SOLVED CPANEL-42469 - New cPanel installs ModSec Tools Hits empty/stopped

Operating System & Version
AlmaLinux 8
cPanel & WHM Version
108.0.12

indiemark

Member
Feb 22, 2023
10
2
3
canada
cPanel Access Level
DataCenter Provider
I have a couple of freshly installed cPanel servers on Alma8, pretty baseline, with only Softaculous added. Completed the Security Advisor (enabled mod Ruid2, Jailshell, etc.), running Nginx front end cache, Apache and PHP-FPM.

OWASP CRS v3.x for ModSec 2.9 (via pkg) ruleset installed on both. No hits showing in ModSec Tools. Actual ModSec logs in /var/logs/apache2 are there, and it "seems" to be working (saw a bunch of xmlrpc brute forcing driving up lavg, added a custom rule and it went away fairly quickly).

One of the servers did have some Hits from a few days ago (I think before I had enabled Ruid2 -- so might be related to that would be my guess).

How do I fix this? I saw that there was a conditional rule for different log types in the /etc/ apache config directory so I'm assuming it's "supposed" to work?

Thanks in advance!
 

indiemark

Yes. Usually (on another cPanel server I have that is not using Ruid but instead CloudLinux) there are lots of hits in the ModSec Tools area. Same rules are applied, so I should be seeing similar levels of hits from bots etc. But I see NOTHING on one of my new installs and only a couple of hours' worth of hits on the other (I had moved some sites before realising I should enable Ruid). I'm fairly certain it's RUID and the changes to the logs that have broken this, and that would link up anecdotally with the brief amount of hits in the log and other RUID/ModSec issues I've read about with cPanel from Google searches. Is there a troubleshooting guide I can go to for ModSec/RUID to make sure cPanel's UI is ingesting them properly? I "think" ModSec itself is working, and if I manually look at the logs that also seems to be the case, but I would like the visibility in cPanel so I can more easily identify false positives if I get customer complaints.
 

indiemark

So to be clearer maybe:

cPanel A -- has CloudLinux, no RUID enabled. ModSec Tools -> lots of hits listed, no problems.
cPanel B -- Alma, RUID enabled AFTER moving a few sites. ModSec Tools -> brief list of Hits from a few days back, but stopped when I enabled RUID in EA.
cPanel C -- Alma, RUID enabled right off the bat before moving sites. ModSec Tools -> Hits are empty.

All using the same OWASP ruleset, enabled. On cPanel B and C I've found the actual ModSec logs and it looks like there is action happening, just not reporting to cPanel GUI.
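
While the ModSec Tools hit list is empty, the audit log itself can be summarised to get the same visibility for false-positive triage. The following is an added example, not part of the original posts and not cPanel's own code: it assumes the ModSecurity 2.x native audit log format (`--id-A--` ... `--id-Z--` sections), and the function names, hostnames and rule ids in the embedded sample are constructed for illustration.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")
CLIENT = re.compile(r"^\[[^\]]+\] \S+ (\S+)")   # [timestamp] unique_id client_ip ...
RULE_ID = re.compile(r'\[id "(\d+)"\]')

# Constructed sample (not real traffic): two transactions, native audit format.
SAMPLE = """\
--1a2b3c4d-A--
[22/Feb/2023:10:15:01 +0000] Y_YxVAAAAAEAAAb1 203.0.113.7 51234 192.0.2.10 443
--1a2b3c4d-B--
POST /xmlrpc.php HTTP/1.1
Host: site-one.example
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 1). [id "1000001"] [msg "sample custom rule"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[22/Feb/2023:10:15:09 +0000] Y_YxXAAAAAEAAAb2 198.51.100.23 40022 192.0.2.10 443
--5e6f7a8b-B--
GET /?q=test HTTP/1.1
Host: site-two.example
--5e6f7a8b-H--
Message: Warning. [id "1000002"] [msg "sample rule A"]
Message: Access denied with code 403 (phase 2). [id "1000003"] [msg "sample rule B"]
--5e6f7a8b-Z--
"""

def parse_audit_log(text):
    """Return one dict per transaction: client IP, Host header, matched rule ids."""
    txns, section = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section = m.group(1)
            if section == "A":  # audit header opens a new transaction
                txns.append({"client": None, "host": None, "rules": []})
        elif not txns or not line.strip():
            continue  # preamble before the first transaction, or a blank line
        elif section == "A" and CLIENT.match(line):
            txns[-1]["client"] = CLIENT.match(line).group(1)
        elif section == "B" and line.lower().startswith("host:"):
            txns[-1]["host"] = line.split(":", 1)[1].strip()
        elif section == "H" and line.startswith("Message:"):
            txns[-1]["rules"] += RULE_ID.findall(line)
    return txns

def hits_per_host_and_rule(text):
    """Tally (Host header, rule id) pairs, the view needed to spot false positives."""
    return Counter((t["host"], r) for t in parse_audit_log(text) for r in t["rules"])
```

Pass the contents of an audit log file to `hits_per_host_and_rule()` and sort the counter with `most_common()` to see which rule fires most for which site.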