
Starting with version 1.6.2 stable, you can enable the OWASP and Comodo ModSecurity rules with one click.

Navigate to → https://<IP Address>:8090/firewall/modSecRulesPacks

 

Click the switch to turn on the OWASP rules. To verify that the OWASP rules were installed successfully, open:

http://example.com/?a=b AND 1=1

You should get a 403 Forbidden error. You can also check your ModSecurity audit logs:

ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data:  found within ARGS:a: b AND 1=1"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref "v8,9t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref ""]

Notice that the SQLi rule (942100) only logs a warning; the request is denied by rule 949110 from REQUEST-949-BLOCKING-EVALUATION.conf once the anomaly score reaches 5. If you disable this file, you will no longer get the 403 error.
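To see which rule file actually blocked a request, the log entries can be grouped by unique_id. The script below is an added example, not part of CyberPanel or the original page; its input is a shortened, constructed copy of the three log lines above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: shortened copies of the three log lines shown above
# (same field layout, most [tag ...] pairs dropped).
SAMPLE_LOG = """\
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/"] [unique_id "152317238285.808317"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/"] [unique_id "152317238285.808317"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5)"] [severity "0"] [uri "/"] [unique_id "152317238285.808317"]
"""

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')          # [key "value"] pairs
DENIED = re.compile(r"Access denied with code (\d+)")


def parse_line(line):
    """Return the [key "value"] fields of one ModSecurity log line as a dict."""
    fields = dict(FIELD.findall(line))
    m = DENIED.search(line)
    fields["denied_status"] = int(m.group(1)) if m else None
    # Keep only the rule file name, e.g. REQUEST-949-BLOCKING-EVALUATION.conf
    fields["rule_file"] = fields.get("file", "").rsplit("/", 1)[-1]
    return fields


def summarise(log_text):
    """Group entries by unique_id; separate detections from the blocking rule."""
    txns = defaultdict(lambda: {"status": None, "blocked_by": None, "detections": []})
    for line in log_text.splitlines():
        if not line.startswith("ModSecurity:"):
            continue
        f = parse_line(line)
        txn = txns[f.get("unique_id", "unknown")]
        if f["denied_status"] is not None:
            # The line that denied the request names the blocking rule file.
            txn["status"] = f["denied_status"]
            txn["blocked_by"] = (f.get("id"), f["rule_file"])
        elif "CORRELATION" not in f["rule_file"]:
            # Detection rules only raise the anomaly score and log a warning.
            txn["detections"].append((f.get("id"), f.get("msg")))
    return dict(txns)


if __name__ == "__main__":
    for uid, txn in summarise(SAMPLE_LOG).items():
        print(uid, txn)
```

A transaction with detections but no blocked_by entry means the rules scored the request without denying it, which is the state you get after disabling the blocking-evaluation file.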


Disable Rule Files

Once the OWASP or Comodo rules are enabled, you can also enable or disable individual rule files.

 

Automatic installation of the Comodo and OWASP rules will be added later.


Add Rules

To add individual rules, you can navigate to: https://<IP Address>:8090/firewall/modSecRules

By default there is one rule defined:

SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access' ,log,auditlog,deny"

To test this rule, append the following to the end of your URL: ?abc=../../ You should get a 403 Forbidden, which means your ModSecurity installation was successful.

You can add further rules to this file and save it to apply the changes.

Once you open: https://<IP Address>:8090/firewall/modSecurity

You will see something like:

There are seven options; let's discuss them.

ModSecurity Status

This is the only option controlled by the OpenLiteSpeed web server. Once you turn it off, nothing related to ModSecurity will work; it must be turned on for ModSecurity to function.

SecAuditEngine

ModSecurity can generate extensive logs for HTTP requests in the audit log file; this option states whether you need extensive logging or not. You can read more details here.

SecRuleEngine

Whether to process the rules you have defined in the rules files. If ModSecurity Status is turned off, this option has no effect.

SecDebugLogLevel

Levels of debug logs you need, 9 being the highest level of logging. More details here.

SecAuditLogParts

If `SecAuditEngine` is turned on, you can decide here which parts of the HTTP transaction you want logged to the audit log file. More details here.

SecAuditLogRelevantStatus

Related to audit logging; more details here.

SecAuditLogType

How audit logging should be done; more details here.

By default, ModSecurity is not installed; the first time you try to configure ModSecurity, CyberPanel prompts you to install it.

Open → https://<IP Address>:8090/firewall/modSecurity

 

Clicking 'Install Now' starts the installation. If the installation is successful, the page refreshes and lets you configure the ModSecurity settings, which look something like:

Securing SSH is one of the most important tasks of a system administrator. CyberPanel allows you to change the SSH port, disable root login and save your SSH keys.


Basic Security

Server > Security > Secure SSH

 

 

On this page you can control two settings:

  • Change Default SSH Port.
  • Allow/Disallow Root Login.

SSH Keys

To add your SSH keys, you first need to generate a public/private key pair.

On your local machine

cd ~/.ssh
ssh-keygen -t rsa -f cyberpanel -C root

This will generate two files: cyberpanel (the private key) and cyberpanel.pub (the public key).

You need to copy the contents of cyberpanel.pub and paste them in the following box:

 

 

Now on your local machine you can log in without needing the root password, using the private key file:

ssh -i ~/.ssh/cyberpanel root@<IP Address>

CyberPanel follows a deny-all policy except for the ports opened by default. You can see the ports opened by default at: Server > Security > Firewall


Available Functions


Add Firewall Rule

As I've mentioned above, CyberPanel follows a deny-all policy, so if you want to allow a port you can add it from Server > Security > Firewall.

 

 

  1. Give this rule a name.
  2. Select the protocol from the dropdown, either tcp or udp.
  3. Enter the port to open for the specified protocol.
  4. Click 'ADD'.

This will add the rule and reload the firewall.


Delete Firewall Rule

Just click the cross on the right side of the rule; this will delete the rule and reload the firewall.
