cPanel's implementation of Mod_Security

ottdev

Well-Known Member
Oct 1, 2013
cPanel Access Level
Root Administrator
1. If one enables the OWASP ruleset provided by cPanel, how does it affect the default ruleset in the module - do they run side by side, with different numbering - and would each vendor generally use non-conflicting numbers? Or does OWASP replace the module's defaults when enabled via WHM?

2. The mention in the cPanel docs
OWASP renumbered the configuration files in 2016. We strongly recommend that you update your rulesets
How does one tell WHAT YEAR is installed - or which version - and can you include mention of that corresponding version number as well in the docs, please?

3. Presently we have update=ON. If that is OFF, does it disable only the actual automatic updating but still check if an update is compatible with the server's current Apache version and will show a note there in the vendor page or it will be included in security recommendations? Or does turning update=OFF cause it to not even check at all?
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
1. If one enables the OWASP ruleset provided by cPanel, how does it affect the default ruleset in the module
The Apache module (that is ModSecurity for Apache/2.9.2) is an interpreter for the modsecurity rule language.
It has no rules inherent in it.
If you have no rule sets enabled in Home » Security Center » ModSecurity™ Vendors » Manage Vendors, then no rules are being processed.
If you have a rule set enabled please copy its full name into your next post.
Please copy the full name of "the OWASP ruleset" you are asking about enabling.
To check the Apache Module modsecurity version number run the ssh command...
Code:
grep -i 'ModSecurity for Apache' /usr/local/apache/logs/error_log
It should return something like...
[Wed Aug 01 18:17:24.640083 2018] [:notice] [pid xx:tid xx] ModSecurity for Apache/2.9.2 (modsecurity.org) configured.
Apache logs the version to the error_log when it restarts.

2. The mention in the cPanel docs
OWASP renumbered the configuration files in 2016. We strongly recommend that you update your rulesets
If your server was provisioned before 2016/2017 then the older version of the owasp ruleset from before the renumbering would have been available (but not enabled by default) in the Home » Security Center » ModSecurity™ Vendors » Manage Vendors section of WHM (named OWASP rule set).

After the renumbering a newer version of the ruleset named "OWASP ModSecurity Core Rule Set V3.0" also became available in Home » Security Center » ModSecurity™ Vendors » Manage Vendors section of WHM

So cPanel recommended that the older OWASP ruleset be disabled and OWASP ModSecurity Core Rule Set V3.0 be enabled, explaining the quote in your point 2.

3. If you turn on Update for a ruleset (say for instance OWASP ModSecurity Core Rule Set V3.0), then if you ALSO have cPanel Autoupdate turned on, then when upcp runs (once a day) the ruleset yaml file will be checked. If the distribution name-number has changed since last check, it will download the new ruleset zip file.
If you have cPanel Autoupdate turned off then the ruleset yaml file would only be checked when you ran cPanel Update manually.

If you set Update OFF for a ruleset it will not check at all.

upcp runs the command /usr/local/cpanel/scripts/modsec_vendor update --auto
You can run it manually any time to see if/how it is working.
Code:
/usr/local/cpanel/scripts/modsec_vendor update --auto
[2018-08-10 21:33:38 +1000] info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
[2018-08-10 21:33:38 +1000] info [modsec_vendor] You have not enabled the vendor "OWASP3". The vendor will not receive automatic updates.
[2018-08-10 21:33:38 +1000] info [modsec_vendor] You have not enabled the vendor "comodo_apache". The vendor will not receive automatic updates.
[2018-08-10 21:33:39 +1000] info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
[2018-08-10 21:33:40 +1000] info [modsec_vendor] The vendor "configserver" is already up to date.
OWASP3 and comodo_apache have updates turned OFF (they are not enabled either)
configserver had updates turned on, it checked the yaml file and the distribution had not changed.

Compatibility for a ruleset is not with the Apache version, but with the modsecurity Apache Module version.
It is/should be handled in the yaml file providing a different ruleset download url for each likely version of modsecurity Apache Module to be encountered. This will make more sense if you read a yaml file...
Code:
http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml
Might be a good time to manage your expectations too.
OWASP CRS is a generic rule set.
It has rules designed to detect generic attack vectors such as sql injection or directory traversal for instance.
It has no specific rules for any known or published web application vulnerabilities.
So updates are infrequent and not in direct response to newly found vulnerabilities.
 
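The two checks fuzzylogic describes (reading the module version from the error_log restart notice, then picking the ruleset distribution that matches that module version) as an added Python example; this is not code from the post or from cPanel's own modsec_vendor script. The meta YAML layout used here (distributions / modsec_versions / archive_url) and the URLs are constructed assumptions, not cPanel's real schema.

```python
import re

# Constructed sample of the lines Apache writes to error_log on restart
# (same shape as the notice quoted in the post above).
SAMPLE_ERROR_LOG = [
    "[Wed Aug 01 18:17:24.640083 2018] [:notice] [pid 1234:tid 5678] "
    "ModSecurity for Apache/2.9.2 (modsecurity.org) configured.",
    "[Wed Aug 01 18:17:24.640101 2018] [:notice] [pid 1234:tid 5678] "
    "ModSecurity: APR compiled version=\"1.6.3\"; loaded version=\"1.6.3\"",
]

VERSION_RE = re.compile(r"ModSecurity for Apache/(\d+(?:\.\d+)+)")


def modsec_version_from_log(lines):
    """Return the module version from the most recent restart notice, or None."""
    found = None
    for line in lines:
        m = VERSION_RE.search(line)
        if m:
            found = m.group(1)  # keep the last match: the latest restart wins
    return found


# Hypothetical vendor metadata. Only the idea (one archive per supported
# module version) comes from the post; the field names are assumptions.
SAMPLE_META = {
    "vendor_id": "EXAMPLE_VENDOR",
    "distributions": [
        {"modsec_versions": ["2.9.0", "2.9.1"],
         "archive_url": "https://example.invalid/rules-modsec29a.tar.gz"},
        {"modsec_versions": ["2.9.2", "2.9.3"],
         "archive_url": "https://example.invalid/rules-modsec29b.tar.gz"},
    ],
}


def select_distribution(meta, installed_version):
    """Pick the archive whose supported-version list contains the installed module."""
    for dist in meta.get("distributions", []):
        if installed_version in dist.get("modsec_versions", []):
            return dist["archive_url"]
    return None  # no compatible distribution for this module version


def update_needed(last_seen_url, meta, installed_version):
    """Mirror the upcp check: fetch only if the distribution for this version changed."""
    url = select_distribution(meta, installed_version)
    if url is None:
        return (False, None)
    return (url != last_seen_url, url)
```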