Custom mod_security rules disappear

spry_jdk

Registered
Jan 2, 2011
3
0
51
I have created 2 custom mod_security rules to whitelist specific IP addresses. I am doing this through the ModSecurity Tools -> Rules List -> Add Rule interface in WHM.

On at least two separate occasions, these custom rules have disappeared. The last incident happened today. I just happened to check on them yesterday (because I was looking up the syntax for the rule), and they were there, so I am certain that this is actually occurring and not just a fluke.

I have the OSWAP Core Ruleset enabled. I am wondering if they get wiped out when the ruleset is updated.

1. Is there a way to prevent my custom rules from being deleted?
2. If not, is there a way to get notified when the ruleset is updated so I can reapply my custom rules?

Thanks,
Julia
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Julia,

The add rules interface in WHM will add the rules to /usr/local/apache/conf/modsec2.user.conf. Some hosting providers manage this file for you, so you should check in the file /usr/local/apache/conf/modsec2.user.conf to see if there is any information in there. The owasp ruleset does get updated by cPanel so if you added custom rules to the actual OWASP rules files you should expect them to disappear.

Worst case you could use a file like /usr/local/apache/conf/includes/post_virtualhost_global.conf but this shouldn't be necessary.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463

spry_jdk

Registered
Jan 2, 2011
3
0
51
Thank you, both. I see my custom rules at the bottom of /usr/local/apache/conf/modsec2.user.conf now, so the process of adding it via the WHM UI is not the issue.

At the top of this file, it says the following:
## DO NOT MAKE DIRECT MODIFICATIONS TO THIS FILE.
# Changes to this file may be over-written by future upgrades to mod_security rules.
# If you need to whitelist rules, please use /usr/local/apache/conf/modsec2/whitelist.conf

The comments appear to be from my hosting provider, so I take it to mean that they are managing mod_security rules for me in a way that isn't compatible with the current functionality provided by WHM. I'll contact them to resolve the issue.

Thanks,
Julia


Hello,

The method you used to add the custom rule should allow it to be preserved:
"WHM Home » Security Center » ModSecurity™ Tools » Rules List » Add Rule"

Is your /usr/local/apache/conf/modsec2.user.conf file manipulated by another application or service? Note this is documented here:

https://documentation.cpanel.net/di...:ModSecurity-Apache,mod_securityandEasyApache

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
Hello,

I am happy to see you were able to find an answer to your question. Thank you for updating us with the outcome.