Apache Status page fails after 64 update

Discussion in 'General Discussion' started by SweptSquash, Apr 11, 2017.

  1. SweptSquash

    SweptSquash Member

    Hi,

    I just updated our server to cpanel 64.0.11 and noticed a few issues.

    In WHM accessing the Apache Status page returns "Failed to receive status information from Apache."

    Accessing PhpMyAdmin via a user's cPanel account will either hang on "Loading..." or display a 403/404 Security Token Missing. Works OK via WHM.
     
  2. fuzzylogic

    fuzzylogic Active Member

    I had the same symptoms when mod-security rules blocked requests
    GET /whm-server-status/
    from 127.0.0.1

    The Apache Status page uses the GET /whm-server-status/ to get the info.
    This can be fixed with one new rule that turns off the offending rules for this request only, and only from 127.0.0.1.

    The rule you need depends on which ruleset you are using, the new one or the old one.
    The rule to use for the new OWASP3 ruleset is...
    Code:
    # Rule to allow cPanel whm-server-status requests with missing mandatory headers.
    # The optional trailing slash ("/?") also covers the "GET /whm-server-status/" form of the request.
    #
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
    "msg:'Matched 127.0.0.1 and matched whm-server-status. Disabling rules 920280 and 920350',\
    phase:1,\
    id:8888777,\
    t:none,\
    pass,\
    nolog,\
    chain"
    SecRule REQUEST_FILENAME "@rx ^/whm-server-status/?$" \
    "t:none,\
    ctl:ruleRemoveById=920280,\
    ctl:ruleRemoveById=920350"
    To add it go to WHM=>Security Center=>Tools=>Rules=>Add Rule

    All the rule IDs have changed between the old CRS and the new CRS.
    If you still are using the old ruleset the other rule is posted here to fix that.

    The other issue, with PHPMyAdmin, looks like it may be modsecurity related also.
    Look in WHM=>Security Center=>Tools Hits for more info.
     
    #2 fuzzylogic, Apr 12, 2017
    Last edited: Apr 12, 2017
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I'm unable to reproduce the issues you have reported on a test system, but it seems similar to the issue reported on the following thread:

    217220 COMODO WAF: Request Missing a Host Header

    Could you verify if the solution referenced on that thread helps?

    Thank you.
     
  4. fuzzylogic

    fuzzylogic Active Member

    The cause and the resolution to this problem depend on the mod-security rule set you are using.
    To determine your ruleset...
    Go to WHM=>Security Center=>Modsecurity Vendors
    then post the name of the active Vendor Rule set.

    Then go to WHM=>Security Center=>Tools
    and do a search for whm-server-status

    Post the rule numbers that are being triggered.
     
  5. cuzzmunger

    cuzzmunger Member

    Hi There, I have just upgraded to cPanel & WHM 64.0 (build 18) and implemented OWASP ModSecurity Core Rule Set V3.0
    as well as the core OWASP ModSecurity Core Rule Set.

    I added the rule above but still can get apache status via WHM. I can get the status via ssh. Did I need to change anything in the rule for my server?

    Any help appreciated. build below.

    Code:
    /etc/redhat-release:CentOS release 6.9 (Final)
    /usr/local/cpanel/version:11.64.0.18
    /var/cpanel/envtype:standard
    CPANEL=release
    Server version: Apache/2.4.25 (cPanel)
    Server built:   Apr  7 2017 15:35:22
    ea-php-cli Copyright 2016 cPanel, Inc.
    PHP 7.0.18 (cli) (built: Apr 17 2017 14:19:18) ( NTS )
    Copyright (c) 1997-2017 The PHP Group
    Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    mysql  Ver 15.1 Distrib 10.0.30-MariaDB, for Linux (x86_64) using readline 5.1
    Cheers
    Cuzz
     
    #5 cuzzmunger, Apr 28, 2017
    Last edited by a moderator: Apr 28, 2017
  6. fuzzylogic

    fuzzylogic Active Member

    Quote.
    "implemented OWASP ModSecurity Core Rule Set V3.0
    as well as the core OWASP ModSecurity Core Rule Set"

    It makes no sense to have both rule sets enabled simultaneously.
    Try with only the Core Rule Set V3.0 enabled.


    While logged into WHM try to view Server Status => Apache Status
    Then view Security Center => Tools and look or search for hits from 127.0.0.1
    You will see the rules that have been triggered. (or an absence of triggered rules)

    With this setup, even without the exception rule, I would expect you could view Server Status => Apache Status, but it will record a non-blocking log entry for rule 920280.
     
  7. cuzzmunger

    cuzzmunger Member

    Thanks fuzzylogic,
    I thought that might be the case having both running.
    I disabled the old rule set and enabled the above rule and now getting the results for Apache Status.

    Below is the result of having both running with or without the above rule.
    Code:
    2017-04-29 13:30:35     127.0.0.1    CRITICAL    403 
     949110: Inbound Anomaly Score Exceeded (Total Score: 8)
    Request:    GET /whm-server-status/
    Action Description:    Access denied with code 403 (phase 2).
    Justification:    Operator GE matched 5 at TX:anomaly_score.
    I'm still getting a WARNING
    Code:
    2017-04-29 13:39:05    127.0.0.1    WARNING    200  
     920280: Request Missing a Host Header
    Request:    GET /whm-server-status/
    Action Description:    Warning.
    Justification:    Operator EQ matched 0 at REQUEST_HEADERS.
    Should I worry about the warning?

    Thanks again.
     
    #7 cuzzmunger, Apr 28, 2017
    Last edited: Apr 28, 2017
  8. fuzzylogic

    fuzzylogic Active Member

    This is a legitimate and safe request from your server to itself, so it is nothing to worry about.
    My server makes similar requests for three separate reasons.
    1. Loading Apache Status page as you reported
    2. Every 5 minutes WHM makes a request to /whm-server-status
    3. Every 5 minutes WHM Plugin Munin makes 3 requests to /whm-server-status?auto
    These requests score 4 incoming anomaly points each time. The Default max incoming anomaly points is 5. So triggering one of these rules per request does not block that request.

    What does happen though is that your modsec hits logs get many events logged which are of little use for you.

    The exclusion rule I posted above will (for these requests only) turn off the 2 rules that are triggered.
    This in turn will stop the log entries for these requests.
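
The match logic of the exclusion rule posted earlier in this thread, modeled as an added example (not code from the thread or from cPanel), run against the request forms mentioned here with an anchored pattern that does and does not allow a trailing slash. Assumptions: REQUEST_FILENAME is approximated as the URI path without the query string, the sample requests are constructed, the function names are hypothetical, and the scores 4 and 8 and the threshold 5 are the figures quoted in the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

EXCLUDED_RULES = (920280, 920350)     # rule IDs the thread's exclusion removes
INBOUND_THRESHOLD = 5                 # default inbound threshold quoted in the thread

STRICT = r"^/whm-server-status$"      # no trailing slash allowed
SLASH_OK = r"^/whm-server-status/?$"  # trailing slash optional

# Constructed sample requests: (REMOTE_ADDR, request URI)
SAMPLES = [
    ("127.0.0.1", "/whm-server-status/"),
    ("127.0.0.1", "/whm-server-status"),
    ("127.0.0.1", "/whm-server-status?auto"),
    ("127.0.0.1", "/whm-server-status-old"),
    ("203.0.113.7", "/whm-server-status/"),
]

def request_filename(uri):
    """Approximate REQUEST_FILENAME: the URI path without the query string."""
    return urlsplit(uri).path

def exclusion_applies(remote_addr, uri, pattern, allowed="127.0.0.1"):
    """Both chain links must match: @ipMatch on REMOTE_ADDR, then @rx on the path."""
    if ipaddress.ip_address(remote_addr) not in ipaddress.ip_network(allowed):
        return False
    return re.search(pattern, request_filename(uri)) is not None

def coverage(pattern):
    """Sample requests for which the two rules would be switched off."""
    return [s for s in SAMPLES if exclusion_applies(s[0], s[1], pattern)]

def evaluate(remote_addr, uri, pattern, score):
    """Return (rules still evaluated, blocked?); `score` is the anomaly score
    the request accumulates when the exclusion does not apply."""
    if exclusion_applies(remote_addr, uri, pattern):
        return (), False
    return EXCLUDED_RULES, score >= INBOUND_THRESHOLD

if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("slash-ok", SLASH_OK)):
        print(name, [uri for _, uri in coverage(pat)])
    print(evaluate("127.0.0.1", "/whm-server-status/", STRICT, 4))  # logged, not blocked
    print(evaluate("127.0.0.1", "/whm-server-status/", STRICT, 8))  # logged and blocked
```

The same check is worth repeating whenever an exclusion is edited: it should match every local form of the status request and nothing from other addresses or neighbouring paths.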
     
  9. cuzzmunger

    cuzzmunger Member

    Cheers, Thank you.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Note that as mentioned in the thread linked earlier, internal case CPANEL-1070 is open to report the false positive that appears when accessing "WHM >> Server Status >> Apache Status" with the OWASP ruleset enabled. We'll update that thread with more information on the status of that case as it becomes available.

    Thank you.
     
  11. Spork Schivago

    Spork Schivago Well-Known Member

    cPanelMichael,

    Do you know if CPANEL-1070 will add a proper header to the request to whm-server-status or if it'll just add / modify a ModSec conf file to disable the rules that show up in the log file?

    Thanks.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The case is still under review, so no determination on a change has been made at this time. However, the suggestion in the case is to add the necessary headers in the HTTP GET request for /whm-server-status.

    Thank you.
     
  13. Spork Schivago

    Spork Schivago Well-Known Member

    Thank you!!!!!
     