In Progress [EA-8605] Mod_Security and Mod_Ruid2 with persistent storage

[Patrice Bechard]

Hi everyone,

2016 and still no fix from cPanel. We need thoses brute force rules to work with ruid2 because we need the security of ruid2, and we are hosting lots of Wordpress sites and we need to protect /wp-login from brute force attack. We made it work by appliying the workarround we found on this forum

getting permission denied in ModSecurity error_log · Issue #919 · SpiderLabs/ModSecurity · GitHub

The workarround is to change the SecDataDir from /var/cpanel/secdatadir to /var/log/secdatadir and set the right permissions in that directory. The problem is that the SecDataDir directive is set in the modsec2.cpanel.conf file and that file is overwritten by cPanel every time there is an update or we use the UI to change the config. If we set the SecDataDir in our modsec2.user.conf file, it is ignored because it is overwritten by the cpanel file that is called after in the modsec2.conf file and since the calls to the OWASP rules are in that cpanel file also, there is no way to rewrite that directive between the two calls.

Cpanel: Is there a way to change a master file somewhere so when cpanel rewrites the modsec2.cpanel.conf file, you use our SecDataDir or have an advanced setting in the UI to set that folder ?? Or more drastically, why are you not putting that folder in this location by default with the cpanel install with the right permission ?? What are the security risks of that solution ?

 

[cPanelMichael]

Hello,

I've moved this post into it's own thread.

Could you verify if you are using EasyApache 4? If so, could you let us know if defining a custom path for the "SecGeoLookupDb" directive works for this purpose? The option is configurable via:

"WHM Home » Security Center » ModSecurity™ Configuration » Configure Global Directives"

Thank you.

 

[linux4me2]

I know the OP needs to verify it on his own installation, but I can verify that a custom path saved for SecGeoLookupDb in EA4 did not get overwritten when updating from cPanel 58.0.30 to 58.0.31 on mine.

 

[rclemings]

The solution in #2 does not work for me. The "SecGeoLookupDb" global directive remains set to /var/log/secdatadir, but on the next cPanel update the following setting in /etc/apache2/conf.d/modsec/modsec2.cpanel.conf reverts to /var/cpanel/secdatadir and the errors resume:

##
## ModSecurity fixed global configuration directives
##

SecDataDir "/var/log/secdatadir"

The errors look like this:

ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/XXXX-ip": Permission denied (where XXXX is the username)

 

[cPanelMichael]

ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/XXXX-ip": Permission denied (where XXXX is the username)

Hello @rclemings,

This issue was recently brought up in a support ticket. Here's a quoted summary of the response:

The following page on the Mod_Security GitHub shows where compatibility for Mod_Ruid2 and MPM-ITK was added to Mod_Security version 2.9.3:

@ju5t patch to fix mpm-itk / mod_ruid2 compatibility by victorhora · Pull Request #1912 · SpiderLabs/ModSecurity

This PR contains the patch by @ju5t (with minor adjustments due to change in lines). It's meant to fixing compatibility issues with apache2-itk and mod_ruid2 Apache modules and ModSecurity 2.9....

github.com

However, the default permissions we set on the /var/cpanel/secdatadir directory are not permissive enough to grant individual users the ability to create and modify their own DBM files. Additionally, we don't recommend loosening the default permissions due to the security implications of such a change.

Internal case EA-8605 was recently opened to determine the feasibility of supporting persistent storage for servers using Mod_Ruid2 and Mod_Security.

I've linked internal case EA-8605 to this forums thread, and I'll reply here with updates on the status of this case as they become available.

Thank you.