
EA4 Mod security Fails

Discussion in 'EasyApache' started by Keith007, Jun 12, 2017.

  1. Keith007

    Keith007 Member

    Hi

    Why do I get errors when running an EA4 build even though I don't have Comodo WAF enabled or set up?
    The directory has no files in it and cPanel ModSecurity is disabled.

    [Mon Jun 12 17:07:26.074176 2017] [:error] [pid 13433:tid 140145126704896] [client X.X.X.X] ModSecurity: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/13_HTTP_Protocol.conf"] [line "14"] [id "210210"] [rev "1"] [msg "COMODO WAF: Apache Error: Invalid URI in Request.|||F|4"] [data "GET login.cgi HTTP/1.0"] [severity "WARNING"] [tag "CWAF"] [tag "Protocol"] [hostname "X.X.X.X"] [uri "/400.shtml"] [unique_id "WT68Ps3AyEFCo8M5VEEFBAAAABg"]



    Regards

    Keith
     
  2. 24x7server

    24x7server Well-Known Member

    Hi,

    Check the Apache configuration and the modsec configuration; there might be some entries left in them that are triggering this.
     
  3. fuzzylogic

    fuzzylogic Well-Known Member

    When Apache restarts it checks the output of its error_log.
    If it simultaneously generates output for another reason or if it saved the error_logs it had buffered waiting to write when the restart was called then these can be included as part of the output of the restart.
    It is not infrequent that I see this behavior on my server.

    From the way you phrased your issue I assume you saw this same output more than once.
    If this is true I would assume that a script is hammering requests to login.cgi as part of a brute force attempt on that uri.
    If that is true, 1, 2 or 3 requests per second is not uncommon. This is why that error is repeatedly being generated when Apache restarts. It is coincidental but common due to the frequency of the request.
    Many of these brute scripts are quite dumb and will continue even if the login.cgi script does not exist on your server if they don't get the response they were expecting.

    In your case your server is responding with a 400 error code.
    This response is natively generated by Apache as a response to a bad request.
    This occurs before ModSecurity has even begun to execute.
    This means that ModSecurity would not normally log this blocked request.
    So ModSecurity rule writers and maintainers, both OWASP and Comodo, have rules to parse Apache's error log variable WEBSERVER_ERROR_LOG for the string "Invalid URI in request".
    Your error shows Comodo WAF rule ID 210210 as the rule being triggered by that event.

    Why is a Comodo rule being triggered when you think ModSecurity is disabled and the Comodo rules are deleted?
    How did you "disable modsecurity"? How did you delete Comodo rules?
    You could try these.
    Check the contents of the /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache directory for rules.
    Check /etc/apache2/conf.d/modsec/modsec2.cpanel.conf for Include directives to comodo rules.
    If you have no Comodo rules and no Includes to them, then try rebuilding httpd.conf with this...
    Log in to an SSH terminal and rebuild httpd.conf with the command...
    /usr/local/cpanel/scripts/rebuildhttpdconf
    Then restart apache with the command...
    /usr/local/cpanel/scripts/restartsrv_httpd

    If you find rules and find Includes to them and still want to turn them off then try this.

    Firstly to be sure WHM has Comodo WAF disabled go to...
    WHM => Security Center => ModSecurity Vendors =>
    COMODO ModSecurity Apache Rule Set =>
    Enabled (turn on) wait for Success message =>
    Then Enabled (turn off) wait for Success message.

    Then log in to an SSH terminal and rebuild httpd.conf with the command...
    /usr/local/cpanel/scripts/rebuildhttpdconf
    Then restart apache with the command...
    /usr/local/cpanel/scripts/restartsrv_httpd
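
The two checks suggested in the post above (rule files in the vendor directory, Include directives in modsec2.cpanel.conf) can be scripted as a read-only check. This is an added example, not part of the original post or cPanel's tooling: the function names and state labels are hypothetical, the default paths are the two named in the post, and the `id:` pattern assumes the usual ModSecurity action syntax.

```shell
#!/bin/sh
# Added example: read-only check for leftover Comodo WAF rules on an EA4 host.
RULE_DIR_DEFAULT=/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache
MODSEC_CONF_DEFAULT=/etc/apache2/conf.d/modsec/modsec2.cpanel.conf

# Number of rule files (*.conf) directly inside the vendor directory.
count_rule_files() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -maxdepth 1 -type f -name '*.conf' | wc -l | tr -d ' '
}

# Active (non-commented) Include/IncludeOptional lines that mention comodo.
active_comodo_includes() {
    [ -r "$1" ] || return 0
    grep -Ei '^[[:space:]]*Include(Optional)?[[:space:]]+.*comodo' "$1" || true
}

# Prints one of:
#   clean            no rule files, no Include
#   orphan-rules     rule files on disk, nothing includes them
#   dangling-include Include present, no rule files
#   loaded           both present: Apache will load the rules on restart
comodo_state() {
    cs_dir=${1:-$RULE_DIR_DEFAULT}
    cs_conf=${2:-$MODSEC_CONF_DEFAULT}
    cs_files=$(count_rule_files "$cs_dir")
    cs_incl=$(active_comodo_includes "$cs_conf" | wc -l | tr -d ' ')
    if [ "$cs_files" -gt 0 ] && [ "$cs_incl" -gt 0 ]; then echo loaded
    elif [ "$cs_files" -gt 0 ]; then echo orphan-rules
    elif [ "$cs_incl" -gt 0 ]; then echo dangling-include
    else echo clean
    fi
}

# List the rule file(s) in DIR that define rule ID, e.g. 210210 from the log line.
find_rule_id() {
    [ -d "$1" ] || return 0
    grep -lE "id:'?$2'?([^0-9]|\$)" "$1"/*.conf 2>/dev/null || true
}

# Check the live paths only when asked: sh check_comodo.sh --live
if [ "${1:-}" = "--live" ]; then
    comodo_state
    find_rule_id "$RULE_DIR_DEFAULT" 210210
fi
```

A result of `loaded` after the vendor has been disabled in WHM means the on-disk configuration still references the rule set; in the `clean` case, the rebuild and restart commands above are the next step.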
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you browse to "WHM Home » Security Center » ModSecurity™ Vendors » Manage Vendors" and verify no custom rule sets are enabled?

    Thank you.
     