ModSecurity rules outdated

[rallisf1]

It struck to me how the OWASP ruleset was missing the wordpress/drupal/etc exclude rules and many users seem to be facing problems when using modesecurity in cyberpanel.

I looked through the code and discovered you self-host an old version of the rules (v3.0.2) for some reason instead of cloning the official repo which is in version 3.4.0 (https://github.com/coreruleset/coreruleset), and I suspect the same goes for the Comodo ruleset as well.

I just want to know what's the point in providing a 4 year old WAF system at all, rules from 2017 will do absolutely nothing at this point.

Also what's the deal with writing the rule filenames manually to the config file? Just scan the directory for conf files!

[usmannasir]

Is it possible for you to create a pull request and fix this or you want me to do it?

[rallisf1]

Ok now I understand why you had to self-host it. Comodo is a jerk (lol) and requires authentication to download rules, so it has to be done manually. I noticed how there is an API for litespeed in code, which apparently works for IIS too but not for nginx rules...

What I suggest is create a reminder for like every 6 months to check for new releases and
Replace https://cyberpanel.net/comodo.tar.gz with latest from https://waf.comodo.com
Replace https://cyberpanel.net/owasp.tar.gz with latest from https://coreruleset.org/installation/

For Comodo as per owasp-modsecurity/ModSecurity#1849 you should use the nginx/modsecurity_3 version, not the nginx version as proposed in https://forums.cyberpanel.net/discussion/4678/tutorial-how-to-manually-update-comodo-modsecurity-rules-for-cyberpanel/

After that update plogical/modSec.py with the new rule file names or better concentrate the filenames *.conf from the extracted archive.

This should also fix the issue with those having litespeed crash on latest update when using modsecurity and close https://feedback.cyberpanel.net/b/requests/p/modsecurity-rules-packages-auto-update-option.

Please make this v2.1.3 so everyone upgrades. Thanks.

P.S. I am not sure how rulesets are handled during upgrade, for this to work it should re-install the active ruleset, if any.

P.S.2. I would suggest creating a cyberpanel_modsec_rules repo and using that instead of cyberpanel.net for better management and so others can update the rules when you can't, but I'm not sure how happy Comodo would be about anyone uploading them on github, they treat them as a (free) product and distribution is against their TOS. You already distribute them through your server but still it's not as bad as github would be.

[usmannasir]

P.S.2. I would suggest creating a cyberpanel_modsec_rules repo and using that instead of cyberpanel.net for better management and so others can update the rules when you can't, but I'm not sure how happy Comodo would be about anyone uploading them on github, they treat them as a (free) product and distribution is against their TOS. You already distribute them through your server but still it's not as bad as github would be.

I didn't knew about this, so if that is the case I don't want to run into any trouble, so we better remove them?

However if you can maintain a rules repo feel free, I can edit the code to clones the updates rules from there always.

[rallisf1]

I didn't knew about this, so if that is the case I don't want to run into any trouble, so we better remove them?

I can't be sure, probably there won't be any trouble at all as there are no special terms for cwaf, it's just that it is a subscription based product that costs $0 and falls into their general product TOS. They do provide free Api for other free panels (DirectAdmin and Webmin), my suggestion is to reach out to them for a similar deal.

However if you can maintain a rules repo feel free, I can edit the code to clones the updates rules from there always.

Firstly I can't promise I'll maintain it, and secondly if you can't take that risk why should I? In an ideal scenario cyberpanel should be in an organization repo (e.g. cyberpanel/cyberpanel or cyberpersons/cyberpanel), so that we can better maintain such 3rd party packages (e.g. cyberpanel/modsec_comodo in this case) and also have the Organization account be responsible for any TOS/license violations.

[usmannasir]

I am not asking you to take any risk of-course. Whatever route we go now will go after contacting them as I personally don't want to violate any rules.

Even though someone may maintain the repo, it will be through our team via pull requests.

Since you are not up for it, I will see what I can do.

thanks.

[rallisf1]

Just to clarify: maintaining a repo and providing pull requests (aka code updates) are 2 different things. I'd be more than happy to provide pull requests.

Hopefully Comodo will provide you with an API for Cyberpanel and this issue will close there.