  1. #76
    cPanelBilly
    Guest

    Default

    Quote Originally Posted by anup123
    Hello.

    Isn't mod_security configured to deny the following type of accesses?

    "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\

    Currently it doesn't.
    Or is it that implementing a rule for this would break something else??

    TIA
    Anup
    You have to put in a rule to block that. While cPanel includes a default configuration it is not turned on. You need to click on Mod Security and then on Edit Config. When you click on Default it loads the default config.
    Here is one in a log on our test server:
    /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
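For offline triage of an access log for the two request shapes quoted in this post (a WebDAV SEARCH with a run of escaped bytes, and a default.ida request padded with filler and %u-encoded data), here is an added example that is not part of the thread or of cPanel's ruleset. The method allowlist, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption: Apache access-log lines, where raw request bytes are logged as \xNN escapes.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>[^\s"]+)')
ALLOWED_METHODS = {"GET", "HEAD", "POST"}                 # assumed site policy
BYTE_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')       # 8+ escaped bytes in a row
PERCENT_U = re.compile(r'%u[0-9a-fA-F]{4}')               # %uXXXX encoding
FILLER = re.compile(r'(.)\1{63,}')                        # one character repeated 64+ times


def classify(line):
    """Return the reasons a logged request looks like an exploit probe ([] if none)."""
    m = REQUEST.search(line)
    if not m:
        return ["no parseable request"]
    method, uri = m.group("method"), m.group("uri")
    reasons = []
    if method not in ALLOWED_METHODS:
        reasons.append("method " + method)
    if BYTE_RUN.search(uri):
        reasons.append("binary byte run")
    if len(PERCENT_U.findall(uri)) >= 4:
        reasons.append("%u-encoded payload")
    if FILLER.search(uri):
        reasons.append("filler run")
    return reasons


def scan(lines):
    """Map line number (1-based) to reasons, for flagged lines only."""
    hits = {}
    for number, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits[number] = reasons
    return hits


# Constructed sample log lines (documentation IPs, shortened payloads).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2004:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.8 - - [12/Jul/2004:10:01:05 +0000] "SEARCH /' + r'\x90' + r'\xc9' * 40 + '" 414 -',
    '203.0.113.9 - - [12/Jul/2004:10:01:09 +0000] "GET /default.ida?' + 'X' * 80
    + '%u4141' * 4 + '=a HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG).items():
        print(number, ", ".join(reasons))
```
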

  2. #77
    Member
    Join Date
    Mar 2004
    Location
    This Planet
    Posts
    984

    Default

    Hi

    Actually that was already on as I had copied over the modsec.user.conf.default to modsec.user.conf on the last installation. Anything else that I need to do?

    Thanks
    Anup

  3. #78
    cPanelBilly
    Guest

    Default

    You may want to look at modsecurity.org for help on creating new rule sets.

  4. #79
    Member
    Join Date
    Mar 2004
    Location
    This Planet
    Posts
    984

    Default Is this a BUG???

    The Reseller WHM gets this Module added to their interface and there is no way that root can disable this. The RESELLER CAN FIDDLE WITH THIS and bring down httpd by purposefully introducing syntax errors.

    Is this a BUG???

    Anup

  5. #80
    Member
    Join Date
    Apr 2003
    Location
    Denver, CO
    Posts
    294

    Default

    Quote Originally Posted by anup123
    The Reseller WHM gets this Module added to their interface and there is no way that root can disable this. The RESELLER CAN FIDDLE WITH THIS and bring down httpd by purposefully introducing syntax errors.

    Is this a BUG???

    Anup
    Yeah this does NOT look good at all. Serious problems on many levels could arise from this!

    Jesse
    www.blueworldhosting.com
    jrehmer@blueworldhosting.com

  6. #81
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    But they can do that anyway through other means, e.g. the DNS configuration. You should be able to disable it from Resellers you don't want to have the feature, but if you give them the option to use it, you have to trust them.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  7. #82
    Member
    Join Date
    Mar 2004
    Location
    This Planet
    Posts
    984

    Default

    I couldn't find a feature where I could disable this. Actually reseller gets this Link which is the Link right at the bottom of left frame.

    Anup

  8. #83
    Staff Member cpanelben's Avatar
    Join Date
    Feb 2004
    Location
    Houston, Texas USA
    Posts
    598
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Make sure your addon module is up to date. If it's not limited in the latest version, then it soon will be. I know that Billy is/was working on this.

  9. #84
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by anup123
    The Reseller WHM gets this Module added to their interface and there is no way that root can disable this. The RESELLER CAN FIDDLE WITH THIS and bring down httpd by purposefully introducing syntax errors.

    Is this a BUG???

    Anup
    I already reported this and Billy said he will look in the code why this is happening. Haven't heard from him after that.
    :: Anand ::

    ssh root@
    who the hell is root ???

    Cpanelappz Support Forums are up now. Register Today
    http://forums.cpanelappz.com

    WHM/cPanel API : http://whmapi.cpanelappz.com
    Cpanel Login Script : www.cpanelappz.com/cpanel-login-script.htm
    Exiscan+Clam+Exim Auto Installer : www.cpanelappz.com

  10. #85
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by eos1
    This is happening because they don't test on Reseller WHM panel since 2004-04-29.

    Adding new things is great, But Please add options to "Reseller Center >> Edit Privileges/Nameservers"
    Yup as root one should be able to allow / disallow resellers with these options. It's not always that one would want resellers to have them.
    :: Anand ::


  11. #86
    cPanelBilly
    Guest

    Default

    Quote Originally Posted by anand
    Yup as root one should be able to allow / disallow resellers with these options. It's not always that one would want resellers to have them.
    It actually has nothing to do with any of the speculation that is being put out. It was fixed last week. The issue is caused because there is currently no way to limit resellers from seeing the installed Addon Modules. It has been changed however and now if a reseller is to click on the link it just says "Mod_Security is installed". Please check on things before insisting they are still an issue, as in this case, that was not true.

  12. #87
    Member
    Join Date
    Mar 2004
    Location
    This Planet
    Posts
    984

    Default

    Quote Originally Posted by cPanelBilly
    It actually has nothing to do with any of the speculation that is being put out. It was fixed last week. The issue is caused because there is currently no way to limit resellers from seeing the installed Addon Modules. It has been changed however and now if a reseller is to click on the link it just says "Mod_Security is installed". Please check on things before insisting they are still an issue, as in this case, that was not true.
    Hmmm. It's only when one of our resellers intimated us that I had posted this. I know he is a good technical reseller so he did not play with it.

    Yes indeed, after yesterday's upgrade to current_20, this issue is resolved.
    By and large, with additions coming in to Add On Modules, I think it becomes necessary to have the same be definable in Reseller Center in Reseller's ACLs...

    Thanks
    Anup

  13. #88
    Member
    Join Date
    Jan 2004
    Location
    Brazil
    Posts
    45

    Talking Few Questions about modsecurity addon

    I had already installed mod_security manually on my box and it is working perfectly... should I re-install using addon of WHM so it would update by itself?

    Does it use that kind of filters:

    SecFilter /root/
    SecFilter ..\/\/\

    Should I uninstall before installing it as an addon?

    Does it have web based configuration by WHM or should I pico httpd.conf?

  14. #89
    Staff Member cpanelben's Avatar
    Join Date
    Feb 2004
    Location
    Houston, Texas USA
    Posts
    598
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    If you want to install mod_security through AddOn Modules, then I recommend uninstalling your installation completely before proceeding. It may not make much difference, but it's always a good idea to err on the side of caution. You can save your rules, and add them to the cPanel default ruleset after you've completed.

  15. #90
    Member
    Join Date
    Nov 2003
    Posts
    521

    Default

    Quote Originally Posted by anup123
    I am not sure if anyone has noticed same thing happening wrt

    Alias /bandwidth/ /usr/local/bandmin/htdocs/

    being placed as many times as you rebuild apache.

    Hope someone is listening ...
    This is more of a result of things done in a Hurry.

    Anup
    Same thing on my RHE server. I was going to have my management staff go in httpd.conf and clean out all the duplicate lines.

    I haven't really had a chance to look deep into my conf file to see if anything else is duplicating, but Alias /bandwidth/ /usr/local/bandmin/htdocs/ is listed multiple times... both commented and uncommented.

    note: This has been an issue for a while. Also I've never installed mod_security, nor do I have it installed now
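One way to audit httpd.conf for the repeated `Alias /bandwidth/` lines described in this post, as an added example that is not from the thread or from cPanel. The sample config is constructed, and the choice to look only at top-level directives and to leave commented copies in place is an assumption of this sketch.

```python
from collections import defaultdict

# Constructed httpd.conf fragment reproducing the symptom (active and commented copies).
SAMPLE_CONF = """\
ServerName host.example.com
Alias /bandwidth/ /usr/local/bandmin/htdocs/
#Alias /bandwidth/ /usr/local/bandmin/htdocs/
<VirtualHost 192.0.2.10>
    ServerName site.example.com
</VirtualHost>
Alias /bandwidth/ /usr/local/bandmin/htdocs/
  alias   /bandwidth/   /usr/local/bandmin/htdocs/
"""


def _top_level(conf):
    """Yield (raw_line, key, commented); key is None unless the line is a top-level directive."""
    depth = 0
    for raw in conf.splitlines():
        s = raw.strip()
        key = None
        if s.startswith("</"):
            depth -= 1                      # leaving a container such as </VirtualHost>
        elif s.startswith("<"):
            depth += 1                      # entering a container
        elif depth == 0:
            parts = s.lstrip("#").split()
            if parts:                       # directive names are case-insensitive
                key = " ".join([parts[0].lower()] + parts[1:])
        yield raw, key, s.startswith("#")


def find_duplicates(conf):
    """Map each repeated top-level directive to (active_count, commented_count)."""
    counts = defaultdict(lambda: [0, 0])
    for _, key, commented in _top_level(conf):
        if key:
            counts[key][1 if commented else 0] += 1
    return {k: tuple(v) for k, v in counts.items() if sum(v) > 1}


def dedupe(conf):
    """Keep the first active copy of each top-level directive; leave comments alone."""
    seen, kept = set(), []
    for raw, key, commented in _top_level(conf):
        if key and not commented:
            if key in seen:
                continue
            seen.add(key)
        kept.append(raw)
    return "\n".join(kept) + "\n"
```

Write the output of `dedupe` to a copy of the file and check it with `apachectl configtest` before replacing the live configuration.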
