Centos 8 - mod_security v3 not working custom rules

[vacancy]

I'm running tests on Centos 8.2 and Cpanel v92. When I install mod_security v3 and want to add custom rules from the edit rules section, I see the following error. None of the SecConnEngine, SecRuleEngine, SecRule codes are recognized.

Error: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 1 of /etc/apache2/conf.d/modsec/modsec2.user.conf: Invalid command 'SecConnEngine', perhaps misspelled or defined by a module not included in the server configuration

Error: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 1 of /etc/apache2/conf.d/modsec/modsec2.user.conf: Invalid command 'SecRuleEngine', perhaps misspelled or defined by a module not included in the server configuration

Error: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 1 of /etc/apache2/conf.d/modsec/modsec2.user.conf: Invalid command 'SecRule', perhaps misspelled or defined by a module not included in the server configuration

 

[fuzzylogic]

If I saw these errors in the circumstances you describe and if modsec was working properly with OWASP3 ruleset prior to the addition of custom rules I would be almost certain that the cause would be a syntax error in one of my custom rules.

To troubleshoot this...
1) Delete (NOT disable) all your custom rules. If you disable them they remain in place continuing to feed the syntax error to the Apache configuration.

2) Add back your one of your custom rules. Select the Deploy and Restart checkbox, then click the Save button.
If Apache restarts without error then the custom rule you just added does not contain the syntax error.

3) Continue adding one rule at a time then Select the Deploy and Restart checkbox, then click the Save button.
Once you identify the custom rule with the syntax error then repair the syntax or stop using that rule.

 

[vacancy]

Hi

OWASP3 rules are not installed, all of these rules are the codes I used in mod_security v2. Even though I ran the rules one by one, nothing changed.

Even when I use the "SecConnEngine On" rule alone, I see the same error.

 

[fuzzylogic]

Sorry, I'm not yet up on the differences between setting up mod_security v3.x and mod_security v2.

Is cPanel's implementation of Mod-security even aware of the different setup?

It's mentioned here...
at Trustwave
that mod_security v3.x requires an Apache connector middleware rather than the Apache Module used by < version mod_security v2.8.
and the github project for the Apache connector middleware says that other configuration is required. For instance...

Usage
libModSecurity for Apache extends your configuration directives. In order to load the module into Apache add the following directive to your Apache configuration:

LoadModule security3_module modules/mod_security3.so

And needs the following dierectives in Apache config...

modsecurity on
modsecurity_rules_file /etc/my_modsecurity_rules.conf;

Your experiments are in advance of my own so I'll leave you to it from here on.
Would be good to read of your pathway to success when you achieve it.

 

[vacancy]

Nothing has changed.

Error:
The “/usr/sbin/httpd -DSSL -t -f /etc/apache2/conf.d/includes/pre_main_global.conf.tmp.cfgcheck -C Include "/etc/apache2/conf.modules.d/*.conf"” command (process 6424) reported error number 1 when it ended. Configuration problem detected on line 2 of file /etc/apache2/conf.d/includes/pre_main_global.conf.tmp: Failed to open the file: /etc/my_modsecurity_rules.conf;\n --- /etc/apache2/conf.d/includes/pre_main_global.conf.tmp --- 1modsecurity on 2 ===> modsecurity_rules_file /etc/my_modsecurity_rules.conf; <=== --- /etc/apache2/conf.d/includes/pre_main_global.conf.tmp --

 

[cPRex]

Much better reply from Dan below :D

 

[cPDan]

Hello @vacancy ,

Thank you for trying out the experiment mod sec 3.0 and beta (alpha really) Apache connector for it. To help resolve your problem there are some quirks w/ mod sec 3.0 and its apache connector that are not intuitive when first coming from mod_security2 land.

1. The use of pre_main_global.conf to load the module or enable it is a red herring. If you install ea-modsec0-connector-apache24 it puts all of that in place for you.
2. The 3.0 apache connector does not support the same config syntax as 2.9:
   1. if you normally did `SecFoo bar` in the user.conf you now have to `modsecurity_rules 'SecFoo Bar'`
   2. if you normally did "Include …/rulesfile.conf" you now have to `modsecurity_rules_file "…/rulesfile.conf"`
   3. not all 2.9 directives are supported in 3.0
   4. the ones that are may behave differently
   5. its some trial and error because their documentation has only been partially updated to match reality

HTH!

For reference in case it helps anyone:

cPanel docs ➜ ModSecurity® 3 | cPanel & WHM Documentation
Mod Security 3 repo (readme is pretty good) ➜ SpiderLabs/ModSecurity
Mod Security wiki ➜ SpiderLabs/ModSecurity

 

[splaquet]

I use Imunify360, so this solution might not be for everyone... but, after installing CloudLinux, I also kept having Apache crashing on me. I had the same error messages.

here was my solution... and upon completion, Apache restarted itself:

yum remove ea-apache24-mod_security2 -y