COMODO WAF broken after EA3 to EA4 update.

Discussion in 'EasyApache' started by 01i, May 30, 2017.

  1. 01i

    01i Member

    After updating from EA3 to EA4 I received an email from cPanel saying

    "The EasyApache 4 migration found Apache Include directives in the ModSecurity 2 user configuration file, modsec2.user.conf. To ensure that your web server continues to function correctly, the system commented out these directives. You must review your ModSecurity 2 configuration and verify your Include directive paths."


    I attempted to access the COMODO cPanel plugin post-update, but received a 500 error, with the message

    "No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/addon_cwaf.cgi): The subprocess reported error number 2 when it ended".

    Checking the /usr/local/cpanel/logs/error_log, the following error was displayed

    "can't read config /usr/local/apache/conf/modsec2.conf at /var/cpanel/cwaf/modules/CPAN/lib/Comodo/CWAF/ModSecurity.pm"

    I checked /usr/local/apache/conf, and there was no modsec2.conf file in there at all.

    I thought that I'd try removing and then re-adding the COMODO rules, so removed the Vendor in cPanel. It turns out that didn't actually do anything for me at all other than no longer have COMODO listed as a Vendor. I ended up grabbing the cwaf_client_install.sh from the COMODO WAF site, and went through the installation again.

    The install was "successful" and I can see (and access) the plugin again, but the Vendor also was not re-added during the install, so I hunted down the yaml file and now I have the vendor visible and the plugin accessible.

    Everything should work now, but it doesn't.

    In the plugin, if I enter my COMODO WAF username and password and try to schedule Rules Updates, I get an error "Error! Request to server failed". Likewise, if I try changing anything in the plugin, it 'seems' to change, but if I go back in, nothing has actually changed after all. Anything I enabled is disabled again, anything I disabled is enabled again.

    So the plugin is installed, but doesn't actually seem to be interacting with modsecurity on the server.

    Likewise, the Vendor tab is broken too. According to the Vendors tab only 1/34 sets are listed as being included (completely different to the 9/9 listed in the plugin). However if I try to enable them from that screen, I get an error:

    "The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 22 of /var/cpanel/cwaf/rules/00_Init_Initialization.conf:
    ModSecurity: Found another rule with the same id"


    Basically I seem to have two ways to modify the modsecurity rules, but neither function :(

    At this point I've probably already lost the user configured rules that I had previously set up in ea3. The upgrade process apparently commented them out, but I never found where they were stored. I can live with the loss of a couple of custom rules, but really need to fix the COMODO WAF vendor and plugin.

    Can somebody guide me through successfully uninstalling and cleaning all traces to a clean state with no enabled modsecurity at all, so that I can reinstall the COMODO WAF Vendor and Plugin and have them work again?

    Or will I need to log a ticket?
     
  2. NixTree

    NixTree Well-Known Member

    Do you still have a valid subscription at the Comodo WAF login? Please check and confirm that first.

    To fix the 500 error, I also ended up removing and installing the same again, but have not tested the same in EA4.

    To uninstall properly, did you use the steps below?

    ====
    To uninstall CWAF for cPanel just run this script:

    bash /var/cpanel/cwaf/scripts/uninstall_cwaf.sh
    =====

    If not, try that and then reinstall the same and see if that works.
     
  3. HostXNow_Chris

    HostXNow_Chris Registered

    With EasyApache 4, you can easily install Comodo WAF rules by adding them in

    Home » Security Center » ModSecurity™ Vendors » Manage Vendors

    Use:
    Code:
    https://waf.comodo.com/doc/meta_comodo_apache.yaml
     
  4. 01i

    01i Member

    NixTree, I've definitely got an active COMODO WAF account, I logged in to it while I was hunting down the installation instructions, and it was required during the re-install of the plugin. Thanks for letting me know about that uninstall script.

    Chris, thanks, but as mentioned in the post, I already reinstalled the Vendor and it was non-functional like the plugin. Prior to migrating to EA4 both Vendor and plugin were installed and functional.

    -----

    To get to a fresh slate, I've uninstalled the Vendor and plugin.

    However, in "ModSecurity Tools -> Rules List", even after removing both COMODO installs, I have 63 rules listed. I'm beginning to think that the reason why neither vendor nor plugin could update the rules is because some part of the ea3 to ea4 migration disconnected COMODO from its own rules, and both were failing because they were trying to re-add rules with the same ID as rules already in the system.

    I might be wrong though, those 63 rules could be default rules that come with modsecurity for all I know. I don't want to just delete them, but I'd like to get back to a default modsecurity install before I re-add the Vendor and then reinstall the plugin.

    I believe I'm pretty safe in my assumption that the following two rules are "default" rules that need to stay:

    # Deprecated due to security issues so it should be off: ModSecurity Blog: Transformation Caching Unstable, Fixed, But Deprecated
    SecCacheTransformations Off

    # Include /usr/local/apache/conf/modsec2.whitelist.conf
    Include /etc/apache2/conf.d/modsec2.whitelist.conf

    ** That link is actually a commented url that the boards have converted


    Can anyone point me to a list of rules that should be installed by default on cPanel, when there are no active Vendors? Either that, or take a quick peek at my leftOverRules.txt and let me know if the rest are all leftovers from COMODO or not.
     


  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    cPanel does not include any Mod_Security rules by default. You can edit and remove any existing rules if you'd like to start fresh by removing any lines in the interface at "WHM >> ModSecurity Tools >> Rules List >> Edit Rules".

    Thank you.
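
The "Found another rule with the same id" error in the first post, and the leftover-rules theory in the fourth, can be checked before anything is deleted by listing which rule ids are defined more than once and in which files. The script below is an added example, not part of the thread and not cPanel or COMODO code; the sample rule text and ids are constructed, and only the file names come from the thread.

```python
import re
import sys
from collections import defaultdict

DIRECTIVE = re.compile(r'^\s*(?:SecRule|SecAction)\b', re.I)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
RULE_ID = re.compile(r"(?:^|,)\s*id\s*:\s*'?(\d+)", re.I)

def logical_lines(text):
    """Yield (first line number, text), folding backslash continuations."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        buf.append(raw.rstrip().rstrip('\\'))
        if not raw.rstrip().endswith('\\'):
            yield start, ' '.join(buf)
            buf = []
    if buf:
        yield start, ' '.join(buf)

def find_duplicate_ids(configs):
    """configs maps file name -> text; returns {id: [(file, line), ...]} for ids defined more than once."""
    seen = defaultdict(list)
    for name, text in configs.items():
        for lineno, line in logical_lines(text):
            if not DIRECTIVE.match(line):  # skips comments, SecRuleRemoveById, etc.
                continue
            args = QUOTED.findall(line)
            actions = args[-1] if args else line.split()[-1]  # action list is the last argument
            m = RULE_ID.search(actions)
            if m:
                seen[int(m.group(1))].append((name, lineno))
    return {i: locs for i, locs in seen.items() if len(locs) > 1}

# Constructed sample input: file names follow the thread, rule bodies and ids are made up.
SAMPLE = {
    "/var/cpanel/cwaf/rules/00_Init_Initialization.conf":
        'SecAction \\\n    "id:900001,phase:1,nolog,pass,setvar:tx.sample=1"\n'
        'SecRule REQUEST_URI "@contains /sample" "id:900002,phase:1,pass,nolog"\n',
    "modsec2.user.conf":
        '# leftover copy of a vendor rule\n'
        'SecAction "id:900001,phase:1,nolog,pass,setvar:tx.sample=1"\n'
        'SecRuleRemoveById 900002\n',
}

if __name__ == "__main__":
    paths = sys.argv[1:]
    configs = {p: open(p, errors="replace").read() for p in paths} if paths else SAMPLE
    for rule_id, locs in sorted(find_duplicate_ids(configs).items()):
        print(rule_id, ", ".join(f"{f}:{n}" for f, n in locs))
```

Run it with the rule files to compare as arguments; with no arguments it reports the one collision in the constructed sample.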
     