The Community Forums


Comodo, are there any tests

Discussion in 'Security' started by keat63, Oct 11, 2016.

  1. keat63

    keat63 Well-Known Member

    cPanel Access Level:
    Root Administrator
    I installed Comodo Mod security this morning, and disabled OWASP.
    When I look at my logs, I usually see some sort of Mod Security entry from OWASP every 15 minutes or so, but I've seen nothing from Comodo in over two hours.

    Maybe OWASP is over-zealous and has many false positives; however, to be sure that Comodo is indeed protecting me, are there any tests I can run?
     
  2. keat63

    keat63 Well-Known Member

    cPanel Access Level:
    Root Administrator
    After much digging, if I open the Apache error log, I can see examples of ModSec for Comodo being activated.
    It doesn't however seem to work in conjunction with CSF.
    So an attacker can keep coming back for more attacks.

    Am I missing something?
     
  3. linux4me2

    linux4me2 Well-Known Member

    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Are you running mod_ruid2 and jailing Apache vhosts? If so, that breaks all the Comodo rules that attempt to retain data, like IP addresses, and some of the rules (those that use initcol, setsid, and setuid) will not work. If that's the case, you should see the errors in the Apache error log that include "ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": No such file or directory".

    The other thing I noticed with Comodo is that it seemed to work much more reliably after I disabled the rules for software I don't have--and won't ever have--on the server.
     
  4. keat63

    keat63 Well-Known Member

    cPanel Access Level:
    Root Administrator
    I don't run mod_ruid2 as it won't run with suPHP, and I can't remember the exact reasons why I use suPHP.
    Probably something to do with the PHP version required to run one of the sites.

    I've no idea what jailing vhosts means.
    There's only me on this server; all the accounts are mine, all of which are in a jailed shell?

    When you mention software you'll never run, do you mean things like WordPress and Joomla?
     
  5. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    CSF parses the Apache error log. If it was banning people for repeat failures of OWASP rules, it will do the same with Comodo. Yes, Comodo is far less prone to false positive hits, so it will be "quieter" if run by itself.
     
    cPanelMichael likes this.
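The two mechanisms discussed above (CSF counting repeat ModSecurity denials per client IP in the Apache error log, and the `collections_remove_stale` DBM error that shows persistent collections are broken) can both be checked with a small log parser. This is an added example, not code from the thread or from CSF; the log lines are constructed, and the rule IDs and the threshold are assumed stand-ins for a real ruleset and for a CSF-style `LF_MODSEC` setting.

```python
import re
from collections import Counter

# Constructed Apache 2.4 error-log lines with ModSecurity entries (not real traffic).
# Rule IDs are placeholders, not Comodo's actual IDs.
SAMPLE_LOG = """\
[Tue Oct 11 09:01:02.100000 2016] [:error] [pid 2101] [client 203.0.113.5:51000] ModSecurity: Access denied with code 403 (phase 2). [id "900001"] [hostname "example.com"] [uri "/index.php"]
[Tue Oct 11 09:01:05.200000 2016] [:error] [pid 2101] [client 203.0.113.5:51002] ModSecurity: Access denied with code 403 (phase 2). [id "900002"] [hostname "example.com"] [uri "/index.php"]
[Tue Oct 11 09:01:09.300000 2016] [:error] [pid 2102] [client 203.0.113.5:51004] ModSecurity: Access denied with code 403 (phase 2). [id "900001"] [hostname "example.com"] [uri "/index.php"]
[Tue Oct 11 09:02:00.400000 2016] [:error] [pid 2103] [client 198.51.100.9:40000] ModSecurity: Access denied with code 403 (phase 2). [id "900001"] [hostname "example.com"] [uri "/wp-login.php"]
[Tue Oct 11 09:02:30.500000 2016] [:error] [pid 2104] [client 198.51.100.9:40002] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": No such file or directory [hostname "example.com"] [uri "/"]
"""

# A denial line: client IP (port optional, as Apache 2.4 appends it) plus the rule id.
DENIED_RE = re.compile(
    r'\[client (?P<ip>[0-9a-fA-F.:]+?)(?::\d+)?\] ModSecurity: Access denied.*?\[id "(?P<id>\d+)"\]'
)
# The symptom linux4me2 describes: persistent collection storage cannot be opened.
STALE_RE = re.compile(r'collections_remove_stale: Failed to access DBM file "(?P<path>[^"]+)"')


def parse_denials(log_text):
    """Return (client_ip, rule_id) for every ModSecurity 'Access denied' line."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("id")))
    return hits


def repeat_offenders(log_text, threshold=3):
    """IPs with at least `threshold` denials: the condition a CSF-style
    LF_MODSEC trigger would act on (threshold value is an assumption)."""
    counts = Counter(ip for ip, _ in parse_denials(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def collection_errors(log_text):
    """DBM paths ModSecurity failed to open; any result means rules that rely
    on initcol/setsid/setuid are not retaining state and should be investigated."""
    return sorted({m.group("path") for m in STALE_RE.finditer(log_text)})


if __name__ == "__main__":
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
    print("collection errors:", collection_errors(SAMPLE_LOG))
```

Run it against `/usr/local/apache/logs/error_log` (or whatever path your build uses) instead of `SAMPLE_LOG` to see whether Comodo denials are reaching the threshold CSF acts on.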
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
  7. keat63

    keat63 Well-Known Member

    cPanel Access Level:
    Root Administrator
    I did a number of updates last night, so I had to check my logs thoroughly this morning, and I can see a few CSF entries for Comodo.
    Maybe the server reboots kick-started something, or maybe it had just been a quiet day.
     
  8. linux4me2

    linux4me2 Well-Known Member

    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Yes, that's exactly what I mean. There are also going to be rules for old versions of software you know you're not going to be using. Those can be disabled too. If you disable all the rules for software you're not using, you will boost the performance of the Comodo rules and reduce the risk of false positives. If you decide to do so, start from the last page and work your way forward; otherwise, it's easy to miss rules as the pages change. Once you've cleaned out all the extraneous rules, just periodically check to see if Comodo has added any you don't need.

    You might want to run Security Center -> Security Advisor and see what pops up. If you're not running mod_ruid2, you'll likely get a message about symlink race protection that includes the links to explain what jailing Apache vhosts is all about.
     
  9. hrace009

    hrace009 Well-Known Member

    Location:
    Root
    cPanel Access Level:
    Root Administrator
    I am using Comodo on my server, and it seems good until now.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello @hrace009,

    Could you provide some more information about what's not working?

    Thanks!
     
  11. hrace009

    hrace009 Well-Known Member

    Location:
    Root
    cPanel Access Level:
    Root Administrator
    I didn't say it's not working; I just told the topic starter that I am using the Comodo rule set, and it has run fine until now.
     
    cPanelMichael likes this.