6dbcc276cc842c8938db256b387bc6b87deb3116674381e0900af99b74e32 |
|
| MD5 | 3d618ca2308c56f7ecc18bab5465e7c0 |
|
| BLAKE2b-256 | f51683ce3c977454c5e017de9eedbcc15ddb4b8598f182a9e8095361f5ab2484 |
