Install/Add GotRoot ModSecurity Rules On Whm/Cpanel Server


ModSecurity is a web application firewall that filters incoming requests to prevent poorly written or malicious code from being executed or exploited on a Linux server.

This module is easily installed when running a cPanel server by using the EasyApache application and is highly recommended to enhance your server’s security.

However, the default rules supplied by the application are not only quite basic, but can also produce a high rate of false positives, which becomes a major pain to deal with when managing a shared hosting environment.
The GotRoot rules compiled by Atomicorp are a fantastic alternative and dramatically improve ModSecurity's effectiveness while reducing false positives. Atomicorp provides a free release of these rules (delayed by at least 90 days) which is relatively easy to install on your cPanel server.

Log in to your server via SSH as root and then perform the following steps:

1. First create required directories

mkdir /etc/httpd/modsecurity.d
mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious

2. Change ownership and permissions on the data folders (cPanel runs Apache as the nobody user)

chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*

3. Upload the rule files to /etc/httpd/modsecurity.d (the .conf files listed below as well as the accompanying .txt data files)

After uploading, the directory should contain at least the following rule files; each one is picked up by the wildcard Include added to the user configuration file in step 4:
Include /etc/httpd/modsecurity.d/05_asl_exclude.conf
Include /etc/httpd/modsecurity.d/10_asl_antimalware.conf
Include /etc/httpd/modsecurity.d/10_asl_rules.conf
Include /etc/httpd/modsecurity.d/11_asl_data_loss.conf
Include /etc/httpd/modsecurity.d/20_asl_useragents.conf
Include /etc/httpd/modsecurity.d/30_asl_antispam.conf
Include /etc/httpd/modsecurity.d/50_asl_rootkits.conf
Include /etc/httpd/modsecurity.d/60_asl_recons.conf
Include /etc/httpd/modsecurity.d/61_asl_recons_dlp.conf
Include /etc/httpd/modsecurity.d/99_asl_jitp.conf

4. Add the following lines to the user configuration file (/usr/local/apache/conf/modsec2.user.conf)

 pico /usr/local/apache/conf/modsec2.user.conf

Add these directives:

SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
Include /etc/httpd/modsecurity.d/*.conf

Add the following to php.ini to avoid PCRE errors (the limits match the SecPcreMatchLimit values above):

pico /usr/local/lib/php.ini

Add these lines at the end of php.ini:

pcre.backtrack_limit = 50000
pcre.recursion_limit = 50000
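A pre-flight check for the configuration built in steps 1 to 4, added here as an example (it is not part of the original post or of Atomicorp's tooling). It reads a modsec2.user.conf-style file, verifies that every directory named by SecDataDir, SecUploadDir, SecAuditLogStorageDir and SecTmpDir exists, and that every Include (wildcards allowed) resolves to at least one readable file, so a rule file that was never uploaded or a data directory that was never created is reported before Apache is told to load the config. The sandbox paths it builds under mktemp are constructed stand-ins for /etc/httpd and /var/asl.

```shell
#!/bin/sh
# check_modsec_conf CONF -> prints one line per problem; exit 0 only if none found
check_modsec_conf() {
    conf="$1"
    problems=0
    [ -r "$conf" ] || { echo "MISSING conf: $conf"; return 1; }
    # Directives whose argument must be an existing directory (see step 4)
    for key in SecDataDir SecUploadDir SecAuditLogStorageDir SecTmpDir; do
        dir=$(awk -v k="$key" '$1 == k { print $2 }' "$conf")
        [ -n "$dir" ] || continue
        [ -d "$dir" ] || { echo "MISSING directory for $key: $dir"; problems=$((problems + 1)); }
    done
    # Unquoted $pat lets the shell expand wildcards such as modsecurity.d/*.conf;
    # an unmatched pattern stays literal and therefore fails the -r test below.
    for pat in $(awk '$1 == "Include" { print $2 }' "$conf"); do
        for f in $pat; do
            [ -r "$f" ] || { echo "MISSING rule file: $f"; problems=$((problems + 1)); }
        done
    done
    [ "$problems" -eq 0 ]
}

# Constructed sandbox (assumed layout): two of the rule files are present, the
# suspicious-upload directory and 99_asl_jitp.conf were deliberately left out.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/modsecurity.d" "$root/asl/msa" "$root/asl/audit"
    touch "$root/modsecurity.d/05_asl_exclude.conf" "$root/modsecurity.d/10_asl_rules.conf"
    cat > "$root/modsec2.user.conf" <<EOF
SecRequestBodyAccess On
SecDataDir $root/asl/msa
SecUploadDir $root/asl/suspicious
SecAuditLogStorageDir $root/asl/audit
Include $root/modsecurity.d/*.conf
Include $root/modsecurity.d/99_asl_jitp.conf
EOF
    echo "$root"
}

sandbox=$(make_sandbox)
if check_modsec_conf "$sandbox/modsec2.user.conf"; then
    echo "config OK"
else
    echo "fix the problems above before reloading Apache"
fi
rm -rf "$sandbox"
```

Point it at the real file with `check_modsec_conf /usr/local/apache/conf/modsec2.user.conf` on the server itself.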