In Progress EA-10889 - mod_security disabled by default? Why?

[sparek-3]

Wow! Just Wow!

So apparently cPanel is shipping cPanel with mod_security disabled now? When the hell did that happen?

I've spent the last two hours trying to figure out why mod_security wasn't working on a new server. Turns out, SecRuleEngine is Off. WHO KNEW!?!

What's more, you can't enable it from the command line

/usr/local/cpanel/bin/whmapi1 modsec_batch_settings setting_id='2' state='On'

does nothing.

You have to log into the WHM, click on Security Center, click on ModSecurity Configuration and scroll down to Rules Engine and enable Process the rules.

I don't know why the hell you'd install mod_security and not enable it. But hey! Who doesn't like wasting time!

I ain't very happy right now. Two hours down the drain.

 

[techAMIGO]

Hello,

We need to install ModSecurity Vendors like OWASP ModSecurity ruleset from WHM

Home>>Security Center>> ModSecurity™ Vendors

These rules are active only after enabling the configuration file.

To view the logged notifications and blocked traffic from these rules, navigate to

Home >> Security Center >> ModSecurity™ Tools.

 

[cPRex]

I did confirm that a new cPanel installation of version 104 do include the ea-apache24-mod_security#### package, but there are no vendors installed.

I reached out to our web server team to get more details, and I'll share what I find out as soon as I have it.

 

[sparek-3]

I apologize for the verbage in my post yesterday. I was pretty mad after spending a lot of time trying to figure out why mod_security wasn't working.

It looks to me like by default the file /var/cpanel/modsec_cpanel_conf_datastore comes with the setting:

SecRuleEngine: 'Off'

That doesn't seem to make a lot of sense to me.

And... there doesn't appear to be a way to change this from the command line.

Running:

/usr/local/cpanel/bin/whmapi1 modsec_set_setting setting_id='2' state='On'

Simply adds a:

pending_settings:
SecRuleEngine: 'On'

But it never actually changes makes the changes.

The only way I've figured out how to do this from the command-line is to change the file manually

sed -i -E "s/SecRuleEngine:.*/SecRuleEngine: 'On'/g" /var/cpanel/modsec_cpanel_conf_datastore

and then re-enable a vendor_id (it doesn't matter if it's already enabled)

/usr/local/cpanel/bin/whmapi1 modsec_enable_vendor vendor_id=%vender_id%

to actually make the changes in /etc/apache2/conf.d/modsec/modsec2.cpanel.conf

Just not really sure why SecRuleEngine would ever be Off if you intend to use mod_security. You're essentially saying "Here.. install these mod_security rules... but don't actually use them."

This is the behavior I saw in a new cPanel 102.0.21 on AlmaLinux 8. This is my first foray in setting up a new server in quite some time, so perhaps I'm missing something.

 

[cPRex]

Nah, you're good, and your feedback is always incredibly detailed and helpful, which I appreciate.

I still haven't heard back from the team, but I'll pass along these thoughts as well.

 

[cPRex]

Well, you're not going to like my findings - I tested with versions back until 90, and also reached out to the Apache team, and we can't find evidence that this was ever configured and running by default. A 90.0.19 machine looks just like the v104 screenshot that @techAMIGO posted.

So as far as we can tell, this has always been the case.

 

[sparek-3]

What package contains /var/cpanel/modsec_cpanel_conf_datastore?

So you're saying it's always come with

SecRuleEngine: 'Off'

How are you suppose to turn SecRuleEngine On from the command-line?

I maintain my own, slightly customized mod_security ruleset. When I setup a new server I do a:

/usr/local/cpanel/bin/whmapi1 modsec_add_vendor

to download the ruleset, followed by a

/usr/local/cpanel/bin/whmapi1 modsec_update_vendor

to update the ruleset.

Never have I had to deal with SecRuleEngine in /var/cpanel/modsec_cpanel_conf_datastore or turn it on in any capacity.

Have any of the behaviors of modsec_add_vendor or modsec_update_vendor changed in that maybe before it was turning On SecRuleEngine and now it is not?

Coincidentally, shouldn't there be a way to turn SecRuleEngine on from the command line?

I don't know what the package is that is controlling /var/cpanel/modsec_cpanel_conf_datastore but is it really wise to ship that with default SecRuleEngine: 'Off'? That seems wildly counterproductive.

 

[cPRex]

Thanks for those details. No package controls that file, as it's just a flat configuration file.

I still have the team looking into this on my end to see if this should actually be a bug report, or if something else may be going on.

 

[sparek-3]

Well... I mean... it has to come from some where.

It's not part of a vanilla AlmaLinux install.

It's part of a cPanel package some where. May be part of the core cPanel package. But something cPanel creates or places the /var/cpanel/modsec_cpanel_conf_datastore

 

[cPRex]

I created case EA-10889 with our EasyApache team so they could investigate this behavior and change, and see if that is something they want to add back. I'll be sure to update this thread as I get more details.