Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

cPanel's implementation of Mod_Security

Discussion in 'Security' started by ottdev, Aug 8, 2018.

  1. ottdev

    ottdev Well-Known Member

    Oct 1, 2013
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    1. If one enables the OWASP ruleset provided by cPanel, how does it affect the default ruleset in the module - do they run side by side, different numbering - and each vendor would generally use non-conflicting numbers? Or OWASP replaces the module's defaults when enabled via WHM?

    2. The mention in the cPanel docs
    OWASP renumbered the configuration files in 2016. We strongly recommend that you update your rulesets
    How does one tell WHAT YEAR is installed - or which version - and can you include mention of that corresponding version number as well in the docs, please?

    3. Presently we have update=ON. If that is OFF, does it disable only the actual automatic updating but still check if an update is compatible with the server's current Apache version and will show a note there in the vendor page or it will be included in security recommendations? Or does turning update=OFF cause it to not even check at all?
  2. fuzzylogic

    fuzzylogic Well-Known Member

    Nov 8, 2014
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    The Apache module (that is ModSecurity for Apache/2.9.2) is an interpeter for modsecurity rule language.
    It has no rules inherent in it.
    If you have no rule sets enabled in Home » Security Center » ModSecurity™ Vendors » Manage Vendors, then no rules are being processed.
    If you have a rule set enabled please copy its full name into your next post.
    Please copy the full name of "the OWASP ruleset" you are asking about enabling.
    To check the Apache Module modsecurity version number run the ssh command...
    grep -i 'ModSecurity for Apache' /usr/local/apache/logs/error_log
    It should return something like...
    [Wed Aug 01 18:17:24.640083 2018] [:notice] [pid xx:tid xx] ModSecurity for Apache/2.9.2 ( configured.
    Apache logs the version to the error_log when it restarts.

    If your server was provisioned before 2016/2017 then the older version of the owasp ruleset from before the renumbering would have been available (but not enabled by default) in the the Home » Security Center » ModSecurity™ Vendors » Manage Vendors section of WHM (named OWASP rule set).

    After the renumbering a newer version of the ruleset named "OWASP ModSecurity Core Rule Set V3.0" also became available in Home » Security Center » ModSecurity™ Vendors » Manage Vendors section of WHM

    So cPanel recommended that the older OWASP ruleset be disabled and OWASP ModSecurity Core Rule Set V3.0 be enabled, explaining the quote in your point 2.

    3. If you turn on Update for a ruleset (say for instance OWASP ModSecurity Core Rule Set V3.0), then if you ALSO have cPanel Autoupdate turned on, then when upcp runs (once a day) the ruleset yaml file will be checked. If the distribution name-number has changed since last check, it will download the new ruleset zip file.
    If you have cPanel Autoupdate turned off then the ruleset yaml file would only be checked when you ran cPanel Update manually.

    If you set Update OFF for a ruleset it will not check at all.

    upcp runs the command /usr/local/cpanel/scripts/modsec_vendor update --auto
    You can run it manually any time to see if/how it is working.
    /usr/local/cpanel/scripts/modsec_vendor update --auto
    [2018-08-10 21:33:38 +1000] info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
    [2018-08-10 21:33:38 +1000] info [modsec_vendor] You have not enabled the vendor "OWASP3". The vendor will not receive automatic updates.
    [2018-08-10 21:33:38 +1000] info [modsec_vendor] You have not enabled the vendor "comodo_apache". The vendor will not receive automatic updates.
    [2018-08-10 21:33:39 +1000] info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
    [2018-08-10 21:33:40 +1000] info [modsec_vendor] The vendor "configserver" is already up to date.
    OWASP3 and comodo_apache have updates turned OFF (they are not enabled either)
    configserver had updates turned on, it checked the yaml file and the distribution had not changed.

    Compatability for a ruleset is not with the Apache version, but with the modsecurity Apache Module version.
    It is/should be handled in the yaml file providing a different ruleset download url for each likely version of modsecurity Apache Module to be encountered. This will make more sense if you read a yaml file...
    Might be a good time to manage your expectations too.
    OWASP CRS is a generic rule set.
    It has rules designed to detect generic attack vectors such as sql injection or directory traversal for instance.
    It has no specific rules for any known or published web application vulnerabilities.
    So updates are infrequent and not in direct response to newly found vulnerabilities.
    cPanelLauren likes this.
  3. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Nov 14, 2017
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    DataCenter Provider
    Wonderfully explained @fuzzylogic thank you so much for the detailed information.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice