Kryptronic Software Support Forum

You are viewing this forum as a guest. Login to an existing account, or create a new account, to reply to topics and to create new topics.

#1 04-18-2019 08:00:41

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 882

OWASP ModSecurity Core Rule Set V3.0

We have ModSecurity installed on our cPanel server but OWASP is also available but currently uninstalled.

Does anyone know if this is worth adding and if it might impact proper functioning of K9?


Simon

Offline

 

#2 04-19-2019 07:20:23

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: OWASP ModSecurity Core Rule Set V3.0

I think it's worth adding.  We've run into a few issues with mod_security and/or OWASP rulesets in the past, and if I recall, mainly the admin.php script.  There may be a whilelist rule or two you'll need to add to get things working 100%.  However, the last time any sort of issue was reported with mod_security and/or OWASP rulesets was years ago, so there may be no issues at all with current configurations.  I recommend running it, and whatever issues you run into would be easily solved with a whitelist entry.


Nick Hendler

Offline

 

#3 04-19-2019 07:20:50

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: OWASP ModSecurity Core Rule Set V3.0

If you pursue this, we're here to help and would like to know how your final setup ends up.


Nick Hendler

Offline

 

#4 04-24-2019 14:55:16

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 882

Re: OWASP ModSecurity Core Rule Set V3.0

We installed OWASP and can see quite a few entries under ModSecurity™ Tools »Hits List.

Unfortunately, the information provided about the hits is meaningless to me. We see things like

2019-04-24 20:12:18     ourdomain.com     138.68.29.165         301    
Request:
GET /magmi/web/download_file.php?file=../../app/etc/local.xml
Action Description:
Warning.
Justification:
Operator GE matched 5 at TX:inbound_anomaly_score.

What should I be looking for to know if it is the relevant to the operation of K9? Will I see "admin.php" mentioned?


Simon

Offline

 

#5 04-25-2019 07:11:06

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: OWASP ModSecurity Core Rule Set V3.0

Anything that gets actual K9 URLs - like /admin.php, /index.php. /html-page-id, /Item/item-id, /Category/category-id, etc. would be concerning.  I'd recommend you try using admin to submit a few select statements in Raw DB Admin, perhaps update a product or category description with PHP tags in it - things that you would expect would cause trouble if a regular browser submitted requests containing data that looked questionable.  You may not have any issues at all - it's been years since we saw any issues reported with this.  When you get it all worked out, I'd appreciate you sharing your configuration/setup as we'd like to document it.


Nick Hendler

Offline

 

#6 04-30-2019 03:00:01

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 882

Re: OWASP ModSecurity Core Rule Set V3.0

I am testing using OWASP default rules. So far we have not seen any K9 related URLs. There are now in excess of 24,400 hits of which 24,000 were generated by one IP address (54.235.163.229). We originally blacklisted it until we realised it relates to scanmyserver.com who we use to run free security tests. So not much to report at present.


Simon

Offline

 

#7 04-30-2019 06:57:13

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: OWASP ModSecurity Core Rule Set V3.0

Thanks for the update.  Good news.


Nick Hendler

Offline

 

Board footer