########################
Remote Rule Installation
########################

**Requirements:**

* Apache/IIS mod_security 2.9.5 or higher
* Nginx Libmodsecurity 3.0.6 or higher



This method simplifies the WAF configuration by loading all the rule policies over a network connection. By default, the base policy includes the anti-evasion, strict content checking, denial of service, anti-malware, general attack, brute force detection, XSS, rootkit, DLP, and JITP rule classes.


Additional Rule Classes
=======================

- antispam - Anti-spam rule policy, covering UCE, gambling, search engine spoofing, etc.
- proxy - Open proxy blocking
- recon - Reconnaissance detection
- redactor - Malicious content redactor
- search - Search engine automatic access listing




Apache
======


Step 1) Edit or create the ModSecurity configuration file for your distribution:


RHEL/Rocky/Centos

  .. code-block::

    /etc/httpd/modsecurity.d/tortix_waf.conf

Ubuntu/Debian

  .. code-block::

   /etc/modsecurity/tortix_waf.conf


Step 2) Add the following to your mod_security tortix_waf.conf file, replacing <API Key> with the value in your license signup email:

  .. code-block::

     SecRemoteRulesFailAction Warn
     SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php
    

Step 3) (Optional) Additional rule classes can be specified as follows:

  .. code-block::

     SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php?antispam,recons

Step 4) Configure Apache to load the rules:

  .. code-block::

    Include conf.d/*.conf

Step 5) Verify that the ModSecurity Core Rule Set and the local configuration are included:

  .. code-block::

        # ModSecurity Core Rules Set and Local configuration
        IncludeOptional modsecurity.d/*.conf
        IncludeOptional modsecurity.d/activated_rules/*.conf
        IncludeOptional modsecurity.d/local_rules/*.conf
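The Apache steps above, and the identical ``SecRemoteRules`` stanza used in the Nginx, IIS and cPanel sections below, come down to two directives plus an optional query string of rule classes. The following shell script is an added example, not part of the Atomicorp documentation or the ModSecurity project: it renders that stanza and runs a pre-flight check on the resulting file before the web server is restarted. The directive names, the rule URL and the ``<API Key>`` placeholder are taken from this page; the function names, the constructed key ``EXAMPLE-KEY-0000`` and the checks themselves are this script's own. One check is informational only but worth having: with ``SecRemoteRulesFailAction Warn`` the server still starts if the rules cannot be downloaded, just without them, whereas ``Abort`` refuses to start.

```shell
#!/bin/sh
# Added example; not part of the Atomicorp documentation or the ModSecurity project.
# Renders the SecRemoteRules stanza for tortix_waf.conf and pre-flight checks it.
# From the page: the two directive names and the rule URL. Assumed/constructed here:
# the function names, the EXAMPLE-KEY-0000 sample key and the checks themselves.

SRR_URL="https://waf.atomicorp.com/rules/srr.php"

# build_srr_url [CLASS ...] -> prints the rule URL; extra rule classes are appended
# as "?class1,class2". Anything other than lowercase letters in a class name is
# rejected, so a typo is caught here rather than after the restart.
build_srr_url() {
  url="$SRR_URL"
  sep="?"
  for cls in "$@"; do
    case "$cls" in
      ""|*[!a-z]*) echo "invalid rule class: '$cls'" >&2; return 1 ;;
    esac
    url="$url$sep$cls"
    sep=","
  done
  printf '%s\n' "$url"
}

# render_srr_conf FAIL_ACTION API_KEY [CLASS ...] -> prints the two directives.
render_srr_conf() {
  action="$1"; key="$2"; shift 2
  url=$(build_srr_url "$@") || return 1
  printf 'SecRemoteRulesFailAction %s\n' "$action"
  printf 'SecRemoteRules %s %s\n' "$key" "$url"
}

# check_srr_conf FILE -> 0 when FILE is ready to deploy, 1 (reasons on stderr) otherwise.
check_srr_conf() {
  file="$1"; rc=0
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  rules=$(grep -c '^[[:space:]]*SecRemoteRules[[:space:]]' "$file" || true)
  if [ "$rules" -ne 1 ]; then
    echo "expected exactly one SecRemoteRules line, found $rules" >&2; rc=1
  fi
  if grep -q '<API Key>' "$file"; then
    echo "the <API Key> placeholder has not been replaced" >&2; rc=1
  fi
  # ModSecurity documents SecRemoteRules as HTTPS-only; a plain http URL is a config error.
  if grep '^[[:space:]]*SecRemoteRules[[:space:]]' "$file" | grep -qv 'https://'; then
    echo "SecRemoteRules URL must use https" >&2; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*SecRemoteRulesFailAction[[:space:]]+(Abort|Warn)[[:space:]]*$' "$file"; then
    echo "SecRemoteRulesFailAction must be Abort or Warn" >&2; rc=1
  fi
  # Not an error, but worth knowing: Warn lets the server start with no remote rules
  # loaded if the download fails; Abort refuses to start instead.
  if grep -Eq '^[[:space:]]*SecRemoteRulesFailAction[[:space:]]+Warn' "$file"; then
    echo "note: FailAction Warn means the server starts unprotected if the rule download fails" >&2
  fi
  return $rc
}

# Demo with a constructed key (no real licence key is used here).
tmp=$(mktemp)
render_srr_conf Warn EXAMPLE-KEY-0000 antispam proxy > "$tmp"
cat "$tmp"
check_srr_conf "$tmp" && echo "pre-flight check passed"
rm -f "$tmp"
```

To use it on a host, redirect ``render_srr_conf`` into the ``tortix_waf.conf`` path for your distribution, run ``check_srr_conf`` on that file, and only then restart the server.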

Nginx
=====

Step 1) Configure nginx to load the modsecurity module in /etc/nginx/nginx.conf


  .. code-block::

     load_module modules/ngx_http_modsecurity_module.so;

Step 2) Add the base ModSecurity configuration to nginx at /etc/nginx/conf.d/00_modsecurity.conf

  .. code-block::

    modsecurity on;
    modsecurity_rules_file /etc/httpd/modsecurity.d/tortix_waf.conf;


Step 3) Add the following to your mod_security tortix_waf.conf file, replacing <API Key> with the value in your license signup email:

  .. code-block::

     SecRemoteRulesFailAction Warn
     SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php

Step 4) (Optional) Additional rule classes can be specified as follows:

  .. code-block::

     SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php?antispam,recons


IIS
===

Step 1) Add the following to your mod_security configuration C:\Program Files\Modsecurity IIS\modsecurity.conf, replacing <API Key> with the value in your license signup email:


  .. code-block::

     SecRemoteRulesFailAction Warn
     SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php

Step 2) (Optional) Additional rule classes can be specified as follows:

  .. code-block::

     SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php?antispam,recons


cPanel
======

Step 1) Configure directory permissions

cPanel does not run Apache as a standard user (such as "apache") but as the older, non-privileged user "nobody". You will need to ensure that the work directories ModSecurity uses are owned by the user that cPanel uses to run Apache. To find this user, run the following command as root:

  .. code-block::

     ps auxwww | grep http

You should see output similar to the following:

  .. code-block::

     root     20594 86.8  3.1 255148 181232 ?       Ss   11:39   0:04 /usr/local/apache/bin/httpd -k restart 
     root     20611  0.0  3.1 255060 179596 ?       S    11:39   0:00 /usr/local/apache/bin/httpd -k restart
     nobody   20612  0.0  3.1 255148 180224 ?       S    11:39   0:00 /usr/local/apache/bin/httpd -k restart
     nobody   20613  0.0  3.1 255148 180224 ?       S    11:39   0:00 /usr/local/apache/bin/httpd -k restart
     nobody   20614  0.0  3.1 255148 180224 ?       S    11:39   0:00 /usr/local/apache/bin/httpd -k restart
     nobody   20615  0.0  3.1 255148 180224 ?       S    11:39   0:00 /usr/local/apache/bin/httpd -k restart
     nobody   20616  0.0  3.1 255148 180224 ?       S    11:39   0:00 /usr/local/apache/bin/httpd -k restart

In this example from a CentOS system running cPanel the user is "nobody", so you would use the following commands to configure the ModSecurity work directories for a system where Apache is running as "nobody":

  .. code-block::

      mkdir -p /var/asl/data/msa
      mkdir -p /var/asl/data/audit
      mkdir -p /var/asl/data/suspicious
      chown nobody:nobody /var/asl/data/msa
      chown nobody:nobody /var/asl/data/audit
      chown nobody:nobody /var/asl/data/suspicious
      chmod -R o-rx /var/asl/data/*
      chmod -R ug+rwx /var/asl/data/*
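Reading the worker user off ``ps`` output and typing the ownership commands by hand is easy to get wrong, and a wrong owner means the workers cannot write their audit or upload data. The following shell script is an added example, not part of the Atomicorp documentation or of cPanel: it picks the httpd worker user out of ``ps`` output, creates the work directories with that owner and group, and verifies that none of them is accessible to other users. The ``/var/asl/data`` layout is the page's; the function names, the constructed ``ps`` sample and the base-directory parameter are this script's own.

```shell
#!/bin/sh
# Added example; not part of the Atomicorp documentation or of cPanel.
# Finds the unprivileged user that cPanel's httpd workers run as and creates the
# ModSecurity work directories owned by that user. The /var/asl/data/{msa,audit,
# suspicious} layout comes from the page; the parsing, the configurable base
# directory and the permission check are this script's own.

# Constructed sample of "ps auxwww" output, trimmed from the page's example.
SAMPLE_PS='root     20594 86.8  3.1 255148 181232 ?       Ss   11:39   0:04 /usr/local/apache/bin/httpd -k restart
root     20611  0.0  3.1 255060 179596 ?       S    11:39   0:00 /usr/local/apache/bin/httpd -k restart
nobody   20612  0.0  3.1 255148 180224 ?       S    11:39   0:00 /usr/local/apache/bin/httpd -k restart
nobody   20613  0.0  3.1 255148 180224 ?       S    11:39   0:00 /usr/local/apache/bin/httpd -k restart'

# apache_worker_user PS_OUTPUT -> prints the first non-root user whose command is
# httpd (or apache2); prints nothing if only root processes are found.
# In "ps aux" output the command is field 11 (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND).
apache_worker_user() {
  printf '%s\n' "$1" | awk '$1 != "root" && $11 ~ /httpd|apache2/ { print $1; exit }'
}

# setup_work_dirs USER GROUP BASE -> creates BASE/data/{msa,audit,suspicious},
# owned by USER:GROUP, mode 0770 (owner and group full access, nothing for others).
setup_work_dirs() {
  user="$1"; group="$2"; base="$3"
  for d in msa audit suspicious; do
    mkdir -p "$base/data/$d" || return 1
    chown "$user:$group" "$base/data/$d" || return 1
    chmod 770 "$base/data/$d" || return 1
  done
}

# check_work_dirs BASE -> 0 if every work directory exists and is closed to "others".
# Uses ls -ld so it works on both GNU and BSD userlands (stat flags differ).
check_work_dirs() {
  base="$1"; rc=0
  for d in msa audit suspicious; do
    dir="$base/data/$d"
    if [ ! -d "$dir" ]; then
      echo "missing $dir" >&2; rc=1; continue
    fi
    others=$(ls -ld "$dir" | cut -c8-10)
    if [ "$others" != "---" ]; then
      echo "$dir is accessible to others ($others)" >&2; rc=1
    fi
  done
  return $rc
}

# Demo: detect the worker user from the constructed sample. On a live cPanel host,
# run as root: u=$(apache_worker_user "$(ps auxwww)"); setup_work_dirs "$u" "$u" /var/asl
echo "httpd workers run as: $(apache_worker_user "$SAMPLE_PS")"
```

The functions take the base directory as a parameter so they can be exercised in a scratch directory as an unprivileged user; on the real system the base is ``/var/asl`` and the script must run as root.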

Step 2) Install ModSecurity


Step 3) Make a change to the cPanel ModSec configuration. A typical modsec2.conf file looks like the following:

  .. code-block::

     LoadFile /opt/xml2/lib/libxml2.so
     LoadFile /opt/lua/lib/liblua.so
     LoadModule security2_module  modules/mod_security2.so
     <IfModule mod_security2.c>
     SecRuleEngine On
     # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
     #  "Add the rules that will do exactly the same as the directives"
     # SecFilterCheckURLEncoding On
     # SecFilterForceByteRange 0 255
     SecAuditEngine RelevantOnly
     SecAuditLog logs/modsec_audit.log
     SecDebugLog logs/modsec_debug_log
     SecDebugLogLevel 0
     SecDefaultAction "phase:2,deny,log,status:403"
     Include "/usr/local/apache/conf/modsec2.user.conf"
     </IfModule>

cPanel will overwrite this configuration, so you need to modify the user config file (/usr/local/apache/conf/modsec2.user.conf) as indicated below:

  .. code-block::

   SecRequestBodyAccess On
   SecAuditLogType Concurrent
   SecResponseBodyAccess On
   SecResponseBodyMimeType (null) text/html text/plain text/xml
   SecResponseBodyLimit 2621440
   SecAuditLogRelevantStatus "^(?:5|4(?!04))"
   SecServerSignature Apache
   SecUploadDir /var/asl/data/suspicious
   SecUploadKeepFiles Off
   SecAuditLogParts ABIFHZ
   SecArgumentSeparator "&"
   SecCookieFormat 0
   SecRequestBodyInMemoryLimit 131072
   SecDataDir /var/asl/data/msa
   SecTmpDir /tmp
   SecAuditLogStorageDir /var/asl/data/audit
   SecResponseBodyLimitAction ProcessPartial

Add the following to your mod_security tortix_waf.conf file, replacing <API Key> with the value in your license signup email:

  .. code-block::

    SecRemoteRulesFailAction Warn
    SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php

(Optional) Additional rule classes can be specified as follows:

  .. code-block::

    SecRemoteRules <API Key> https://waf.atomicorp.com/rules/srr.php?antispam,recons

If you want to load just some of the rules, make sure you specify only those rule files. The default list above is the recommended and supported set of rulesets for cPanel. Do not use the other ASL rulesets with cPanel; those rules either use other Apache modules (such as mod_sed) or Atomic Protector-specific features that require Atomic Protector.

Make sure you have applied all of the settings on this page to use ModSecurity with cPanel correctly. Failing to do so will make it impossible for us to support you, and ModSecurity will not work as quickly or as correctly, exposing your system to attack and slowing it down.

Step 4) Install mod_unique_id:

cPanel users will need to manually verify that the mod_unique_id module is loaded by cPanel's Apache. It should be loaded by default, but check your cPanel configuration to be sure.


Step 5) Restart Apache by running the following command:

  .. code-block::

     service httpd restart
