EasyApache mod_security Module
The mod_security website (http://www.modsecurity.org/) describes itself this way:
"ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis."
Apache 1.3 uses ModSecurity 1.x, and Apache 2.x uses ModSecurity 2.x.
Please see http://www.modsecurity.org/ for many excellent resources such as tips, rules and FAQs.
Some Important Things To Know When Changing Between Versions
- The ModSecurity activity viewer in WHM works seamlessly between versions.
- The rule editor in WHM will automatically work with the installed version's rules.
- Rule syntax is completely different between versions, and the rule files live in different locations.
That means your excellent collection of ModSecurity 1 rules will need to be rewritten in ModSecurity 2 format when going from 1 to 2, and vice versa when going from 2 to 1.
Unfortunately, there is no easy one-to-one relationship or translation ability. You can find resources to help with this at http://www.modsecurity.org/, including a "ModSecurity 1.x to 2.x Migration Matrix," the "ModSecurity FAQ" (under Documentation) and an excellent community of users.
2.5.6 Transformation Caching Deprecated
With the release of ModSecurity 2.5.6, transformation caching is now deprecated. In all releases prior to 2.5.6, the underlying transformation caching subsystem is unstable and may crash the Apache server. You are advised to disable caching for all 2.5 versions of ModSecurity in your configuration using the following directive:
SecCacheTransformations Off
For more information, please visit: http://blog.modsecurity.org/2008/08/transformation.html
Upgrading from ModSecurity 2.1 to 2.5
Using 2.1 Rules on 2.5
So far, it appears that 2.1 format rules work on 2.5. However, the ModSecurity team has made no official announcement of compatibility. You will need to verify that any custom rulesets work with 2.5 to ensure no interruption of service due to the upgrade. The rules included by cPanel for 2.1 will work on 2.5.
ModSecurity 2.5 Rule Scripting - Lua
ModSecurity version 2.5 adds support for rule scripting via Lua. Lua is known to have difficulties building. A Lua build failure will not halt the Apache build, but it will leave errors in the build log, and Lua support will not be enabled. If you wish to use Lua in your custom ruleset, read carefully about its proper usage and ensure that the Lua build was a success.
Some things to watch out for when using Lua:
- ModSecurity marks it as "Experimental"; use at your own risk.
- Lua syntax or permission errors will prevent Apache from starting.
- Apache must be able to read the Lua file.
- Lua script changes require an Apache restart to take effect.
Where to store Lua scripts
Lua scripts should be stored in /usr/local/apache/conf, in a subdirectory such as /usr/local/apache/conf/modsec-lua. Storing scripts in this location ensures they are available whenever Apache configurations are tested or Apache is restarted, and keeps them intact through EasyApache builds.
Warning: Failure to store Lua scripts in /usr/local/apache/conf could result in a failed Apache build and/or a broken ModSecurity configuration.
More information on ModSecurity 2.5 can be found here.
Information about using Lua scripts in your ModSecurity rules can be found here: http://www.modsecurity.org/documentation/modsecurity-apache/2.5.5/modsecurity2-apache-reference.html#N109A9.
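As an added example (not from this page or from the ModSecurity project), here is a minimal ModSecurity 2.5 Lua rule script of the kind discussed above, stored under the recommended /usr/local/apache/conf/modsec-lua directory and loaded with SecRuleScript; the file name, the per-argument length limit and the log level are assumed values, and the script uses only the m.getvars and m.log calls from the 2.5 Lua API.

```lua
-- Added example (not the page's or the ModSecurity project's own code).
-- Assumed file location and loading directive (both hypothetical):
--   /usr/local/apache/conf/modsec-lua/check_args.lua
--   SecRuleScript /usr/local/apache/conf/modsec-lua/check_args.lua "phase:2,log,deny,status:403"
--
-- ModSecurity 2.5 calls main() once per request in the configured phase.
-- Returning nil means "no match"; returning a string means "match" and the
-- string becomes the audit/error log message.

local MAX_ARG_LEN = 2048   -- assumed per-site limit for a single argument

function main()
    -- Fetch every request argument with transformations applied, in the same
    -- way a SecRule would. getvars() returns a table of {name=..., value=...}.
    local args = m.getvars("ARGS", { "urlDecodeUni", "lowercase" })

    if args == nil or #args == 0 then
        return nil   -- nothing to inspect (e.g. a GET without a query string)
    end

    for _, arg in ipairs(args) do
        local value = arg.value or ""

        -- Oversized parameter: worth rejecting before the application sees it.
        if #value > MAX_ARG_LEN then
            return "Argument " .. arg.name .. " exceeds " .. MAX_ARG_LEN .. " bytes"
        end

        -- Control characters other than tab, LF and CR (which textareas
        -- legitimately carry) do not belong in ordinary form input.
        -- %z matches NUL in the Lua 5.1 pattern syntax used by ModSecurity 2.5.
        if string.find(value, "[%z\1-\8\11\12\14-\31]") then
            m.log(4, "check_args.lua: control character in " .. arg.name)
            return "Control character in argument " .. arg.name
        end
    end

    return nil
end
```

Because Lua errors prevent Apache from starting, run the script through a standalone Lua interpreter (luac -p) and test the Apache configuration before restarting.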