Which mod_security OWASP rules should i enable?

Discussion regarding Joomla! 3.x security issues.


Postby Jemar » Tue Jul 21, 2015 3:13 pm

Hello,

I have Joomla up and running on Ubuntu 14.04 with Apache 2.4.7 and Joomla 3.4.3. I've been following along with the checklist at https://docs.joomla.org/Security_Checkl ... d_security. I've now installed mod_security and discovered the OWASP rules. I see that there are Joomla-specific rules, which seem not to cause any problems. But I tried to enable some other rules (the SQL injection ruleset, for example) and it seemed to trigger a bunch of false positives in the Joomla admin panel. I tried to disable the offending rules within the enabled .conf, but there seem to be multiple conflicts and I'm not sure which rules are essential for security. Which rules from the ModSecurity Core Rule Set is it recommended I enable with Joomla 3.4?

Thank you.

Postby Bernard T » Tue Jul 21, 2015 8:58 pm

Hi Jemar,

The OWASP rules are the best free starting point, but as you've already experienced, they're generic and can cause side effects in many web apps, Joomla too.

Since I use the Atomicorp commercial ruleset I can't tell you right now which specific rules to enable or disable; I don't implement the OWASP ones directly. But I would surely like to help, since one of my plans is to contribute some of my own rules back to OWASP. We could also put up a list of rules on the Docs website when we have compiled it.

What's important to keep in mind is that mod_security is a resource-intensive process, and it would be ideal to keep the ruleset compact, with only the specific rules that cover the app in use and some important base rules.

For example, you can see that the existing Joomla-specific rules are almost 2 years old:
https://github.com/SpiderLabs/owasp-mod ... tacks.conf
so they are surely due for an update and rework.

So, to check which rules are causing you problems, please take a look at your Apache logs; you'll find the link that triggered the problem and the ID of the rule that fired on it. When you have some results, feel free to come back so we can work through them and adopt them if needed.
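Bernard's suggestion above (look in the Apache logs for the URL that tripped the rule and for the rule id) is the step everything else in this thread depends on. The script below is an added example, not code from this thread or from the CRS project: it parses the bracketed fields ModSecurity 2.x writes into the Apache error_log, aggregates the hits per rule id, and reports for each rule how often it fired, how often the request was actually denied, on which URIs, and from how many distinct clients. The log lines in it are constructed for the example; the file paths, rule ids and messages in them are illustrative, and on a real server you would feed it the contents of the error_log (the same "Message:" fields also appear in section H of the SecAuditLog).

```python
import re

# Constructed sample entries in the format ModSecurity 2.x writes to the Apache
# error_log (not taken from any real server; rule ids and messages are only
# illustrative). Each line is one rule hit; the same unique_id ties together
# hits belonging to one request.
SAMPLE_ERROR_LOG = r"""
[Tue May 02 10:54:01.100000 2017] [:error] [pid 2110] [client 203.0.113.5:51022] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:jform[articletext]: <p>Hello</p>"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/administrator/index.php"] [unique_id "WQhXxX8AAQEAAAyHpZMAAAAA"]
[Tue May 02 10:54:01.100500 2017] [:error] [pid 2110] [client 203.0.113.5:51022] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/administrator/index.php"] [unique_id "WQhXxX8AAQEAAAyHpZMAAAAA"]
[Tue May 02 10:55:00.000100 2017] [:error] [pid 2111] [client 127.0.0.1:40110] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "420"] [id "920280"] [msg "Request Missing a Host Header"] [severity "WARNING"] [hostname "www.example.test"] [uri "/"] [unique_id "WQhXxX8AAQEAAAyHpZMAAAAB"]
[Tue May 02 10:56:13.300000 2017] [:error] [pid 2112] [client 198.51.100.77:6001] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:searchword: <script>alert(1)</script>"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/index.php"] [unique_id "WQhXxX8AAQEAAAyHpZMAAAAC"]
"""

# Quoted fields look like [id "941100"]; the Apache client prefix is unquoted.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")


def parse_modsec_line(line):
    """Return the ModSecurity fields of one error_log line as a dict, or None.

    Quoted fields ([id ...], [msg ...], [uri ...], ...) are picked up
    generically (a repeated key such as [tag ...] keeps its last value).
    Lines that are not ModSecurity alerts are skipped.
    """
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    client = CLIENT_RE.search(line)
    addr = client.group(1) if client else "?"
    # Apache 2.4 logs host:port for IPv4 clients; drop the port.
    fields["client"] = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    fields["denied"] = "Access denied" in line
    return fields


def summarize(log_text):
    """Aggregate alerts per rule id: hit count, denials, distinct URIs and clients."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_modsec_line(line)
        if rec is None:
            continue
        entry = summary.setdefault(rec["id"], {
            "count": 0, "denied": 0, "uris": set(), "clients": set(),
            "msg": rec.get("msg", ""),
            "file": rec.get("file", "").rsplit("/", 1)[-1],
        })
        entry["count"] += 1
        entry["denied"] += int(rec["denied"])
        entry["uris"].add(rec.get("uri", "?"))
        entry["clients"].add(rec["client"])
    return summary


def top_rules(summary):
    """Rule ids sorted by hit count (highest first), ties broken by id."""
    return sorted(summary, key=lambda rid: (-summary[rid]["count"], rid))


def report(summary):
    """Render one block per rule: what fired, where, and from how many clients."""
    lines = []
    for rid in top_rules(summary):
        e = summary[rid]
        lines.append(f"{e['count']:>4} hits ({e['denied']} denied)  id {rid}  {e['file']}")
        lines.append(f"      msg: {e['msg']}")
        lines.append(f"      uris: {', '.join(sorted(e['uris']))}  clients: {len(e['clients'])}")
    return lines


if __name__ == "__main__":
    # On a real server: summarize(open("/var/log/apache2/error.log").read())
    print("\n".join(report(summarize(SAMPLE_ERROR_LOG))))
```

The two columns to read together are the URIs and the number of distinct clients. A rule that fires only on /administrator/ URIs from a handful of addresses is a tuning candidate; the same rule firing on public URIs from many clients is most likely doing its job. In the sample, 941100 shows both patterns, which is why a per-rule count alone is not enough to decide. Note also that in CRS 3 anomaly-scoring mode each matching rule logs only a Warning, and the separate 949110 line is the one that actually denied the request, so the rule to tune is the one that raised the score, not the one that reported it.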

Postby leolam » Tue Jul 28, 2015 3:44 pm

Security rules for mod_security: start reading here http://www.configserver.com/cp/cmc.html and follow the links to the Atomic rules http://www.atomicorp.com/wiki/index.php ... rity_Rules

Leo 8)

Postby reggaebkk » Tue May 02, 2017 10:54 am

Hi,
I've recently noticed that my ModSecurity was blocking quite a lot of traffic on my server across several Joomla websites.
This seems to be the only thread related to the issue of which rules should be disabled in the OWASP rulesets.
I don't really see a list of on/off recommendations in the replies provided, but what worries me more is that there don't seem to be many people having that issue and asking about it... What am I missing? Can anybody recommend the proper settings for the OWASP rules for Joomla websites?

Postby Steve_Moate » Wed May 03, 2017 3:15 am

I can't throw any light on your mod_security question, but if I understand your post correctly you are using Joomla version 3.4; if so, you may wish to consider a more recent version along with your other security steps.

Postby reggaebkk » Wed May 03, 2017 5:05 am

Actually not, I'm always keeping Joomla at its latest version.
I had 3 modsec rulesets installed, strangely 2 versions of OWASP and a COMODO one.
I have disabled 2 rulesets to keep only cPanel OWASP v3, then I disabled rule 981138, which was giving the most problems and was mentioned on a cPanel forum as giving problems with Joomla.
I also noticed that I was myself triggering rule 920280, so I disabled it because I consider my working environment clean...
It seems smoother now.
Can somebody tell me if this is a good enough setup?
Also, is disabling rule 920280 a security risk? (Actually modsec doesn't seem to be blocking much anymore... nearly zero warnings per hour with over 15 active Joomla websites on the server...)
#
# Missing/Empty Host Header
#
# -=[ Rule Logic ]=-
# These rules will first check to see if a Host header is present.
# The second check is to see if a Host header exists but is empty.
#
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "msg:'Request Missing a Host Header',severity:'WARNING',phase:request,rev:'2',ver:'OWASP_CRS/3.0.0',maturity:'9',accuracy:'9',t:none,pass,id:920280,\
    tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',\
    setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
    setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var},\
    skipAfter:END_HOST_CHECK"

Postby reggaebkk » Thu May 11, 2017 1:56 pm

Hi again,
I'm confused as to why this ticket and other related ones get so little attention, because it seems to me like a very critical subject, and very hard to see through.

Right now I'm fixing issues with ModSecurity, and it is clear that Joomla makes the gizmo jump left and right all the time.

I came across this list of exceptions (which is actually not exclusively intended for Joomla users, but I found that some rules triggered by Joomla were listed under other systems).

Maybe it will help some, but I ask here because I'd like to know what the most advanced of you think about it.

1- Will disabling some or all these rules be a big security risk?

2- Can disabling be avoided by some better tuning of the server? Any advice on that?

3- Are there other rules that deserve to be whitelisted?
For instance, I read in the cPanel forum that some Joomla users disabled rule 981138 to get their Joomla to work fully. I see that rule called up regularly as well, yet it's not in the list. I'm unsure if I should disable it because I don't even know if the user who triggered that rule could still see the website or not...


Now the list:
## Rules for the CWP ##
SecRuleRemoveById 910006
SecRuleRemoveById 950000
SecRuleRemoveById 950001
SecRuleRemoveById 950005
SecRuleRemoveById 950006
SecRuleRemoveById 950117
SecRuleRemoveById 950907
SecRuleRemoveById 958039
SecRuleRemoveById 958051
SecRuleRemoveById 958291
SecRuleRemoveById 959006
SecRuleRemoveById 959151
SecRuleRemoveById 960008
SecRuleRemoveById 960010
SecRuleRemoveById 960011
SecRuleRemoveById 960012
SecRuleRemoveById 960035
SecRuleRemoveById 960335
SecRuleRemoveById 960904
SecRuleRemoveById 960915
SecRuleRemoveById 970003
SecRuleRemoveById 970015
SecRuleRemoveById 970903
SecRuleRemoveById 973301
SecRuleRemoveById 973302
SecRuleRemoveById 973306
SecRuleRemoveById 973316
SecRuleRemoveById 973330
SecRuleRemoveById 973331
SecRuleRemoveById 973332
SecRuleRemoveById 973334
SecRuleRemoveById 973335
SecRuleRemoveById 973336
SecRuleRemoveById 973344
SecRuleRemoveById 973347
SecRuleRemoveById 981172
SecRuleRemoveById 981240
SecRuleRemoveById 981241
SecRuleRemoveById 981244
SecRuleRemoveById 981248
SecRuleRemoveById 981249
SecRuleRemoveById 981255
SecRuleRemoveById 981256
SecRuleRemoveById 981260
SecRuleRemoveById 981317
SecRuleRemoveById 981318
SecRuleRemoveById 981319
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
## Rules for the CWP ##
SecRuleRemoveById 960017
SecRuleRemoveById 960015
SecRuleRemoveById 960009
########################################
## Removed Rules for Joomla, WordPress and Drupal CMSs ##
########################################
## Joomla ##
SecRuleRemoveById 950120
SecRuleRemoveById 950901
SecRuleRemoveById 960024
SecRuleRemoveById 973300
SecRuleRemoveById 973304
SecRuleRemoveById 973333
SecRuleRemoveById 973338
SecRuleRemoveById 981173
SecRuleRemoveById 981245
SecRuleRemoveById 981257
## Wordpress ##
SecRuleRemoveById 950007
SecRuleRemoveById 950010
SecRuleRemoveById 950911
SecRuleRemoveById 958005
SecRuleRemoveById 958006
SecRuleRemoveById 958030
SecRuleRemoveById 958049
SecRuleRemoveById 958056
SecRuleRemoveById 958057
SecRuleRemoveById 959070
SecRuleRemoveById 959073
SecRuleRemoveById 960020
SecRuleRemoveById 973308
SecRuleRemoveById 973309
SecRuleRemoveById 973314
SecRuleRemoveById 973327
SecRuleRemoveById 959071
SecRuleRemoveById 959072
SecRuleRemoveById 981004
SecRuleRemoveById 981242
SecRuleRemoveById 981243
SecRuleRemoveById 981246
SecRuleRemoveById 981320
## Drupal ##
SecRuleRemoveById 981231
## Removed rules for the webftp_simple ##
SecRuleRemoveById 950109
SecRuleRemoveById 950922
SecRuleRemoveById 981000
## phpMyAdmin ##
SecRuleRemoveById 981205
SecRuleRemoveById 970901

Postby reggaebkk » Fri May 12, 2017 4:47 am

Additionally, I've had to whitelist the following rules because after I installed CXS, which has its own ruleset, all websites couldn't save articles anymore.
941100
949110
980130
941160
I don't see anywhere discussing these rules for Joomla; is whitelisting them a security risk?

Plus I'm getting ModSecurity hits at the first second of every 5 min, exactly like clockwork, with rule
920280
not sure if I should whitelist it; I have no clue what triggers it.

Another rule that may need to be discussed is rule
981138
it comes up pretty regularly and seems to be a false positive, but I'm not sure yet if it really prevents Joomla from working properly. That rule is also discussed here: https://forums.cpanel.net/threads/rule- ... st-2425031 but with no definite conclusion on the consequences for security when disabling it.

Postby changlee » Wed Feb 14, 2018 10:10 am

Hello,
I need to know the process in order to find WHICH rule to exclude. I found, e.g., from apache/modsecurity-owasp-old/global_disabled_rules.conf that

[id "973306"]

is causing Joomla NOT to save modules, and I receive a 404.

Is it safe to put

SecRuleRemoveById 973306

at apache/modsecurity-owasp-old/global_disabled_rules.conf?
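The exclusion list posted earlier in the thread and the global_disabled_rules.conf question just above both rely on SecRuleRemoveById, which switches a rule off for every request to every site on the server; the thread also mixes ids from CRS 2.x (973306, 981245, ...) and CRS 3.x (941100, 949110, ...), which are different rule sets, so a removal list written for one does not carry over to the other. A less blunt way to get the backend working is to scope the exclusion to the path, or the single form field, that produces the false positive, which is what the CRS project's own REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf template is for. The script below is an added example, not code from this thread or from the CRS project: given the rule ids seen in the log and the URIs they fired on (constructed input here, using ids mentioned in the thread), it sorts them into three buckets and emits path-scoped ctl: exclusions with ids from the range ModSecurity reserves for local rules. Two decisions in it deserve spelling out. 949110 is the CRS 3 rule that enforces the inbound anomaly threshold, so excluding it does not silence one false positive, it turns blocking off altogether. And a rule that also fires on public frontend URIs (an XSS rule matching a script tag in a search parameter, say) is evidence rather than noise, so at most one named argument is excluded for it. The /administrator/ prefix and the jform[articletext] field are assumptions for the example.

```python
# Constructed input (not from a real server): rule id -> set of request URIs
# on which it fired, as a triage of the Apache error_log would produce. The
# rule ids are ones mentioned in this thread; the URIs are illustrative.
OBSERVED = {
    "973306": {"/administrator/index.php"},                # backend only
    "981245": {"/administrator/index.php"},                # backend only
    "941100": {"/administrator/index.php", "/index.php"},  # backend and public frontend
    "920280": {"/"},                                       # public URI, no Host header
    "949110": {"/administrator/index.php", "/index.php"},  # CRS 3 blocking evaluation
}
# Assumptions for the example: Joomla's backend lives under /administrator/,
# and its article editor field legitimately carries HTML that XSS rules match.
TRUSTED_PREFIXES = ("/administrator/",)
NOISY_ARGS = {"941100": "ARGS:jform[articletext]"}

# CRS 3 REQUEST-949-BLOCKING-EVALUATION: the rule that enforces the inbound
# anomaly threshold. Excluding it disables blocking; it fixes no false positive.
CRS_BLOCKING_RULES = {"949110"}
LOCAL_ID_START = 10000  # ModSecurity reserves ids 1-99,999 for local rules


def classify(observed, trusted_prefixes, blocking_rules=CRS_BLOCKING_RULES):
    """Sort rule ids into (never, scope, investigate).

    never:       anomaly/blocking rules; removing them switches the WAF off
    scope:       fired only under trusted, authenticated paths -> path-scoped removal
    investigate: also fired on public URIs, so the hits may be real attacks; at most
                 one named argument gets excluded, never the whole rule
    """
    never, scope, investigate = [], [], []
    for rule_id in sorted(observed):
        if rule_id in blocking_rules:
            never.append(rule_id)
        elif all(uri.startswith(trusted_prefixes) for uri in observed[rule_id]):
            scope.append(rule_id)
        else:
            investigate.append(rule_id)
    return never, scope, investigate


def render_exclusions(scope, investigate, noisy_args, prefix, first_id=LOCAL_ID_START):
    """Emit directives for REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

    ctl: actions run in phase 1 and apply to the current transaction only, so
    every request outside `prefix` is still checked by the full rule set.
    """
    lines, next_id = [], first_id
    if scope:
        ctls = ",".join(f"ctl:ruleRemoveById={r}" for r in scope)
        lines += [f'SecRule REQUEST_URI "@beginsWith {prefix}" \\',
                  f'    "id:{next_id},phase:1,pass,nolog,{ctls}"']
        next_id += 1
    targeted = [(r, noisy_args[r]) for r in investigate if r in noisy_args]
    if targeted:
        ctls = ",".join(f"ctl:ruleRemoveTargetById={r};{arg}" for r, arg in targeted)
        lines += [f'SecRule REQUEST_URI "@beginsWith {prefix}" \\',
                  f'    "id:{next_id},phase:1,pass,nolog,{ctls}"']
    return lines


if __name__ == "__main__":
    never, scope, investigate = classify(OBSERVED, TRUSTED_PREFIXES)
    print("# never exclude:", ", ".join(never))
    print("# review manually:", ", ".join(r for r in investigate if r not in NOISY_ARGS))
    print("\n".join(render_exclusions(scope, investigate, NOISY_ARGS, TRUSTED_PREFIXES[0])))
```

Placement matters for both styles of exclusion. The SecRule lines emitted here go before the CRS includes, because a ctl: action at request time only affects rules that have not yet run. A SecRuleRemoveById or SecRuleUpdateTargetById, by contrast, is applied at configuration load time to rules already defined, so it must come after the include of the rule it modifies or it has nothing to act on; a file like global_disabled_rules.conf therefore only works if it is included after the CRS rule files.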
