SOLVED CPANEL-42469 - New cPanel installs ModSec Tools Hits empty/stopped

[indiemark]

I have a couple freshly installed cPanel servers on Alma8, pretty baseline only softaculous added. Completed the Security Advisor (enabled mod Ruid2, Jailshell, etc.) running Nginx front end cache, Apache and PHP-FPM.

OWASP CRS v3.x for ModSec 2.9 (via pkg) ruleset installed on both. No hits showing in ModSec tools. Actual ModSec logs in /var/logs/apache2 are there, and it "seems" to be working (saw a bunch of xmlrpc brute forcing driving up lavg, added custom rule and it went away fairly quickly.

One of the servers did have some Hits from a few days ago (I think before I had enabled Ruid2 -- so might be related to that would be my guess).

How do I fix this? I saw that there was a conditional rule for different log types in the /etc/ apache config directory so I'm assuming it's "supposed" to work?

Thanks in advance!

 

[cPRex]

Hey there! It's not completely clear to me what the question is - what are you trying to fix on the system? Are you expecting more ModSecurity logs to be happening?

 

[indiemark]

Yes. Usually (on another cPanel server I have that is not using Ruid but instead CloudLinux) there lots of hits in the ModSec Tools area. Same rules are applied, so I should be seeing similar levels of hits from bots etc. But I see NOTHING on one of my new installs and only a couple hours worth of hits on the other (I had moved some sites before realising I should enable Ruid). I'm fairly certain it's RUID and the changes to the logs that has broken this and that would link up anecdotally with the brief amount of hits in the log and other RUID/Modsec issues I've read about with cpanel from google searches. Is there a troubleshooting guide I can go to for Modsec/ruid to make sure cPanel's UI is ingesting them properly? I "think" ModSec itself is working, and if I manually look at the logs that also seems to be the case, but I would like the visibility in cPanel so I can more easily identify false positives if I get customer complaints.

 

[indiemark]

So to be clearer maybe:

Cpanel A -- has CloudLinux, no RUID enabled. ModSec Tools -> lots of hits listed no problems.
cPanel B -- Alma, RUID enabled AFTER moving a few sites. ModSec Tools -> brief list of Hits from a few days back but stopped when I enabled RUID in EA
cPanel C -- Alma, RUID enabled right off the bat before moving sites. ModSec Tools -> Hits are empty

All using the same OWASP ruleset, enabled. On cPanel B and C I've found the actual ModSec logs and it looks like there is action happening, just not reporting to cPanel GUI.

 

[cPRex]

I wonder if it's just related to the presence of RUID:

https://support.cpanel.net/hc/en-us/articles/4402130653207-Why-aren-t-ModSecurity-hits-being-logged-in-the-modsec-audit-directory-

 

[indiemark]

Agreed, that is the likely case. But I thought there were scripts or something to go and collect these logs so they showed up the ModSec Tools "hits" area?

 

[cPRex]

I found a more direct case that indicates our developers are already working on this issue:

https://support.cpanel.net/hc/en-us/articles/12670452534295-ModSecurity-Tools-hits-list-is-not-populating-when-using-mod-ruid2

so it's a known problem that we're addressing!

 

[cPRex]

Update - I have confirmed this will be fixed in version 110, and there is a backport request to version 102 in the development pipeline as well.

 

[cPRex]

Update - 110.0.0 and 108.0.14 have this resolved.