In Progress EA-10889 - mod_security disabled by default? Why?

sparek-3, Well-Known Member
Wow! Just Wow!

So apparently cPanel is shipping cPanel with mod_security disabled now? When the hell did that happen?

I've spent the last two hours trying to figure out why mod_security wasn't working on a new server. Turns out, SecRuleEngine is Off. WHO KNEW!?!

What's more, you can't enable it from the command line

/usr/local/cpanel/bin/whmapi1 modsec_batch_settings setting_id='2' state='On'

does nothing.

You have to log into the WHM, click on Security Center, click on ModSecurity Configuration and scroll down to Rules Engine and enable Process the rules.

I don't know why the hell you'd install mod_security and not enable it. But hey! Who doesn't like wasting time!

I ain't very happy right now. Two hours down the drain.
 

techAMIGO, Active Member
Hello,

We need to install ModSecurity Vendors, like the OWASP ModSecurity ruleset, from WHM:

Home>>Security Center>> ModSecurity™ Vendors

These rules are active only after enabling the configuration file.

To view the logged notifications and blocked traffic from these rules, navigate to

Home >> Security Center >> ModSecurity™ Tools.

[attached screenshot of the ModSecurity™ Vendors page]
 

cPRex, Jurassic Moderator, Staff member
I did confirm that a new cPanel installation of version 104 does include the ea-apache24-mod_security#### package, but there are no vendors installed.

I reached out to our web server team to get more details, and I'll share what I find out as soon as I have it.
 

sparek-3, Well-Known Member
I apologize for the verbiage in my post yesterday. I was pretty mad after spending a lot of time trying to figure out why mod_security wasn't working.

It looks to me like by default the file /var/cpanel/modsec_cpanel_conf_datastore comes with the setting:

SecRuleEngine: 'Off'

That doesn't seem to make a lot of sense to me.

And... there doesn't appear to be a way to change this from the command line.

Running:

/usr/local/cpanel/bin/whmapi1 modsec_set_setting setting_id='2' state='On'

Simply adds a:

pending_settings:
SecRuleEngine: 'On'


But it never actually makes the changes.

The only way I've figured out how to do this from the command-line is to change the file manually

sed -i -E "s/SecRuleEngine:.*/SecRuleEngine: 'On'/g" /var/cpanel/modsec_cpanel_conf_datastore

and then re-enable a vendor_id (it doesn't matter if it's already enabled)

/usr/local/cpanel/bin/whmapi1 modsec_enable_vendor vendor_id=%vendor_id%

to actually make the changes in /etc/apache2/conf.d/modsec/modsec2.cpanel.conf

Just not really sure why SecRuleEngine would ever be Off if you intend to use mod_security. You're essentially saying "Here.. install these mod_security rules... but don't actually use them."

This is the behavior I saw in a new cPanel 102.0.21 on AlmaLinux 8. This is my first foray into setting up a new server in quite some time, so perhaps I'm missing something.
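Added example, not from this thread and not cPanel's own tooling: a small POSIX sh helper around the manual workaround described in the post above. It reads the active SecRuleEngine value from the datastore separately from the one parked under pending_settings: (which is what modsec_set_setting writes), applies the same sed the post uses, and then checks whether the regenerated modsec2.cpanel.conf actually carries a SecRuleEngine directive, which is the part worth verifying after the vendor re-enable step. The datastore layout it parses (a flat YAML-like file with pending_settings: as an indented mapping, as in the lines quoted above) and the DATASTORE, MODSEC_CONF, WHMAPI1 and VENDOR_ID variables are assumptions; the real run only happens when invoked with --apply.

```shell
#!/bin/sh
# Added example, not from the thread: wraps the manual workaround described
# in the post above (edit the datastore, then re-enable a vendor so cPanel
# regenerates the Apache config) in checkable steps. Paths default to those
# named in the thread; override them through the environment for testing.
DATASTORE="${DATASTORE:-/var/cpanel/modsec_cpanel_conf_datastore}"
MODSEC_CONF="${MODSEC_CONF:-/etc/apache2/conf.d/modsec/modsec2.cpanel.conf}"
WHMAPI1="${WHMAPI1:-/usr/local/cpanel/bin/whmapi1}"

# Report the SecRuleEngine value in the datastore, distinguishing the active
# value from one parked under pending_settings: (which modsec_set_setting
# writes but never applies). Output looks like "active=Off pending=On".
# Assumption: the datastore is YAML-like and pending_settings: is a mapping
# whose entries are indented below it, as in the lines quoted in the thread.
modsec_engine_state() {
    awk '
        /^[ \t]*pending_settings:/ { pend_indent = match($0, /[^ \t]/); inpend = 1; next }
        inpend && NF && match($0, /[^ \t]/) <= pend_indent { inpend = 0 }
        /SecRuleEngine:/ {
            val = $0
            sub(/.*SecRuleEngine:[ \t]*/, "", val)
            gsub(/[ \t]/, "", val)
            if (inpend) pending = val; else active = val
        }
        END { printf "active=%s pending=%s\n", active, pending }
    ' "$1" | tr -d "'\""
}

# Flip every SecRuleEngine line in the datastore to On (the sed from the post,
# written to a temp file and moved into place instead of editing in place).
modsec_engine_set_on() {
    tmp="$1.tmp.$$"
    sed -E "s/SecRuleEngine:.*/SecRuleEngine: 'On'/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Read the SecRuleEngine directive from the generated Apache config; prints
# "missing" if no directive is present, which is the symptom to check after
# the vendor re-enable step has regenerated the file.
modsec_conf_engine_state() {
    v=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'missing\n'; fi
}

# Full procedure on a real cPanel host: runs only with --apply and VENDOR_ID
# set (the vendor_id to re-enable is site-specific, so it is not guessed).
if [ "${1:-}" = "--apply" ]; then
    : "${VENDOR_ID:?set VENDOR_ID to the vendor_id to re-enable}"
    echo "before: $(modsec_engine_state "$DATASTORE")"
    modsec_engine_set_on "$DATASTORE"
    "$WHMAPI1" modsec_enable_vendor vendor_id="$VENDOR_ID"
    echo "after:  $(modsec_engine_state "$DATASTORE"), apache conf: $(modsec_conf_engine_state "$MODSEC_CONF")"
fi
```

Run it without arguments to get the three functions only; `VENDOR_ID=... sh script.sh --apply` performs the edit, the re-enable and the final check. If the last line still reports `apache conf: missing`, the vendor re-enable did not regenerate modsec2.cpanel.conf and Apache is still running without the rules engine, regardless of what the datastore says.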
 

cPRex, Jurassic Moderator, Staff member
Well, you're not going to like my findings - I tested with versions back until 90, and also reached out to the Apache team, and we can't find evidence that this was ever configured and running by default. A 90.0.19 machine looks just like the v104 screenshot that @techAMIGO posted.

So as far as we can tell, this has always been the case.
 

sparek-3, Well-Known Member
What package contains /var/cpanel/modsec_cpanel_conf_datastore?

So you're saying it's always come with

SecRuleEngine: 'Off'

How are you supposed to turn SecRuleEngine On from the command line?

I maintain my own, slightly customized mod_security ruleset. When I set up a new server I do a:

/usr/local/cpanel/bin/whmapi1 modsec_add_vendor

to download the ruleset, followed by a

/usr/local/cpanel/bin/whmapi1 modsec_update_vendor

to update the ruleset.

Never have I had to deal with SecRuleEngine in /var/cpanel/modsec_cpanel_conf_datastore or turn it on in any capacity.

Have any of the behaviors of modsec_add_vendor or modsec_update_vendor changed in that maybe before it was turning On SecRuleEngine and now it is not?

Coincidentally, shouldn't there be a way to turn SecRuleEngine on from the command line?

I don't know what the package is that is controlling /var/cpanel/modsec_cpanel_conf_datastore but is it really wise to ship that with default SecRuleEngine: 'Off'? That seems wildly counterproductive.
 

cPRex, Jurassic Moderator, Staff member
Thanks for those details. No package controls that file, as it's just a flat configuration file.

I still have the team looking into this on my end to see if this should actually be a bug report, or if something else may be going on.
 

sparek-3, Well-Known Member
Well... I mean... it has to come from somewhere.

It's not part of a vanilla AlmaLinux install.

It's part of a cPanel package somewhere. It may be part of the core cPanel package. But something in cPanel creates or places the /var/cpanel/modsec_cpanel_conf_datastore file.