Apache Status page fails after 64 update

[SweptSquash]

Hi,

I just updated our server to cpanel 64.0.11 and noticed a few issues.

In WHM accessing the Apache Status page returns "Failed to receive status information from Apache."

Accessing PhpMyAdmin via a users cPanel account will either hang on "Loading..." or display a 403/404 Security Token Missing. Works ok via WHM.

 

[fuzzylogic]

I had the same symptoms when mod-security rules blocked requests
GET /whm-server-status/
from 127.0.0.1

The Apache Status page uses the GET /whm-server-status/ to get the info.
This can be fixed with one new rule so as to turn off the offending rules for this request only from 127.0.0.1 only.

The rule you need depends on which ruleset you are using, the new one or the old one.
The rule to use for the new OWASP3 ruleset is...

 # Rule to allow cPanel whm-server-status requests with missing mandatory headers.
#
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
"msg:'Matched 127.0.0.1 and matched whm-server-status. Disabling rules 920280 and 920350',\
phase:1,\
id:8888777,\
t:none,\
pass,\
nolog,\
chain"
SecRule REQUEST_FILENAME "@rx ^/whm-server-status$" \
"t:none,\
ctl:ruleRemoveById=920280,\
ctl:ruleRemoveById=920350"

To add it go to WHM=>Security Center=>Tools=>Rules=>Add Rule

All the rule IDs have changed between the old CRS and the new CRS.
If you still are using the old ruleset the other rule is posted here to fix that.

The other PHPMyAdmin looks like it may be modsecurity related also.
Look in WHM=>Security Center=>Tools Hits for more info.

 

[cPanelMichael]

Hello,

I'm unable to reproduce the issues you have reported on a test system, but it seems similar to the issue reported on the following thread:

217220 COMODO WAF: Request Missing a Host Header

Could you verify if the solution referenced on that thread helps?

Thank you.

 

[fuzzylogic]

The cause and the resolution to this problem depend on the mod-security rule set you are using.
To determine your ruleset...
Go to WHM=>Security Center=>Modsecurity Vendors
then post the name of the active Vendor Rule set.

Then go to WHM=>Security Center=>Tools
and do a search for whm-server-status

Post the rule numbers that are being triggered.

 

[cuzzmunger]

Hi There, I have just upgraded to cPanel & WHM 64.0 (build 18) and implemented OWASP ModSecurity Core Rule Set V3.0
as well as the core OWASP ModSecurity Core Rule Set.

I added the rule above but still can get apache status via WHM. I can get the status via ssh. Did I need to change anything in the rule for my server?

Any help appreciated. build below.

/etc/redhat-release:CentOS release 6.9 (Final)
/usr/local/cpanel/version:11.64.0.18
/var/cpanel/envtype:standard
CPANEL=release
Server version: Apache/2.4.25 (cPanel)
Server built:   Apr  7 2017 15:35:22
ea-php-cli Copyright 2016 cPanel, Inc.
PHP 7.0.18 (cli) (built: Apr 17 2017 14:19:18) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
mysql  Ver 15.1 Distrib 10.0.30-MariaDB, for Linux (x86_64) using readline 5.1

Cheers
Cuzz

 

[fuzzylogic]

Quote.
"implemented OWASP ModSecurity Core Rule Set V3.0
as well as the core OWASP ModSecurity Core Rule Set"

It makes no sense to have both rule sets enabled simultaneously.
Try with only the Core Rule Set V3.0 enabled.


While logged into WHM try to view Server Status => Apache Status
Then view Security Center => Tools and look or search for hits from 127.0.0.1
You will see the rules that have been triggered. (or an absence of triggered rules)

With this setup, even without the exception rule I would expect you could view Server Status => Apache Status, but it will record a non blocking log entry for rule 920280.

 

[cuzzmunger]

Thanks fuzzylogic,
I thought that might be the case having both running.
I disabled the old rule set and enabled the above rule and now getting the results for Apache Status.

Below is the result of having both running with or without the above rule.

2017-04-29 13:30:35     127.0.0.1    CRITICAL    403 
 949110: Inbound Anomaly Score Exceeded (Total Score: 8)
Request:    GET /whm-server-status/
Action Description:    Access denied with code 403 (phase 2).
Justification:    Operator GE matched 5 at TX:anomaly_score.

I'm still getting a WARNING

2017-04-29 13:39:05    127.0.0.1    WARNING    200  
 920280: Request Missing a Host Header  Hide
Request:    GET /whm-server-status/
Action Description:    Warning.
Justification:    Operator EQ matched 0 at REQUEST_HEADERS.

Should I worry about the warning?

Thanks again.

 

[fuzzylogic]

This is a legitimate and safe request from your server to itself, so it is nothing to worry about.
My server makes similar requests for three separate reasons.
1. Loading Apache Status page as you reported
2. Every 5 minutes WHM makes request to /whm-server-status
3. Every 5 minutes WHM Plugin Munin makes 3 requests to /whm-server-status?auto
These requests score 4 incoming anomaly points each time. The Default max incoming anomaly points is 5. So triggering one of these rules per request does not block that request.

What does happen though is that your modsec hits logs get many events logged which are of little use for you.

The exclusion rule I posted above will (for these requests only) turn off the 2 rules that are triggered.
This in turn will stop the log entries for these requests.

 

[cuzzmunger]

Cheers, Thank you.

 

[cPanelMichael]

Hello,

Note that as mentioned in the thread linked earlier, internal case CPANEL-1070 is open to report the false positive that appears when accessing "WHM >> Server Status >> Apache Status" with the OWASP ruleset enabled. We'll update that thread with more information on the status of that case as it becomes available.

Thank you.

 

[Spork Schivago]

cPanelMichael,

Do you know if CPANEL-1070 will add a proper header to the request to whm-server-status or if it'll just add / modify a ModSec conf file to disable the rules that show up in the log file?

Thanks.

 

[cPanelMichael]

cPanelMichael,

Do you know if CPANEL-1070 will add a proper header to the request to whm-server-status or if it'll just add / modify a ModSec conf file to disable the rules that show up in the log file?

Thanks.

The case is still under review, so no determination on a change has been made at this time. However, the suggestion in the case is to add the necessary headers in the HTTP GET request for /whm-server-status.

Thank you.

 

[Spork Schivago]

The case is still under review, so no determination on a change has been made at this time. However, the suggestion in the case is to add the necessary headers in the HTTP GET request for /whm-server-status.

Thank you.

Thank you!!!!!