
ConfigServer ModSecControl Questions

Discussion in 'Security' started by Marlon Owen Cruz, May 27, 2015.

  1. Marlon Owen Cruz

    Hi,

    I have just submitted a support ticket before I saw this thread. I thought this is related so I'd like to post it here to get an answer.

    ================
    Hi,

    For a long time, we have been using CMC on our servers with gotroot rules. In recent cPanel updates, we found out that some old configurations for CMC have ceased to work, i.e. the domain-level whitelisting function, which by the way is very handy in a shared hosting environment, in case a certain rule creates a conflict for only one domain and is good to keep active for the rest of the domains.

    cPanel does not provide a way to disable cPanel's ModSec Tools (CMT) via WHM, and it has to be done manually I believe, which I am not confident about. The existence of CMT creates a conflict with the CMC configuration and results in a lot of invalid errors, i.e. screenshot: prntscr.com/79vntm

    Also this

    [Wed May 27 16:48:27.224797 2015] [:error] [pid 646798] [client 120.29.65.82] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname ""] [uri "/wp-content/plugins/jetpack/modules/wpgroho.js"] [unique_id "VWWE23dRoNwACd6O4T8AAAAE"]

    I can't find a conclusive workaround to solve this, even on the forum; other cPanel users are complaining about similar issues:

    http://forum.configserver.com/viewtopic.php?f=30&t=8505

    Having said this, because of CMC's flexibility and ease of use plus straightforward integration with ConfigServer Exploit Scanner, I am inclined to stick with CMC unless I can get a good explanation about using CMT.

    Having said that, what do you suggest?

    In case I prefer to stick with CMC, can you share with me a way to disable CMT as if it doesn't exist, so that it does not create a conflict with the CMC configuration and rules?

    Thank you very much,

    Owen
     
    #1 Marlon Owen Cruz, May 27, 2015
    Last edited by a moderator: May 27, 2015
  2. Marlon Owen Cruz

    Now, concerning CMC features, I'd like to take note of the following.

    - CMC allows global or domain-level whitelisting of rules. Screenshot: prntscr.com/79zawc
    - Log entries can be expanded in greater depth/detail, which allows quick analysis without having to log in and check logs.
    - Seamless integration with ConfigServer Exploit Scanner (a very useful security tool which cPanel does not have yet)
     


    #2 Marlon Owen Cruz, May 27, 2015
    Last edited by a moderator: May 27, 2015
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Please keep in mind that ConfigServer develops these applications. They will need to update their application in order to work with newer versions of cPanel. I suggest continuing to consult with them through their support channels regarding this issue.

    Thank you.
     
  4. dalem

    dalem Well-Known Member
    PartnerNOC

    run this command and it should start working again

     
  5. Marlon Owen Cruz

    Thank you for the information, guys.

    I installed the cPanel OWASP rules last night, and this morning we got a bunch of tickets requesting to unblock their IPs because they've been blocked by the firewall due to OWASP false positive triggers.

    I wonder if cPanel ran a comprehensive test of these rules on a shared hosting environment. I'm thinking it would be best if cPanel could come up with a whitelisted rule database ideal for shared hosting. It's very tedious to be attending to blocking-related tickets due to false positives.

    Screenshot: - Removed -
     
    #5 Marlon Owen Cruz, May 30, 2015
    Last edited by a moderator: May 31, 2015
  6. Marlon Owen Cruz

    I have just whitelisted two rules that are triggering false positives.

    Rule IDs: 981205 and 970901
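
A triage sketch for the false positives discussed in this thread, added here as an example and not code from any poster, cPanel or ConfigServer: it parses ModSecurity error-log lines and reports, per rule ID, whether the hits come from a single domain (a candidate for domain-level whitelisting) or from several (a candidate for global review). The sample lines, hostnames and the three-domain threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Apache 2.4 / ModSecurity 2.x error-log shape quoted
# in the thread; IPs, hostnames, paths and messages are made up for illustration.
_P = "[Sat May 30 09:12:01.100000 2015] [:error] [pid 101] [client 203.0.113.10] "
SAMPLE_LOG = "\n".join([
    _P + 'ModSecurity: Warning. Constructed message. [id "981205"] [hostname "shop.example.com"] [uri "/cart.php"]',
    _P + 'ModSecurity: Warning. Constructed message. [id "981205"] [hostname "blog.example.org"] [uri "/wp-login.php"]',
    _P + 'ModSecurity: Warning. Constructed message. [id "981205"] [hostname "mail.example.net"] [uri "/"]',
    _P + 'ModSecurity: Warning. Constructed message. [id "970901"] [hostname "blog.example.org"] [uri "/feed/"]',
    _P + 'ModSecurity: collections_remove_stale: Failed to access DBM file "/tmp/ip": Permission denied [hostname ""] [uri "/a.js"]',
    _P + "constructed non-ModSecurity line",
])

# Metadata fields look like [key "value"]; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the [key "value"] fields of one ModSecurity line, or None."""
    if "ModSecurity:" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("ModSecurity:", 1)[1]))


def triage(log_text, global_threshold=3):
    """Map rule id -> (scope, hostnames); also count lines carrying no rule id."""
    hosts_by_rule = defaultdict(set)
    no_rule_id = 0
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        if "id" not in fields:
            # Engine errors (e.g. the DBM "Permission denied" line) are not
            # rule hits; whitelisting a rule cannot make them go away.
            no_rule_id += 1
            continue
        hosts_by_rule[fields["id"]].add(fields.get("hostname", ""))
    report = {}
    for rule_id, hosts in hosts_by_rule.items():
        scope = "global" if len(hosts) >= global_threshold else "domain"
        report[rule_id] = (scope, sorted(hosts))
    return report, no_rule_id


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
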
     
  7. dalem

    dalem Well-Known Member
    PartnerNOC

    run comodo wap here, very few false positives
    the OWASP is a third party, use at your own risk, not really cpanel's job to police OWASP
     
  8. Marlon Owen Cruz

    Hi Dalem,

    Thanks for the update. I'll try COMODO then. Aside from the rules I blocked yesterday, I'm seeing a bunch of other false positives today.

    About OWASP and cPanel, I do know that OWASP is independent, but what I'm thinking is that since cPanel has included OWASP as an optional rule vendor by default, it would be great if cPanel could at least maintain a database of rules that aren't ideal in a shared hosting environment, so that users like myself will not have to go through a bunch of testing just to know which rules work and which do not. Then, we can simply have all those rules whitelisted or disabled.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    A "Report this hit" option is available on the ModSecurity Tools page when “More” is pulled down. It's important to use this feature if you want to alert the vendor about which rules are not suitable for a shared hosting environment.

    Thank you.
     