cPanel LIVE! Get Started with ModSecurity featuring Adam Wien

Jason: Welcome to another broadcast of cPanel LIVE! I'm your host, Jason Nickerson. Today we're joined by Adam Wien, a cPanel product owner. Adam will be showing us how to get started with ModSecurity. He will be demoing a new user interface and features of ModSecurity 2, and the all-new experimental features of ModSecurity 3 in cPanel. We hope you enjoy today's broadcast. Stick around for the Q&A after Adam's demo for your chance to win a $100 Amazon gift card. And now, over to you, Adam.

Adam: Good afternoon, everyone. My name is Adam Wien and I'll be speaking about cPanel's current ModSecurity feature and where I see it going in the future. For those that don't know me, I'm the product owner for the EasyApache team, Team Zero Cool. If you'd like to contact me, you can reach me via email at adam@cpanel.net.

cPanel has recently introduced a revamped version of its ModSecurity integration, as well as an experimental version of ModSecurity 3. For those that aren't aware, ModSecurity is an open-source threat detection and threat prevention layer for Apache and NGINX web servers. It protects both your websites and web applications from malicious attacks. This is commonly known as a WAF, or web application firewall.

In the following tutorial I'll show you how to get started with ModSecurity on cPanel so you can protect your and your customers' websites. I'll be going over how to get started with our stable implementation of ModSecurity 2 and our experimental implementation of ModSecurity 3. The ModSecurity 3 portion will mainly be for our integrators wanting to get a head start on our production release of ModSecurity 3, coming sometime in the future. The date of that release is very much dependent on when the upstream developers of ModSecurity release a stable version of their Apache connector.

So to get started, we're going to do a quick demo of how to get started with ModSecurity 2 on a cPanel machine using Apache. The first thing we're going to do is log into WHM. In order to get up and running with a website we need to create an account, so we're going to go to the Create Account section of WHM. I have a domain already picked out for this demo. The password doesn't really matter; we're not going to log in to the cPanel account, we're going to remain in WHM. So we'll click Create.

Now that we have our account created, we want to quickly get up and running with a website. To do that, I'm going to set up a WordPress site using WordPress Toolkit. We'll come down to WordPress Toolkit, we'll install WordPress, I'm going to choose "wordpress" as my path for installation, and click Install. Okay, great. Now that that installation is complete, our website should be up and running. Perfect.

Okay, so the next thing we're going to do is launch a malicious attack against that WordPress site. To do that, we're going to come over to our terminal. I'm going to use the curl command to make what's called a path traversal attack towards this WordPress installation I've just created. This won't work on WordPress, but if you have some bad PHP code on your server, this could work if you don't have any protection in place. But this isn't an attack that will work on WordPress; I'm just using it as an example. So we'll launch our attack, and as you can see the web server returned a 301 return code. This is actually coming from the application; this is not coming from the server. So this malicious code actually made it to the WordPress application. Of course it didn't work, but it still made it through.

So to protect against this, we're going to install a ModSecurity rule set to help prevent attacks such as these. To do that we're going to come over to EasyApache 4. I'm currently running in the default profile. A lot of our customers start with the default profile and customize from there; it's a good place to start if you're just getting started with cPanel and Apache. So I'm going to customize my profile, I'm going to come down here to Additional Packages, and here we see "ModSec 2 Rules OWASP". You might be wondering what this is. OWASP stands for Open Web Application Security Project. This is an open-source project that builds and curates rule sets for use with Apache and NGINX web servers. Again, this is community curated; this is not something cPanel creates, it's just something we distribute to our customers to give them a good starting point to work with ModSecurity. So to install that, we'll just tick this box right here, click Next, and we'll click Provision. Now EasyApache 4 is doing what you'd expect: it's inspecting what's about to be installed, it's working out all the dependencies, ensuring there are no conflicts, and it will install our ModSecurity rule set. Okay, now that that's complete we can click Done.

So that's it. This server is up and running with ModSecurity; it has that rule set running. So what I'm going to do is go back to my terminal and rerun that attack code. We're going to come over to the terminal, we're going to find our curl command, and as you can see, rather than a 301 we got a 403 Forbidden. This is not coming from the WordPress application; this is actually coming from the Apache server. So it doesn't even make it down to the WordPress application. This is the server inspecting that request, seeing that it's malicious, and blocking it at the server level.

So let's say you install ModSecurity 2 on your server, and one of your customers who has an existing application finds that application suddenly stops working: ModSecurity is causing an issue for this customer. So if ModSecurity is generating what's called a false positive, cPanel has a way of dealing with that. We can come down to the ModSecurity Tools section, and right here we have a Hit List. Having done this demo a couple of times, I know that this path traversal rule and this inbound anomaly score rule are what is actually being triggered by my request. So to mitigate that false positive and get your customer back up and running, all you have to do is click on the rule, uncheck Enable Rule, save that change, and we'll deploy and restart Apache. Come back to our Hit List, and we'll mark the anomaly score as a bad rule as well, click Save, and we can deploy and restart. Just for the sake of showing you what's going on, I've sorted these rules now by status, and as you can see these two rules are disabled.

So now I'm going to go back to my terminal and rerun my attack. As you can see, that did not work correctly. Sorry, we had a small problem with PHP-FPM there; I think I just triggered the Apache restart too fast. As you can see, we're back to that 301, so that request is actually getting down to the server now, and it's allowing that to go through. We probably shouldn't leave it that way, because we don't want those attacks to make it through. So we'll come back to our ModSecurity Tools, we can come to our Rule List, we will enable this rule, deploy and restart, and we'll enable this rule, deploy and restart. All right, let's tab back into our terminal, we run our curl command, and we're back to being protected.

So that's really a primer on how to get started with our stable implementation of ModSecurity 2. As you can see, it's super easy to get up and running with. Now we're going to talk a little bit about ModSecurity 3.

To get started with ModSecurity 3 you'll need to enable the EasyApache 4 experimental repository. Luckily we're in our terminal already; this is not something you can do from the UI. Our experimental repository is really for those customers that want to see what's coming, or things that they don't want to use in production but they'd like to get a head start on testing with. So while we don't suggest that you use this in production, try and use this on a non-production machine and provide us feedback. We always love to hear from our customers and get the type of feedback that makes our product great. So to get started, I'm going to install ea4-experimental.

Okay, so once the experimental repository is installed, you'll have access to new packages in EasyApache 4. So we'll come over to EasyApache, and I'll come down here and customize our default profile again. Okay, now when we come to Additional Packages, we'll see things like ModSecurity 3.0 with the corresponding web server connectors and the OWASP rule sets. So what we're going to do is install the ModSecurity 3 OWASP rule set, and as you can see, this conflicts with ModSecurity 2. You can't have ModSecurity 2 and ModSecurity 3 running at the same time. So yes, I want to continue, I want to install the Apache connector, and then I'm going to click Next. Okay, now you'll see that ModSecurity 2 and its rule sets will be uninstalled and ModSecurity 3 will be installed, and then we'll provision. And that's it: we're now upgraded to ModSecurity 3.

So we're going to come over to our ModSecurity Vendors section, we're going to enable that vendor we just installed and enable all the rule sets. We also want to enable the ability to receive updates. What this means is that whenever there is an update to the OWASP rule sets distributed by OWASP, we will distribute that update to you. This works for both ModSecurity 2 and ModSecurity 3. I didn't really go over it during the ModSecurity 2 portion because those things are automatically set to on when you install the ModSecurity 2 OWASP rule set.

So we're going to come back to our terminal again and run our attack again. Now you'll see that instead of a 301 or a 403 Forbidden, we're now receiving a 406 Not Acceptable. This is one of the changes that came with ModSecurity 3: rather than using a 403 Forbidden, they're now just returning 406 Not Acceptable. Not a big change, but I think we have it documented as part of our documentation.

So let's say we're receiving a false positive again. We're going to go through that workflow, we're going to come back to our ModSecurity Tools section, and as you can see our Hit List is actually empty. This is one of the things that's actually going to come along with our production release of ModSecurity 3 that hasn't quite been implemented. Like I said, the experimental implementations aren't perfect, but don't worry, when it comes to production it will be what you expect from cPanel. So we're going to come back to our terminal. While the Hit List doesn't work, you can view the hits in the actual Apache error log. To do that we'll look at the Apache error log, and as you can see here are our triggered rules, and you can see my request and that I'm trying to do the path traversal attack. I can still disable these rules; it's just not as easy. So I'm just going to run you through that.

We go to our ModSecurity Tools section, then we'll go to our Rule List, and I know, because I've done this already, that we are triggering on this rule, 920430. We're going to disable that rule, we're going to deploy and restart. And I know we're also triggering on this rule, so we're going to disable all rules that match that search term, and we're going to deploy and restart. Okay, so we're going to come back to our terminal. I'm going to zero out our error log, just so we're not confused by the previous hits. To do that I'm going to copy /dev/null to my error log; this will just zero out the error log so there's nothing in there. So I'll relaunch my attack, and as you can see we received a 406 again. So let's go look at our log file, and as you can see the log file is empty. So in our exploration of using this alpha version of the ModSecurity 3 Apache connector, when you actually disable a rule, it doesn't actually disable the rule; it really only disables the logging. So as you can see, this is not something we want to give to our customers; it is still very much in an alpha state. But we really wanted to get this into people's hands quickly so they could start giving us feedback.

So that's really the primer to using ModSecurity 2 and ModSecurity 3 on cPanel. We're going to be doing a short Q&A after this, so I look forward to taking your questions.

Jason: Oh, thanks so much, Adam. That was really informative, and it's always great to see some new and exciting features that we can play with in cPanel and WHM.

Adam: Yeah, this kind of revamp, changing the rules distribution to RPMs while implementing ModSecurity 3, was really a great upgrade to cPanel.

Jason: Yeah, it looks like it. I can't wait to dig in and play around with that. So, welcome everybody to the question and answer portion of our talk today. We do have a chance to win a $100 Amazon gift card. If you want to fill out our survey and give us some more information about how you might want to use ModSecurity and some information about how you use cPanel, you can visit go.cpanel.net/cpanel-live-modsecurity. We'll paste that into the chat so you can click on it; it is kind of long, and it is case sensitive. You'll have until next week Friday to fill that out, so please take the time to give us your feedback.

If you'd like to ask Adam some questions, we're going to start the Q&A session now. Adam, I do have a couple of questions. We went over a little bit about what ModSecurity is and how it works, but what type of security threats does ModSecurity stop?

Adam: So ModSecurity will protect you against a lot of web attacks. Like my example, path traversal attacks, really simple stuff like that, real basic stuff. But any attacks targeting your websites, ModSecurity can probably protect you from, unfiltered.

Jason: Fantastic. And you used WordPress as an example, and I know that WordPress has really become the number one content management system out there right now. We've been doing a lot with WordPress and introducing new features and new parts of cPanel that embrace the community of WordPress and the actual product. So since ModSecurity is at the server level, are there any plugins or any suggestions you have for somebody that has a WordPress site and wants to really lock down their security?

Adam: So the way I like to describe it is, computer security is based on layers, right? In this talk we really talked about ModSecurity and the Apache server layer. But my suggestion for your WordPress plugins, as everybody knows, is keep those plugins up to date. I know things like WordPress Toolkit really help you with that; they automatically update those plugins. So WordPress Toolkit has those security features built into it.

Jason: Fantastic. And I guess my final question for you, before we move into the people that are lining up here to chat with you, is: ModSecurity 3 is an experimental release right now within cPanel and WHM. How would a user go about testing it, and who should they contact if they want to learn a little more, or if they encounter an issue or maybe have a feature request?

Adam: So we released it this way so we could get that community feedback. We want users or customers to try it and let us know. If you'd like, you can reach me directly; my email is, and has been for the past 20 years, adam@cpanel.net. So don't be afraid to reach out.

Jason: Fantastic. All right, let's get our first question here. This question is: so basically, is the difference between ModSecurity 3 and ModSecurity 2 only that ModSecurity 3 is RPM based?

Adam: No. So this is the big change we made to ModSecurity 2 in version 92: the OWASP rules distribution is now RPM based in both ModSecurity 2 and ModSecurity 3.

Jason: Great. And another question here from the same user is: how is ModSecurity 3 versus tools like Imunify360 from CloudLinux?

Adam: So, as far as I'm aware, CloudLinux tools have a rule set for ModSecurity. Right now they deploy with ModSecurity 2, and the reason we released this as an experimental release is so integrators like CloudLinux could start getting the rule sets ready for ModSecurity 3. So it's my expectation that when ModSecurity 3 and 3.1 are production ready, CloudLinux and Imunify360 and products like that will support it.

Jason: All right. Okay, well, it looks like we had a little problem today with Facebook. I know that we've had to share the YouTube video. Keeping up to date with all the stuff that's going on with the social networks is sometimes confusing, so it's hit or miss on this. So today we do have Twitch and we have YouTube that are streaming, and we are doing the stream to Facebook via YouTube. So I'm not sure if I'm actually seeing any of the questions that are coming across from Facebook. I'm right now speaking to the team to see if we can get this resolved and get a few more questions in here. If you do have any questions for us, I would honestly suggest Twitch would be the best place to find us, and that's twitch.tv/cpaneltv, as well as cPanel TV on YouTube.

And I guess I have another question for you while we wait for the questions to fill up here. When do we expect ModSecurity 3 to be updated and stable inside of the product?

Adam: So that's really out of our control. We're really waiting for the upstream ModSecurity 3 to become stable. The last I talked to them, they expected a beta release early in 2021, so I'm hoping that sometime in 2021 we'll see a stable release, and once we see a stable release then we'll evaluate ModSecurity 3 for mass deployment for our customers.

Jason: Great, fantastic. So we have a question here from Chris Hemmings: does this implementation of ModSecurity version 3 work with red two, and so that temporary files can be written, specifically so as to track and block brute-force login attempts by IP within a certain time frame?

Adam: That is a great question. I know this is a bug in ModSecurity 2. Honestly, I don't know if we have tested that, but if you can email me off list, or off chat, I'll see if I can track that down for you.

Jason: That is a great question, and I want to take a moment here to remind everybody that we do have a survey that we're running right now where you can enter for a chance to win a $100 Amazon gift card. You should be able to see the link in the chats. Also, if you don't see the link, you can go to go.cpanel.net/cpanel-live-modsecurity; it is case sensitive, but you can see that right here on the bottom of your screen right now. I'll give you a moment to pull that up. It is for a chance at a $100 Amazon gift card, and this will help us to know how you're using ModSecurity and if there's anything that we might do a little better, or help you with in your ModSecurity implementations.

All right, we have another question coming from YouTube: how can I tell if I have the ModSecurity 2 rules installed via RPM rather than the old way, through the vendors page in WHM?

Adam: So that's also a great question. You're going to have to see if the RPM is installed, basically. This is not something we did automatically, but for version 92 we added a Feature Showcase entry, so when you logged into WHM it would tell you the steps you had to take to install it. We've gotten a pretty good uptake in people actually converting to using the RPM-based distribution, but we're waiting for the next LTS to release before we evaluate how many customers have moved over themselves, rather than us doing it automatically for them. The reason we didn't automatically install these is because we were afraid it was going to be such a big change in the rule sets that it might break customers, so we didn't want to take that risk. So our initial plan was to inform customers on how to switch to the RPM-based rules distribution and then re-evaluate once our next LTS comes out.

Jason: Fantastic. All right, we are waiting for a few more questions. I think we've had some really good questions so far, and just not a lot, because I think you did a great job, Adam, of explaining everything. That was really thorough. I really enjoyed that, seeing what's upcoming in ModSecurity 3. I'm really excited about it too.

Adam: ModSecurity 3 is a complete rewrite of ModSecurity 2. In talking with their developers, 3.1 is currently being developed as well, and we're also planning on working on 3.1 once that becomes stable. So we're going to keep along with upstream and try to get those new versions of software to users as quickly as possible.

Jason: Great. Okay, we have another question here: when is the next LTS coming?

Adam: That's a great question. I'm not really sure when that's happening. You know, we go through this process with our release tiers: we ensure that the product is good enough, and, for all you gamers out there, is "gold", so we can give it to a large amount of our customers. But from past releases, probably February, March, somewhere around there. I hope that answered your question out there.

Jason: We're going to leave it open here for another minute or two if you have any last questions before we close down the webinar. And so, Adam, what are you most excited about right now in what you're doing?

Adam: So the recent addition of Ubuntu, and working towards supporting a Debian, or I'm sorry, an Ubuntu-based operating system, is really kind of exciting to me. I was around cPanel back when we used to support a lot of operating systems like FreeBSD, and I don't know if anybody remembers us supporting Chaos, but we were supporting Chaos for a minute, and then we got away from that and supported mainly CentOS. So I'm excited to see what comes out of supporting these more modern operating systems like Ubuntu.

Jason: Fantastic, that's good to know. And we have a question from Ryan here: thanks, and to follow up, what might be an example of the difference between the RPM ModSecurity 2 rules and the non-RPM ModSecurity 2 rules?

Adam: Okay, so with the non-RPM-based rules we allowed third-party integrators to use this fancy YAML file so they could implement their own rule sets, so third parties could easily integrate with cPanel. We found that to be a little difficult to work with, at least for cPanel distributing the OWASP rule sets. The difference is that with the RPM-based rule sets you will get much quicker updates. It's part of the regular EasyApache 4 releases, so we will push rule set updates more frequently.

Jason: Great. Tabby has a follow-up here: which version is that going to be for the LTS that you were just speaking about?

Adam: That will be version 94.

Jason: And we have another question here: can you talk a little more about adding support for Ubuntu?

Adam: So that's a little out of scope for this, but we're at the beginning of this journey. We've made a little bit of progress, and things actually look pretty exciting from this side. I'm excited to see what customers think and what our adoption looks like.

Jason: Fantastic. Well, I think that's a good point for us to stop here before we get into what's coming in the future, and maybe that's for another cPanel LIVE coming up. I want to thank everybody for joining us for another cPanel LIVE. This recording is going to be available after this on Facebook, YouTube, cPanel LIVE, and on Twitch. Don't forget to follow us on all the social networks, and register today for our next cPanel LIVE. Our next broadcast is going to be February 25th at 2 p.m. CST and will feature product owner TJ Dan Cliffs talking about WordPress Toolkit Deluxe version 5.4. Again, thank you, and we look forward to seeing you next time.
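Two points in the demo above deserve a worked example: the ModSecurity 3 walkthrough, where the WHM Hit List is empty and Adam reads the triggered rules out of the Apache error log, and the false-positive workflow, where a rule is disabled globally through the Rule List. The script below is an added example written for this page; it is not cPanel's code and not part of the OWASP Core Rule Set. It rebuilds a hit list from error-log text by parsing the bracketed `[key "value"]` tokens that both ModSecurity 2 and ModSecurity 3 append to each match, tallies which rule IDs fired per URI, and drafts exclusions. Instead of only emitting a global `SecRuleRemoveById`, it can also emit a `ctl:ruleRemoveById` rule scoped to a URI prefix, so one customer's false positive does not switch the rule off for every site on the server. The log lines are constructed samples that mimic the real format: rule 920430 is the one from the demo, 930100 and 949110 are CRS 3.x rule IDs used here as assumed sample data, and the client address, hostname, file paths, unique IDs and the `10000` exclusion-rule ID range are all made up.

```python
"""Rebuild a ModSecurity hit list from Apache error-log text and draft rule exclusions.

Added example for this page; not cPanel's code and not part of the OWASP CRS.
"""
import re
from collections import Counter

# Constructed sample of Apache error-log lines. ModSecurity 2 and 3 both append
# bracketed [key "value"] tokens (file, line, id, msg, data, severity, hostname,
# uri, ...), so one parser serves both. 920430 is the rule from the demo; 930100
# and 949110 are CRS 3.x rule IDs used as assumed sample data. Client address,
# hostname, paths and unique_ids are made up; the first line is PHP-FPM noise.
SAMPLE_ERROR_LOG = r'''
[Fri Jan 15 10:01:02.123456 2021] [proxy_fcgi:error] [pid 4320] [client 203.0.113.5:51230] AH01071: Got error 'PHP message: PHP Notice: Undefined index: page'
[Fri Jan 15 10:01:05.000001 2021] [:error] [pid 4321] [client 203.0.113.5:51234] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^|[\\/])\.\.(?:[\\/]|$)' against variable `ARGS:file' (Value: `../../../../etc/passwd' ) [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "83"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:file: ../../../../etc/passwd"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [hostname "example.test"] [uri "/index.php"] [unique_id "constructed-1"]
[Fri Jan 15 10:01:05.000002 2021] [:error] [pid 4321] [client 203.0.113.5:51234] ModSecurity: Access denied with code 406 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [hostname "example.test"] [uri "/index.php"] [unique_id "constructed-1"]
[Fri Jan 15 10:02:11.000001 2021] [:error] [pid 4322] [client 203.0.113.5:51240] ModSecurity: Warning. Matched "Operator `Within' with parameter `HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0' against variable `REQUEST_PROTOCOL' (Value: `HTTP/0.9' ) [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "500"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "Matched Data: \"HTTP/0.9\" found within REQUEST_PROTOCOL"] [severity "3"] [ver "OWASP_CRS/3.3.0"] [hostname "example.test"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed-2"]
[Fri Jan 15 10:02:11.000002 2021] [:error] [pid 4322] [client 203.0.113.5:51240] ModSecurity: Access denied with code 406 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [hostname "example.test"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed-2"]
'''

TOKEN_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"], value may contain \"
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
DENIED_RE = re.compile(r'Access denied with code (\d+)')

# CRS rules that only evaluate the accumulated anomaly score (assumed IDs for CRS 3.x).
# They show up in every blocked request; removing them disables blocking entirely,
# so exclusions should target the rule that scored the request, not these.
ANOMALY_EVAL_RULES = {'949110', '959100', '980130'}


def parse_modsec_hits(log_text):
    """Return one dict per ModSecurity rule match found in error-log text."""
    hits = []
    for line in log_text.splitlines():
        if 'ModSecurity:' not in line:
            continue  # unrelated Apache / PHP-FPM lines
        fields = {k: v.replace('\\"', '"') for k, v in TOKEN_RE.findall(line)}
        if 'id' not in fields:
            continue  # e.g. engine banners carry no rule id
        client = CLIENT_RE.search(line)
        denied = DENIED_RE.search(line)
        hits.append({
            'id': fields['id'],
            'msg': fields.get('msg', ''),
            'uri': fields.get('uri', ''),
            'hostname': fields.get('hostname', ''),
            'data': fields.get('data', ''),
            # Apache logs "ip:port"; assumes IPv4, so the port follows the last colon
            'client': client.group(1).rsplit(':', 1)[0] if client else '',
            # status code only when ModSecurity actually blocked (403 on v2, 406 on v3)
            'status': int(denied.group(1)) if denied else None,
        })
    return hits


def tally_rule_ids(hits):
    """Count how often each rule id fired: the hit list the WHM UI would show."""
    return Counter(h['id'] for h in hits)


def rules_to_exclude(hits, uri_prefix=''):
    """Rule ids that scored requests under uri_prefix, minus the evaluation rules."""
    ids = {h['id'] for h in hits if h['uri'].startswith(uri_prefix)}
    return sorted(ids - ANOMALY_EVAL_RULES)


def exclusion_directives(hits, uri_prefix='', start_id=10000):
    """Draft ModSecurity config: a global SecRuleRemoveById when no prefix is given,
    otherwise a phase-1 rule that removes the id only for requests under the prefix.
    start_id is an assumed free id range for local rules."""
    ids = rules_to_exclude(hits, uri_prefix)
    if not uri_prefix:
        return [f'SecRuleRemoveById {rid}' for rid in ids]
    return [f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
            f'"id:{start_id + n},phase:1,pass,nolog,ctl:ruleRemoveById={rid}"'
            for n, rid in enumerate(ids)]


if __name__ == '__main__':
    found = parse_modsec_hits(SAMPLE_ERROR_LOG)
    for rid, n in tally_rule_ids(found).most_common():
        msg = next(h['msg'] for h in found if h['id'] == rid)
        print(f'{rid}  x{n}  {msg}')
    print('\n'.join(exclusion_directives(found, '/wp-admin/')))
```

To use it on a real server, pass the contents of your Apache error log to `parse_modsec_hits` and inspect the tally before writing any exclusion: the anomaly-score rule will always be at the top of the list for blocked requests, and the rule worth excluding is the one that added the score. Whichever directive you deploy, repeat the check Adam does in the demo, re-sending the same request and confirming that the response changes from the WAF's 403 or 406 to the application's own response; as the ModSecurity 3 walkthrough shows, an alpha connector may stop logging a rule without actually stopping it.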
