SweptSquash

Member
Apr 16, 2016
UK
cPanel Access Level
Root Administrator
Hi,

I just updated our server to cPanel 64.0.11 and noticed a few issues.

In WHM accessing the Apache Status page returns "Failed to receive status information from Apache."

Accessing phpMyAdmin via a user's cPanel account will either hang on "Loading..." or display a 403/404 Security Token Missing. Works OK via WHM.
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
I had the same symptoms when mod-security rules blocked requests
GET /whm-server-status/
from 127.0.0.1

The Apache Status page uses the GET /whm-server-status/ request to get the info.
This can be fixed with one new rule so as to turn off the offending rules for this request only, and only from 127.0.0.1.

The rule you need depends on which ruleset you are using, the new one or the old one.
The rule to use for the new OWASP3 ruleset is...
Code:
# Rule to allow cPanel whm-server-status requests with missing mandatory headers.
# The chain matches only requests from 127.0.0.1 for /whm-server-status, with or
# without a trailing slash (REQUEST_FILENAME does not include a query string such as ?auto).
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
    "msg:'Matched 127.0.0.1 and matched whm-server-status. Disabling rules 920280 and 920350',\
    phase:1,\
    id:8888777,\
    t:none,\
    pass,\
    nolog,\
    chain"
    SecRule REQUEST_FILENAME "@rx ^/whm-server-status/?$" \
        "t:none,\
        ctl:ruleRemoveById=920280,\
        ctl:ruleRemoveById=920350"

To add it go to WHM=>Security Center=>Tools=>Rules=>Add Rule

All the rule IDs have changed between the old CRS and the new CRS.
If you still are using the old ruleset the other rule is posted here to fix that.

The other phpMyAdmin issue looks like it may be modsecurity related also.
Look in WHM=>Security Center=>Tools Hits for more info.
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
The cause and the resolution to this problem depend on the mod-security rule set you are using.
To determine your ruleset...
Go to WHM=>Security Center=>Modsecurity Vendors
then post the name of the active Vendor Rule set.

Then go to WHM=>Security Center=>Tools
and do a search for whm-server-status

Post the rule numbers that are being triggered.
 

cuzzmunger

Member
Apr 28, 2017
Sydney
cPanel Access Level
Root Administrator
Hi There, I have just upgraded to cPanel & WHM 64.0 (build 18) and implemented OWASP ModSecurity Core Rule Set V3.0
as well as the core OWASP ModSecurity Core Rule Set.

I added the rule above but still can't get Apache status via WHM. I can get the status via SSH. Did I need to change anything in the rule for my server?

Any help appreciated. Build below.

Code:
/etc/redhat-release:CentOS release 6.9 (Final)
/usr/local/cpanel/version:11.64.0.18
/var/cpanel/envtype:standard
CPANEL=release
Server version: Apache/2.4.25 (cPanel)
Server built:   Apr  7 2017 15:35:22
ea-php-cli Copyright 2016 cPanel, Inc.
PHP 7.0.18 (cli) (built: Apr 17 2017 14:19:18) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
mysql  Ver 15.1 Distrib 10.0.30-MariaDB, for Linux (x86_64) using readline 5.1

Cheers
Cuzz
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
Quote.
"implemented OWASP ModSecurity Core Rule Set V3.0
as well as the core OWASP ModSecurity Core Rule Set"

It makes no sense to have both rule sets enabled simultaneously.
Try with only the Core Rule Set V3.0 enabled.


While logged into WHM try to view Server Status => Apache Status
Then view Security Center => Tools and look or search for hits from 127.0.0.1
You will see the rules that have been triggered. (or an absence of triggered rules)

With this setup, even without the exception rule, I would expect you could view Server Status => Apache Status, but it will record a non-blocking log entry for rule 920280.
 

cuzzmunger

Member
Apr 28, 2017
Sydney
cPanel Access Level
Root Administrator
Thanks fuzzylogic,
I thought that might be the case having both running.
I disabled the old rule set and enabled the above rule and am now getting the results for Apache Status.

Below is the result of having both running with or without the above rule.
Code:
2017-04-29 13:30:35     127.0.0.1    CRITICAL    403
 949110: Inbound Anomaly Score Exceeded (Total Score: 8)
Request:    GET /whm-server-status/
Action Description:    Access denied with code 403 (phase 2).
Justification:    Operator GE matched 5 at TX:anomaly_score.

I'm still getting a WARNING
Code:
2017-04-29 13:39:05    127.0.0.1    WARNING    200
 920280: Request Missing a Host Header
Request:    GET /whm-server-status/
Action Description:    Warning.
Justification:    Operator EQ matched 0 at REQUEST_HEADERS.

Should I worry about the warning?

Thanks again.
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
This is a legitimate and safe request from your server to itself, so it is nothing to worry about.
My server makes similar requests for three separate reasons.
1. Loading the Apache Status page as you reported
2. Every 5 minutes WHM makes a request to /whm-server-status
3. Every 5 minutes the WHM plugin Munin makes 3 requests to /whm-server-status?auto
These requests score 4 incoming anomaly points each time. The default max incoming anomaly points is 5. So triggering one of these rules per request does not block that request.

What does happen though is that your modsec hits logs get many events logged which are of little use for you.

The exclusion rule I posted above will (for these requests only) turn off the 2 rules that are triggered.
This in turn will stop the log entries for these requests.
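
The following Python script is an added example, not part of the original posts and not cPanel code: it parses hit entries laid out like the ones pasted in this thread and lists which of them would still be logged under an exclusion defined by a source network, a REQUEST_FILENAME pattern and a set of rule IDs. The sample entries, the address 203.0.113.7 and all function names are constructed for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample, laid out like the WHM hit entries quoted in this thread.
SAMPLE_HITS = """\
2017-04-29 13:39:05    127.0.0.1    WARNING    200
 920280: Request Missing a Host Header
Request:    GET /whm-server-status/
2017-04-29 13:40:00    127.0.0.1    WARNING    200
 920280: Request Missing a Host Header
Request:    GET /whm-server-status?auto
2017-04-29 13:41:12    203.0.113.7    WARNING    200
 920280: Request Missing a Host Header
Request:    GET /whm-server-status/
"""

HEAD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\w+)\s+(\d{3})\s*$")
RULE = re.compile(r"^\s*(\d+):\s*(.+?)\s*$")
REQ = re.compile(r"^Request:\s+(\S+)\s+(\S+)")

def parse_hits(text):
    """Turn pasted hit entries into dicts with ip, rule_id, uri and so on."""
    hits, cur = [], None
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur = {"time": m[1], "ip": m[2], "severity": m[3], "status": int(m[4])}
            hits.append(cur)
        elif cur is not None and (m := REQ.match(line)):
            cur["method"], cur["uri"] = m[1], m[2]
        elif cur is not None and (m := RULE.match(line)):
            cur["rule_id"], cur["msg"] = int(m[1]), m[2]
    return hits

def covered(hit, ip_net, path_rx, rule_ids):
    """True if an exclusion with these three conditions would silence the hit."""
    # REQUEST_FILENAME is the request path without the query string.
    filename = urlsplit(hit["uri"]).path
    return (ipaddress.ip_address(hit["ip"]) in ipaddress.ip_network(ip_net)
            and re.search(path_rx, filename) is not None
            and hit["rule_id"] in rule_ids)

def uncovered(text, ip_net, path_rx, rule_ids):
    """Hits that would still be logged with the exclusion in place."""
    return [(h["ip"], h["rule_id"], h["uri"]) for h in parse_hits(text)
            if not covered(h, ip_net, path_rx, rule_ids)]

if __name__ == "__main__":
    for rx in (r"^/whm-server-status$", r"^/whm-server-status/?$"):
        print(rx, uncovered(SAMPLE_HITS, "127.0.0.1/32", rx, {920280, 920350}))
```

Comparing the two patterns shows whether the exclusion accounts for the trailing slash in GET /whm-server-status/, and that the same request from any other address stays logged.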
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Note that as mentioned in the thread linked earlier, internal case CPANEL-1070 is open to report the false positive that appears when accessing "WHM >> Server Status >> Apache Status" with the OWASP ruleset enabled. We'll update that thread with more information on the status of that case as it becomes available.

Thank you.
 

Spork Schivago

Well-Known Member
Jan 21, 2016
corning, ny
cPanel Access Level
Root Administrator
cPanelMichael,

Do you know if CPANEL-1070 will add a proper header to the request to whm-server-status or if it'll just add / modify a ModSec conf file to disable the rules that show up in the log file?

Thanks.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
The case is still under review, so no determination on a change has been made at this time. However, the suggestion in the case is to add the necessary headers in the HTTP GET request for /whm-server-status.

Thank you.
 