Control Web Panel
Security => Mod_Security => Topic started by: venty on June 16, 2025, 06:17:43 PM
-
Hi,
The OWASP CRS ruleset 4.15.0 was just released .... how to install them???
Thanks in advance!
BR
Venty
-
You can use this guide, just change the version number.
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/owasp-crs-ruleset-update-to-4-12-0-running-cwp-and-apache-on-almalinux-8-9/
-
You can use this guide, just change the version number.
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/owasp-crs-ruleset-update-to-4-12-0-running-cwp-and-apache-on-almalinux-8-9/
Hi,
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/owasp-crs-ruleset-update-to-4-12-0-running-cwp-and-apache-on-almalinux-8-9
step 5 - Is it okay?
BR
Venty
-
Hi,
Ok, I've done everything for version OWASP CRS v4.15.0, as in these instructions for version OWASP CRS v4.12.0...
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/owasp-crs-ruleset-update-to-4-12-0-running-cwp-and-apache-on-almalinux-8-9
Please take a look:
https://prnt.sc/wNgzhHlIyj25
https://prnt.sc/6XE5ZHQpmNXU
How can I be sure that the security mod works with version OWASP CRS v4.15.0 of the rules?
Thanks in advance!
BR
Venty
-
Did you follow the initial link at the top of the article and update ModSecurity to 2.9.8?
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-modsecurity-2-9-8-running-cwp-and-apache-on-almalinux-8-9/
From your screen shot, it looks like you stopped somewhere before Step 8.
In your owasp.conf, you want it to have only those 3 lines listed:
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.12.0/crs-setup.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.12.0/rules/*.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/global_disabled_rules.conf
I can login and do this real quick if you want.
-
Did you follow the initial link at the top of the article and update ModSecurity to 2.9.8?
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-modsecurity-2-9-8-running-cwp-and-apache-on-almalinux-8-9/
From your screen shot, it looks like you stopped somewhere before Step 8.
In your owasp.conf, you want it to have only those 3 lines listed:
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.12.0/crs-setup.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.12.0/rules/*.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/global_disabled_rules.conf
I can login and do this real quick if you want.
Hi,
To perform the update to 2.9.8, but after installation of mod security and updating to 2.9.8, everything is OK, I have the entry "ModSecurity for Apache/2.9.8 (http://www.modsecurity.org/) configured.", but I also have the entry "ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On."... What should I do..?
And then perform all the steps, not only up to step 8, please see:
https://prnt.sc/KeSRfdW2nphb
https://prnt.sc/eXDRn9GCDBlx
https://prnt.sc/FN0twkI-TC-A
https://prnt.sc/dyXLr7rwtqK7
https://prnt.sc/-9TIbLitg9ie
I'm sure you'll do it quickly, but let me struggle, someone figure it out, please ...
BR
Venty
-
I am using Comodo WAF as CWP alerts "We recommend using Comodo WAF rules as they are much simpler and easier for beginners."
Can you please highlight the difference and which option is better?
-
It used to be the better option, but Comodo is in an identity crisis and hasn't updated its definitions since Jan 2024, so it is now effectively dead. Best to go with the OWASP-old which is current. Follow Starburst's guide to update to Mod Security 2.9.8 and then get the latest 4.15 OWASP definitions.
-
Did you follow the initial link at the top of the article and update ModSecurity to 2.9.8?
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-modsecurity-2-9-8-running-cwp-and-apache-on-almalinux-8-9/
From your screen shot, it looks like you stopped somewhere before Step 8.
In your owasp.conf, you want it to have only those 3 lines listed:
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.12.0/crs-setup.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.12.0/rules/*.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/global_disabled_rules.conf
I can login and do this real quick if you want.
Hi,
To perform the update to 2.9.8, but after installation of mod security and updating to 2.9.8, everything is OK, I have the entry "ModSecurity for Apache/2.9.8 (http://www.modsecurity.org/) configured.", but I also have the entry "ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On."... What should I do..?
And then perform all the steps, not only up to step 8, please see:
https://prnt.sc/KeSRfdW2nphb
https://prnt.sc/eXDRn9GCDBlx
https://prnt.sc/FN0twkI-TC-A
https://prnt.sc/dyXLr7rwtqK7
https://prnt.sc/-9TIbLitg9ie
I'm sure you'll do it quickly, but let me struggle, someone figure it out, please ...
BR
Venty
-
Why do you quote your posts that are directly above with nothing new to add?
-
What happened to the configuration I did on your server on 2025-06-27?
Everything was working fine.
ModSecurity 2.9.8 was installed, and so was the OWASP CRS 4.15.0 ruleset.
Your configuration paths aren't showing how they were set.
Include /usr/local/apache/modsecurity-rules/custom-rules/startup/*.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/crs-setup.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/before/*.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/rules/*.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/after/*.conf
/modsecurity-rules/custom-rules/before/global_disabled_rules.conf
has rules needed by CWP.
Unless you moved them to the path you are showing now.
You're welcome to tweak things if you want, but just note it's easy to break things in ModSecurity.
-
@venty
I apologize, I'm getting you mixed up with someone else.
-
.............
Your configuration paths aren't showing how they were set.
Include /usr/local/apache/modsecurity-rules/custom-rules/startup/*.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/crs-setup.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/before/*.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-4.15.0/rules/*.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/after/*.conf
/modsecurity-rules/custom-rules/before/global_disabled_rules.conf
has rules needed by CWP.
........................
Hi,
Thank you very much, I understood everything, just one last thing to clarify:
1. The permanent deactivation or bypass of rules happens again in the file global_disabled_rules.conf, which is in /usr/local/apache/modsecurity-rules/custom-rules/before/?
Thanks in advance!
BR
Venty
-
Yes, when you installed Mod_Security under CWP before the modifications, there would have been a file in there called global_disabled_rules.conf.
Just copy that over to /modsecurity-rules/custom-rules/before/
-
@starburst
Installed OWASP CRS Ruleset 4.16.0 as per your guide.
Working fine.
Thank you
-
In order to support an e-commerce site and a service industry site, here's a couple more rules I had to add to the WordPress section of the disabled rules files:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
SecRuleRemoveById 981172
SecRuleRemoveById 981319
-
That's very helpful because I plan to update the OWASP rules to the latest version and we are hosting various websites.
Thanks.
-
Hi,
Many thanks to Starburst...., but should I merge the two in the rbl.conf file
https://prnt.sc/9Tp9vbYKVfdk
BR
Venty
-
You can do it any way you like your system set up.
As long as ModSecurity reads the .conf
-
Someone has to include 2 very critical details on these guides:
1) the CWP admin dashboard "Global Disabled Rules" file is NOT the same with the one that our customized mod_security is currently using.
No edit on that file will work. The user has to add/remove rules on the new global_disabled.conf under the newly created folder.
2) the mod_security.conf file is getting overwritten occasionally by the CWP Security daemon - replacing the custom OWASP ruleset path with the default path causing chaos on the server.
My solution was to make it immutable with sudo chattr +i /usr/local/apache/conf.d/mod_security.conf
but then the user MUST remember to remove this flag for any future update/edit.
I hope this helps.
Feel free to let me know if I missed something or share this with AlphaGNU and Starburst.
-
1) the CWP admin dashboard "Global Disabled Rules" file is NOT the same with the one that our customized mod_security is currently using.
No edit on that file will work. The user has to add/remove rules on the new global_disabled.conf under the newly created folder.
My solution to that was to also strictly enumerate the file the GUI calls for in /usr/local/apache/modsecurity-owasp-old/owasp.conf:
Include /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
-
You should have any customized .conf for OWASP in one of their respective folders, so there is a very low chance of them being overwritten:
/usr/local/apache/modsecurity-rules/custom-rules/startup/*.conf
/usr/local/apache/modsecurity-rules/custom-rules/before/*.conf
/usr/local/apache/modsecurity-rules/custom-rules/after/*.conf
-
Someone has to include 2 very critical details on these guides:
1) the CWP admin dashboard "Global Disabled Rules" file is NOT the same with the one that our customized mod_security is currently using.
No edit on that file will work. The user has to add/remove rules on the new global_disabled.conf under the newly created folder.
--------------------------------------------------------------------------
I hope this helps.
Hi,
for me the file global_disabled_rules.conf is in the folder:
usr/local/apache/modsecurity-rules/custom-rules/before
and it also doesn't work?
-
If you're calling it with an "Include" line as with Starburst's configuration, it will be utilized by Mod Security. But the GUI in CWP will be editing a different file:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
So you may want to Include that one specifically/additionally as well.
-
If you're calling it with an "Include" line as with Starburst's configuration, it will be utilized by Mod Security. But the GUI in CWP will be editing a different file:
/usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
So you may want to Include that one specifically/additionally as well.
I didn't understand it... "Include" - in which file?
-
The main conf file.
Usually - /usr/local/apache/conf.d/mod_security.conf
This will have the .conf that contains all the paths - /usr/local/apache/modsecurity-rules/modsec.conf
But the .conf can be called anything.
In that .conf file it will have the Includes, below is just an Example.
Include /usr/local/apache/modsecurity-rules/custom-rules/startup/*.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-1.23.4/crs-setup.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/before/*.conf
Include /usr/local/apache/modsecurity-rules/owasp-crs/coreruleset-1.23.4/rules/*.conf
Include /usr/local/apache/modsecurity-rules/custom-rules/after/*.conf
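
Added example (not part of the original post, and not CWP's or Starburst's own tooling): a shell check for the Include chain described above and for the overwritten mod_security.conf reported earlier in the thread. The function names and sample files are constructed for illustration; the paths follow the layout quoted in the posts.

```bash
#!/usr/bin/env bash
# Added example, not CWP or Starburst tooling. Function names are hypothetical.

# Print the path of every active (uncommented) Include line, in load order.
list_includes() {
    awk '$1 ~ /^Include(Optional)?$/ { print $2 }' "$1"
}

# check_crs_chain <chain-conf> <expected-version>
# 0 = ok, 1 = crs-setup.conf or rules/*.conf not included,
# 2 = wrong or mixed coreruleset version, 3 = rules loaded before crs-setup.conf
check_crs_chain() {
    local conf=$1 want=$2 setup_n rules_n versions
    setup_n=$(list_includes "$conf" | grep -n '/crs-setup\.conf$' | head -n1 | cut -d: -f1)
    rules_n=$(list_includes "$conf" | grep -n '/rules/\*\.conf$' | head -n1 | cut -d: -f1)
    [ -n "$setup_n" ] && [ -n "$rules_n" ] || return 1
    versions=$(list_includes "$conf" | grep -o 'coreruleset-[0-9.]*' | sort -u)
    [ "$versions" = "coreruleset-$want" ] || return 2
    [ "$setup_n" -lt "$rules_n" ] || return 3
}

# includes_path <conf> <exact-path>: is this exact file named on an Include line?
# Use it to detect an overwritten main conf, or to confirm whether the GUI-edited
# global_disabled_rules.conf is part of the chain.
includes_path() {
    list_includes "$1" | grep -Fxq -- "$2"
}

# Constructed sample using the directory layout quoted in the thread.
write_sample_chain() {   # <file> <crs-setup version> <rules version>
    local r=/usr/local/apache/modsecurity-rules
    printf 'Include %s\n' \
        "$r/custom-rules/startup/*.conf" \
        "$r/owasp-crs/coreruleset-$2/crs-setup.conf" \
        "$r/custom-rules/before/*.conf" \
        "$r/owasp-crs/coreruleset-$3/rules/*.conf" \
        "$r/custom-rules/after/*.conf" > "$1"
}

tmp=$(mktemp -d)
write_sample_chain "$tmp/modsec.conf" 4.15.0 4.15.0
check_crs_chain "$tmp/modsec.conf" 4.15.0 && echo "chain ok for 4.15.0"
# A half-finished upgrade: crs-setup.conf bumped, rules still on 4.12.0.
write_sample_chain "$tmp/stale.conf" 4.15.0 4.12.0
check_crs_chain "$tmp/stale.conf" 4.15.0 || echo "stale chain, rc=$?"
```

On a live server the first argument would be the file that holds the Include lines, and `includes_path` can be run from cron against /usr/local/apache/conf.d/mod_security.conf to notice when it has been reset to the default path.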
-
Hi, Overseer
My solution to that was to also strictly enumerate the file the GUI calls for in /usr/local/apache/modsecurity-owasp-old/owasp.conf:
Include /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf
How are you achieving this?
Thank you
-
Hi, Starburst
You should have any customized .conf for OWASP in one of their respective folders, so there is a very low chance of them being overwritten:
/usr/local/apache/modsecurity-rules/custom-rules/startup/*.conf
/usr/local/apache/modsecurity-rules/custom-rules/before/*.conf
/usr/local/apache/modsecurity-rules/custom-rules/after/*.conf
Of course I have those files under the /custom/ path however I'm referring to the "Include" file path inside the mod_security.conf file which points to the new OWASP ruleset.
This is the file that is getting overwritten by the CWP security daemon.
/usr/local/apache/conf.d/mod_security.conf
I hope this helps.
-
Mod_Security should not overwrite anything, it only does that when you change a setting like ModSec Rules Profile or Rules Engine.
When using the new OWASP CRS database, you can't really use the GUI anymore.
But once you have everything setup, it won't change.
There are articles on how to update your ModSecurity first before updating to the latest OWASP CRS ruleset.
These can be found at:
https://starburst.help/category/control-web-panel-cwp/modsecurity-running-with-control-web-panel/
-
Mod_Security should not overwrite anything, it only does that when you change a setting like ModSec Rules Profile or Rules Engine.
It is not mod_security
I mentioned before, it is the CWP Security Daemon that is checking the integrity of the files and overwrites known system files that have unknown edits.
My host (InMotion Hosting) confirmed that to me. Maybe it's their custom security module. I don't know.
The only thing I know is that on a regular basis, my mod_security.conf file would get overwritten with the default "Include:" path creating a chaos on my websites.
I hope this helps.
-
Mod_Security should not overwrite anything, it only does that when you change a setting like ModSec Rules Profile or Rules Engine.
It is not mod_security
I mentioned before, it is the CWP Security Daemon that is checking the integrity of the files and overwrites known system files that have unknown edits.
My host (InMotion Hosting) confirmed that to me. Maybe it's their custom security module. I don't know.
The only thing I know is that on a regular basis, my mod_security.conf file would get overwritten with the default "Include:" path creating a chaos on my websites.
I hope this helps.
Yea, CWP doesn't do that... It doesn't even have a 'security daemon'. The only things CWP does automatically are SSL generation/renewals and updates to the control panel itself.
So the info from InMotion is inaccurate, or it is their security module, which I would disable if it is causing problems.
Otherwise we would be having problems with all of our servers. And we are not, and others are not reporting that problem either.