[Tutorial] How To Manually Update Comodo ModSecurity Rules For CyberPanel

I originally posted this in the Facebook group but Owen asked me to post it here also, so here we are. As you may not know even fresh installs of CyberPanel come with ModSecurity rules that are over 2 years old so you may not be as protected as you think. the below tutorial assumes you already have ModSecurity Comodo rules installed via CyberPanel admin area…


Step 1

go to https://waf.comodo.com/ and download the latest rules. It is important that you select NGINX rules as OpenLitespeed is not compatible with ModSecurity 2 rules.


Step 2

using sftp go to /usr/local/lsws/conf/modsec/comodo where you will see the old rules.


Step 3

check ownership on rules by opening any of the files and seeing who they are running as. it will either be cyberpanel:cyberpanel or lsadm:nobody. (I’m not sure which is correct but i’ve observed both on different servers)


Step 4

delete all files in /usr/local/lsws/conf/modsec/comodo except for modsecurity.conf and then upload all the updated files you downloaded from comodo.


Step 5

change owner for the files you uploaded according to what they were prior by using either of these commands depending on which is correct for your setup:

chown -R lsadm:nobody /usr/local/lsws/conf/modsec/comodo

chown -R cyberpanel:cyberpanel /usr/local/lsws/conf/modsec/comodo


Step 6

edit the following file: /usr/local/lsws/conf/httpd_config.conf

find the line beginning modsecurity_rules_file

keep these 2 lines:

modsecurity_rules_file /usr/local/lsws/conf/modsec/rules.conf

modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/modsecurity.conf

remove the lines from:

modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/00_Init_Initialization.conf

until

modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/28_Apps_OtherApps.conf

replace with new lines:

modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/00_Init_Initialization.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/01_Init_AppsInitialization.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/02_Global_Generic.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/03_Global_Agents.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/04_Global_Domains.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/05_Global_Incoming.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/06_Global_Backdoor.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/07_XSS_XSS.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/08_Global_Other.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/09_Bruteforce_Bruteforce.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/10_HTTP_HTTP.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/11_HTTP_HTTPDoS.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/12_HTTP_Protocol.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/13_HTTP_Request.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/14_Outgoing_FilterGen.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/15_Outgoing_FilterASP.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/16_Outgoing_FilterPHP.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/17_Outgoing_FilterSQL.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/18_Outgoing_FilterOther.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/19_Outgoing_FilterInFrame.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/20_Outgoing_FiltersEnd.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/21_PHP_PHPGen.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/22_SQL_SQLi.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/23_ROR_RORGen.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/24_Apps_Joomla.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/25_Apps_JComponent.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/26_Apps_WordPress.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/27_Apps_WPPlugin.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/28_Apps_WHMCS.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/29_Apps_Drupal.conf
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/30_Apps_OtherApps.conf


Step 7

Restart litespeed and you’re good to go


Step 8 (optional)

In Cyberpanel go to: ModSecurity Rules Pack and click configure next to Comodo Modsecurity 3.0

you can then turn off any rule sets you don’t need. eg if all the sites on your server are wordpress then you can safely turn off drupal and joomla rules for very marginal improvement in efficiency.

1 Like

Thank You, worked right away !

Did it a second time today.

ls -l gave me surprisingly: lsadm nogroup

So i did: chown -R lsadm:nogroup /usr/local/lsws/conf/modsec/comodo

Hope that’s right…please correct me if that’s not right

chown -R cyberpanel:cyberpanel /usr/local/lsws/conf/modsec/comodo this worked for my installation.

Thank you. It works for me but i use owasp instead comodo.

Unable to download OWASP ModSecurity Core Rules and COMODO ModSecurity 3.0 mod security rules section.

After a fresh installation, when I am configuring the Mod security on the cyber panel I got an error for both OWASP and MODDECURITY 3.0.

I also checked both URLs .they are throwing 404 errors

for comodo =https://cyberpanel.net/modsec/comodo.tar.gz
for OWSAP =https://cyberpanel.net/modsec/owasp.tar.gz

Even at /usr/local/lsws/conf/modsec/ there is neither comodo folder nor owasp.

==============================================================

The installation i did today only.

Could you anyome please assist me.

thanks

@subh

you can edit the file

/usr/local/CyberCP/plogical/modSec.py and change the mirrorpath from “cyberpanel.net” to “cyberpanel.sh”

mirrorPath = “cyberpanel.sh”

and try install and it will be ok

I’m seeing the following error - any ideas?

/usr/local/lsws/bin/openlitespeed -t
t:none,t:urlDecode2021-11-30 16:51:44.514921 [ERROR] [26709] [Module:mod_security]setSecRule(type 1)
secdebugloglevel 0
secdebuglog /usr/local/lsws/logs/modsec.log
secauditengine on
secauditlogrelevantstatus "^(?:5|4(?!04))"
secauditlogparts AFH
secauditlogtype Serial
secauditlog /usr/local/lsws/logs/auditmodsec.log
secruleengine On
secresponseaccess off
  failed, ret -1, reason: 'Rules error. File: <<reference missing or not informed>>. Line: 10. Column: 22. Invalid input:  secresponseaccess off'.
2021-11-30 16:51:44.515899 [ERROR] [26709] [Module:mod_security]setSecRule(type 2) /usr/local/lsws/conf/modsec/comodo/modsecurity.conf failed, ret -1, reason: 'Rules error. File: <<reference missing or not informed>>. Line: 10. Column: 22. Invalid input:  secresponseaccess offRules error. File: /usr/local/lsws/conf/modsec/comodo/modsecurity.conf. Line: 195. Column: 17

I can’t seem to find secresponseaccess in the modsecurity.conf file.

This was caused by me when trying to fix very slow page loading with WordPress/Divi theme. Based on the following:

Please disregard. Hopefully the new Comodo rules will do the trick.

Thanks!

I was also getting a unicode.mapping error but I think I fixed it.

Failed to locate the unicode map file from: unicode.mapping Looking at: 'unicode.mapping', 'unicode.mapping', '/usr/local/lsws/conf/modsec/comodo/unicode.mapping', '/usr/local/lsws/conf/modsec/comodo/unicode.mapping'. '.

I downloaded https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping to the comodo directory and set the owner/group and file permissions to match the others.

Can I still use this tutorial to use commodo rules on Cyberpanel?

It seems COMMODO is banned from Admins backend?!?

Comodo is removed because they are now subscription based model and not open.

And how should I add COMODO if I pay for the subscription?
You have other tools in CyberPanel that needs payments (like Imunify360).
Think it´s not the very best good idea to delete former included services …

Additionally:

STILL SAYS THE COMODO RULEZ ARE FREE TO USE

I just tried to register again for the FREE RULESSET of Comodo. And it worked as exspected!

I was able to register and I was able to download the needed NGIX gulez.

I got eMail with VALID serial key.

So question again: How can I add these rulez to my cyberpanel after you kicked it out of the menue?

Thanks for help

It is free but it requires subscription. The inclusion of these rules was by just pulling it from their servers. Now that its restricted with subscription model, the direct download to cyberpanel installation (user side), doesn’t work. It needs to be mirrored somewhere with direct pull access which needs maintenance and the team currently is unable to maintain additional segment with the current limited developers behind cyberpanel project.

As cyberpanel is an open-source project, any developer who wish to contribute to the comodo ruleset, can be a part.

Thanks for your answer. I took the subscription.

Is there a chanceoto insert it in the panel?

I cinfigured it via config files, but missing the options to acticate/deactivate single rules by cyberpanel gui

Not possible by simple method. But if you require, you can check the github branch of cyberpanel and see what files were changed in removing the comodo rules from cyberpanel… Redo those codes back in your cyberpanel setup and it will be back.

Ok, thank you for your adivice. It´s not possible for me to do this, because I will run in trouble each time I run updates. It´s a productive system for a customer running Cyberpanel Enterprise. So no chance to “experiment” lthis way

You can use OWASP rules. Why you going after comodo itself? ModSecurity Performance: Apache, nginx, and LiteSpeed ⋆ LiteSpeed Blog

The reason for deleting Comodo from cyberpanel project: ModSecurity rules outdated · Issue #653 · usmannasir/cyberpanel · GitHub

If you or any developer who can maintain this comodo branch can help contribute it.