Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Easyapache 4 + Modsecurity + Mod_ruid2 errors

Discussion in 'EasyApache' started by mariusfv, Feb 8, 2017.

Tags:
  1. mariusfv

    mariusfv Member

    Joined:
    Mar 24, 2013
    Messages:
    22
    Likes Received:
    4
    Trophy Points:
    3
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    Hi,

    OS: CentOS Linux release 7.3.1611 (Core)
    WHM/cPanel: WHM 62.0 (build 8)
    Server MPM: prefork
    PHP-FPM: Yes (php-fpm: master process (/opt/cpanel/ea-php70/root/etc/php-fpm.conf) / php-fpm: master process (/usr/local/cpanel/etc/php-fpm.conf)
    Installed packages via WHM: Yes

    Conflict Modsecurity + mod_ruid2 is solved or not in WHM 62.0 (build 8) / Easyapache4?

    Apache error log(OWASP ModSecurity Core Rule Set):
    tail -f /usr/local/apache/logs/error_log

    Code:
    [Wed Feb 08 07:19:47.368806 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]
    
    [Wed Feb 08 07:19:47.614697 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]
    
    [Wed Feb 08 07:19:47.614782 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: Audit log: Failed to create subdirectories: /etc/apache2/logs/modsec_audit/marius/20170208/20170208-0719 (Permission denied) [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]
    
    [Wed Feb 08 07:20:01.778308 2017] [:error] [pid 18360] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "317"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: "] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "server.example.com"] [uri "/whm-server-status"] [unique_id "WJq4kanq5WrIr4YLH5L2BgAAAAg"]
    1. Solution to work Modsecurity with mod_ruid2 on EA4(WHM 62.0 (build 8)?
    2. Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell is still EXPERIMENTAL in 2017?
    3. Why COMODO Mod Security Rules not compatible with Easyapache4?(Vendor added via: waf.comodo.com/doc/meta_comodo_apache.yaml)
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,659
    Likes Received:
    1,428
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  3. mariusfv

    mariusfv Member

    Joined:
    Mar 24, 2013
    Messages:
    22
    Likes Received:
    4
    Trophy Points:
    3
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    In my first post I've specified: Server MPM: prefork(cPanel default) - > So this apply to prefork too or only to MPM-ITK?
    Far as I know MPM prefork and MPM ITK are 2 different modules.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,659
    Likes Received:
    1,428
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    This was a blanket statement to note the Apache process is run as the cPanel user when using either Mod_Ruid2 or MPM-ITK. In your case, the system uses Mod_Ruid2.

    Thanks!
     
  5. mariusfv

    mariusfv Member

    Joined:
    Mar 24, 2013
    Messages:
    22
    Likes Received:
    4
    Trophy Points:
    3
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    Ok, I understand that in my case the system uses Mod_Ruid2.

    But nobody from staff answer to my main question: Conflict Modsecurity + mod_ruid2 is solved or not in WHM?(I provided log & all the information's).

    Thanks!
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,659
    Likes Received:
    1,428
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    This issue will still occur when using Mod_Ruid2 and Mod_Security. The topic is discussed in more detail on the URL referenced in the earlier response:

    ModSecurity + MPM ITK compatibility - inconsistent documentation

    Note that the title references MPM ITK, but the same issue applies to Ruid2.

    Thank you.
     
  7. joako

    joako Well-Known Member

    Joined:
    Aug 7, 2003
    Messages:
    105
    Likes Received:
    2
    Trophy Points:
    168
    So what needs to be done to fix this? Does this new version fix it?

    OWASP has released version 3 of their Core Rule Set for ModSecurity™. This new version of the ruleset provides enhanced protection for a number of attacks on web servers. To install the new set of rules or upgrade from the older version, go to Home » Security Center » ModSecurity™ Vendors.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,659
    Likes Received:
    1,428
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @joako,

    The issue originates from a bug with Mod Security itself, however we recently have begun working on a solution to ensure Mod Security correctly logs ModSecEvents when using MPM-ITK or RUID2, so that persistent logging works properly. You can find the most recent update at:

    ModSecurity + MPM ITK compatibility - inconsistent documentation

    Thank you.
     
  9. eXite

    eXite Well-Known Member

    Joined:
    May 16, 2003
    Messages:
    50
    Likes Received:
    1
    Trophy Points:
    158
    cPanel Access Level:
    DataCenter Provider
    We fixed this by manually editing /etc/apache2/conf.d/modsec/modsec2.cpanel.conf and adding the following line:

    (or changing the existing /var/cpanel/secdatadir to that path)

    Afterwards run the following commands:

    Then change any modsec setting in WHM under [ModSecurityTM Configuration] to trigger the regeneration of the config and you're all set. No more errors.
     
    cPanelMichael likes this.
  10. sonicsam

    sonicsam Member

    Joined:
    Apr 5, 2012
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator


    I tried this but as soon as I change the modsec settings in whm the config file reverts to the old path.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,659
    Likes Received:
    1,428
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    You may find the following thread helpful:

    ModSecurity - SecDataDir

    Thank you.
     
Loading...

Share This Page