Starting with version 1.6.2 stable, you can enable the OWASP and Comodo ModSecurity rule packs with one click.
Navigate to → https://<IP Address>:8090/firewall/modSecRulesPacks
Click the switch to turn on the OWASP rules. To verify that the rules are installed and actually being enforced, open:
http://example.com/?a=b AND 1=1
You should get a 403 Forbidden response, and the ModSecurity audit log should contain entries like these:
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: found within ARGS:a: b AND 1=1"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref "v8,9t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref ""]
Note which rule actually blocks the request: rule 942100 in REQUEST-942-APPLICATION-ATTACK-SQLI.conf only logs a warning and adds to the anomaly score, while rule 949110 in REQUEST-949-BLOCKING-EVALUATION.conf denies the request once TX:ANOMALY_SCORE reaches the threshold of 5. If you disable that file, attacks are still logged but you will no longer get the 403.
Once the OWASP or Comodo rules are enabled, you can also enable or disable individual rule files.
Automatic installation of the Comodo and OWASP rules is planned for a later release.
To add individual rules, you can navigate to: https://<IP Address>:8090/firewall/modSecRules
By default there is one rule defined:
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access' ,log,auditlog,deny"
To test this rule, append the following to the end of your site URL: ?abc=../../
You should get 403 Forbidden, which confirms that ModSecurity was installed successfully and is evaluating your custom rules.
You can add further rules to this file and save to apply changes.
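The two checks described on this page (the SQLi probe for the OWASP rules and the ../../ probe for the default custom rule) are easy to script, and the audit-log format they produce is easy to parse. The following is an added example, not CyberPanel's or ModSecurity's own code: the first part sends both probes plus a benign request and compares status codes, the second part parses ModSecurity error-log entries and reports, per transaction, which rules merely warned and which one issued the 403. The hostname, the injectable fetch callable and the expected 200 for the benign request are assumptions; the sample log lines are abridged from the excerpt above.

```python
"""Added example (not CyberPanel's or ModSecurity's own code).

Part 1: WAF smoke test with the probes from this page plus a benign request,
so that a server that blocks everything is not mistaken for a working WAF.
Part 2: parser for the 'ModSecurity: ... [key "value"] ...' log entries.
Assumptions: the hostname, the injectable ``fetch`` callable and the
expected 200 for the benign request.  SAMPLE_LOG is abridged from the
excerpt on the page (most [tag ...] fields dropped).
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from collections import defaultdict

# name -> (query parameters, expected status)
PROBES = {
    "sqli": ({"a": "b AND 1=1"}, 403),      # CRS 942100 scores, 949110 blocks
    "traversal": ({"abc": "../../"}, 403),  # default custom rule id 99999
    "benign": ({"q": "hello"}, 200),        # must NOT be blocked
}


def http_status(url, timeout=10):
    """GET url over the network and return the HTTP status code.
    urllib raises HTTPError for 4xx/5xx, so that is caught and converted."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def smoke_test(base_url, fetch=http_status):
    """Run every probe against base_url; return {name: (status, passed)}.
    ``fetch`` is injectable so the logic can be exercised offline."""
    results = {}
    for name, (params, expected) in PROBES.items():
        url = base_url.rstrip("/") + "/?" + urllib.parse.urlencode(params)
        status = fetch(url)
        results[name] = (status, status == expected)
    return results


# One entry is a fixed prefix followed by [key "value"] fields.
HEAD_RE = re.compile(r"ModSecurity: (Warning|Access denied with code (\d+))")
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_entry(line):
    """Return the entry's fields as a dict (plus 'action' and, for denials,
    'status'), or None if the line is not a ModSecurity entry."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    entry = dict(FIELD_RE.findall(line))
    entry["action"] = "warning" if head.group(1) == "Warning" else "deny"
    if head.group(2):
        entry["status"] = int(head.group(2))
    return entry


def summarise(lines):
    """Group entries by unique_id: which rule ids only warned, which one
    denied, and the anomaly score reported by the blocking/correlation rules."""
    txns = defaultdict(lambda: {"warned": [], "denied": None, "score": None})
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        txn = txns[entry.get("unique_id", "?")]
        if entry["action"] == "deny":
            txn["denied"] = entry.get("id")
        else:
            txn["warned"].append(entry.get("id"))
        m = re.search(r"Total (?:Inbound )?Score: (\d+)", entry.get("msg", ""))
        if m:
            txn["score"] = int(m.group(1))
    return dict(txns)


SAMPLE_LOG = [  # abridged from the page's excerpt
    '''ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: found within ARGS:a: b AND 1=1"] [severity "2"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"]''',
    '''ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"]''',
    '''ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection'"] [severity "0"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"]''',
]

if __name__ == "__main__":
    for txn_id, info in summarise(SAMPLE_LOG).items():
        print(txn_id, info)
    # Against a real site (network required): print(smoke_test("http://example.com"))
```

The benign probe is the part people forget: a misconfigured server that returns 403 for everything passes the two attack probes, and only the 200 on a harmless request tells the two apart. The parser reads the error-log form of the entries (what the page shows); if you point it at a serial audit log file, feed it the H-section lines, which carry the same `[key "value"]` layout.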
Once you open: https://<IP Address>:8090/firewall/modSecurity
you will see the ModSecurity settings page. There are seven options; let's discuss them.
ModSecurity Status
This is the only option controlled by the OpenLiteSpeed web server itself. Once you turn it off, nothing related to ModSecurity will work; it must be On for ModSecurity to function at all.
SecAuditEngine
ModSecurity can write a detailed record of each HTTP transaction to the audit log file; this option controls whether that extensive logging is on. ModSecurity accepts Off, On (log every transaction) and RelevantOnly (log only transactions whose response status matches SecAuditLogRelevantStatus). See the ModSecurity reference manual for details.
SecRuleEngine
Whether to process the rules you have defined in the rule files. If ModSecurity Status is turned off, this option has no effect. Besides On and Off, ModSecurity itself also accepts DetectionOnly, which evaluates the rules and logs matches without blocking; that mode is useful when first enabling a rule pack, so false positives can be found before real requests are denied.
SecDebugLogLevel
The verbosity of the debug log, from 0 (no debug logging) to 9 (everything). Levels above 3 are very verbose and slow the server down, so use them only while troubleshooting. See the ModSecurity reference manual for details.
SecAuditLogParts
If `SecAuditEngine` is turned on, this decides which parts of each HTTP transaction are written to the audit log file. The value is a string of part letters; A (the entry header) must come first and Z (the final boundary) last. For example, ABIJDEFHZ logs the request headers (B), request body (I), uploaded-file information (J), response body (E), response headers (F) and the audit trailer (H). See the ModSecurity reference manual for details.
SecAuditLogRelevantStatus
A regular expression matched against the HTTP response status code. When SecAuditEngine is set to RelevantOnly, only transactions whose status matches this expression are written to the audit log. A common value is "^(?:5|4(?!04))", which logs all 5xx and 4xx responses except 404. See the ModSecurity reference manual for details.
SecAuditLogType
How the audit log is written: Serial keeps all entries in a single file, while Concurrent writes one file per transaction under a directory tree, which scales better on busy servers and is what external log collectors expect. See the ModSecurity reference manual for details.
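The six directives above are easy to leave in a "works on the test box" state: DetectionOnly that never gets switched to On, SecAuditEngine On filling the disk, or a debug level of 9 left over from troubleshooting. The following is an added example, not CyberPanel's or ModSecurity's own code, that lints a ModSecurity configuration against production-safe values. The two configuration texts are constructed for the example; the directive names and their legal values are ModSecurity's own. The ModSecurity Status switch is a web-server setting, not a directive, so it is not covered here.

```python
"""Added example (not CyberPanel's or ModSecurity's own code): lint the
ModSecurity directives discussed above.  WEAK_CONF and HARDENED_CONF are
constructed for the example; directive names and legal values are
ModSecurity's own."""
import re

ENGINE_VALUES = {"On", "Off", "DetectionOnly"}
AUDIT_VALUES = {"On", "Off", "RelevantOnly"}
AUDIT_TYPES = {"Serial", "Concurrent"}
AUDIT_PARTS = set("ABCDEFGHIJKZ")   # parts defined for SecAuditLogParts
MAX_PROD_DEBUG = 3                  # higher levels are for troubleshooting only


def parse_directives(text):
    """Map 'Directive value' lines to {directive: value}; '#' comments and
    blank lines are ignored, surrounding quotes stripped, last one wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'(Sec\w+)\s+"?([^"]*)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def lint(conf):
    """Return [(directive, problem), ...]; an empty list means clean."""
    problems = []

    engine = conf.get("SecRuleEngine", "Off")       # ModSecurity default: Off
    if engine not in ENGINE_VALUES:
        problems.append(("SecRuleEngine", "unknown value %r" % engine))
    elif engine == "Off":
        problems.append(("SecRuleEngine", "rules are not evaluated at all"))
    elif engine == "DetectionOnly":
        problems.append(("SecRuleEngine", "matches are logged but never blocked; "
                         "fine while tuning a rule pack, not as the final state"))

    audit = conf.get("SecAuditEngine", "Off")       # ModSecurity default: Off
    if audit not in AUDIT_VALUES:
        problems.append(("SecAuditEngine", "unknown value %r" % audit))
    elif audit == "Off":
        problems.append(("SecAuditEngine", "no audit trail for blocked requests"))
    elif audit == "On":
        problems.append(("SecAuditEngine", "every transaction is logged; "
                         "use RelevantOnly with SecAuditLogRelevantStatus"))
    else:  # RelevantOnly needs a status regex to select what gets logged
        status_re = conf.get("SecAuditLogRelevantStatus")
        if not status_re:
            problems.append(("SecAuditLogRelevantStatus",
                             "required when SecAuditEngine is RelevantOnly"))
        else:
            try:
                re.compile(status_re)
            except re.error as e:
                problems.append(("SecAuditLogRelevantStatus", "invalid regex: %s" % e))

    parts = conf.get("SecAuditLogParts", "")
    if parts and (parts[0] != "A" or parts[-1] != "Z" or not set(parts) <= AUDIT_PARTS):
        problems.append(("SecAuditLogParts", "must start with A, end with Z and use "
                         "only the letters %s" % "".join(sorted(AUDIT_PARTS))))

    level = conf.get("SecDebugLogLevel", "0")
    if not level.isdigit() or not 0 <= int(level) <= 9:
        problems.append(("SecDebugLogLevel", "must be an integer from 0 to 9"))
    elif int(level) > MAX_PROD_DEBUG:
        problems.append(("SecDebugLogLevel", "level %s is a troubleshooting setting; "
                         "it slows the server and fills the disk" % level))

    if conf.get("SecAuditLogType", "Serial") not in AUDIT_TYPES:
        problems.append(("SecAuditLogType", "must be Serial or Concurrent"))

    return problems


WEAK_CONF = """
# constructed: "it works, ship it" settings left over from testing
SecRuleEngine DetectionOnly
SecAuditEngine On
SecDebugLogLevel 9
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
"""

HARDENED_CONF = """
# constructed: the same server, production-safe
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecDebugLogLevel 0
SecAuditLogType Serial
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(parse_directives(text)) or "clean")
```

Run it against the file CyberPanel writes these directives to and fix anything it reports before exposing the server; the DetectionOnly finding in particular is intended as a reminder to flip the engine to On once the false positives from a new rule pack have been tuned away.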
By default ModSecurity is not installed. The first time you try to configure it, CyberPanel prompts you to install it.
Open → https://<IP Address>:8090/firewall/modSecurity
Click 'Install Now' to start the installation. When it finishes successfully, the page refreshes and lets you configure the ModSecurity settings described above.
Securing SSH is one of the most important tasks of a system administrator. CyberPanel lets you change the SSH port, disable root login, and store your SSH public keys.
Server > Security > Secure SSH
On this page you can control two settings (the SSH port and whether root may log in) and add SSH keys:
To add your SSH key, first generate a public/private key pair on your local machine:
cd ~/.ssh
ssh-keygen -t rsa -f cyberpanel -C root
This generates two files: cyberpanel (the private key, which never leaves your machine) and cyberpanel.pub (the public key).
Copy the contents of cyberpanel.pub and paste them into the following box:
Now you can log in from your local machine without a root password, using the private key:
ssh -i ~/.ssh/cyberpanel root@<IP Address>
Note that -i takes the private key file (cyberpanel), not cyberpanel.pub; the public key is the part you pasted into CyberPanel.
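The step that goes wrong most often here is the paste itself: the private key gets pasted instead of the .pub file, several keys end up on one line, or the line is truncated so the base64 blob no longer decodes. The following is an added example, not CyberPanel's own code, that checks a pasted key line before it goes into the box: it rejects private-key material, requires exactly one authorized_keys-style line, decodes the blob and verifies that the key type written at the front of the line matches the type encoded inside the blob. The sample keys are constructed (their key bytes are zeros) and are only for exercising the checker.

```python
"""Added example (not CyberPanel's own code): sanity-check an OpenSSH public
key line before pasting it into the SSH-keys box.  Sample keys are
constructed with zero key material and are not usable keys."""
import base64
import struct


def _ssh_string(data):
    """OpenSSH wire-format string: 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(data)) + data


def _wire_type(blob):
    """Return the key type stored as the first wire-format string of a blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated type string")
    return blob[4:4 + n].decode("ascii")


def check_public_key_line(text):
    """Return (ok, reason).  ok is True only for a single well-formed
    '<type> <base64> [comment]' line whose prefix matches the encoded type."""
    if "PRIVATE KEY" in text:
        return False, "this is the private key; paste the .pub file instead"
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) != 1:
        return False, "expected exactly one key line, got %d" % len(lines)
    parts = lines[0].split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    ktype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
        wire = _wire_type(blob)
    except ValueError as e:
        return False, "base64 blob is not a valid OpenSSH public key: %s" % e
    if wire != ktype:
        return False, "type prefix %r does not match encoded type %r" % (ktype, wire)
    comment = " ".join(parts[2:])
    return True, "ok: %s key%s" % (ktype, " for " + comment if comment else "")


def make_sample_pubkey(ktype="ssh-ed25519", comment="root"):
    """Constructed sample line: structurally valid, key bytes all zero.
    Only for testing the checker; it is not a real key."""
    blob = _ssh_string(ktype.encode()) + _ssh_string(bytes(32))
    return "%s %s %s" % (ktype, base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    good = make_sample_pubkey()
    print(check_public_key_line(good))
    print(check_public_key_line("ssh-rsa " + good.split(" ", 1)[1]))
    print(check_public_key_line("-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n"
                                "-----END OPENSSH PRIVATE KEY-----\n"))
```

The type check catches an edited or mixed-up line (an `ssh-rsa` prefix in front of an ed25519 blob, for instance) that sshd would silently ignore, leaving you locked out after root password login has been disabled on the same page. It deliberately reads only the leading type string, so it works for ssh-rsa, ecdsa and ed25519 lines alike without parsing the rest of each key format.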
CyberPanel's firewall denies everything except the ports opened by default; you can see those at: Server > Security > Firewall
Because of this deny-all policy, any additional port you need must be allowed explicitly from Server > Security > Firewall. Adding a rule there writes it and reloads the firewall.
To remove a rule, click the cross on its right; this deletes the rule and reloads the firewall.