Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Easyapache 4 + Modsecurity + Mod_ruid2 errors

Discussion in 'EasyApache' started by mariusfv, Feb 8, 2017.

Tags:
  1. mariusfv

    mariusfv Active Member

    Joined:
    Mar 24, 2013
    Messages:
    29
    Likes Received:
    4
    Trophy Points:
    78
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    Hi,

    OS: CentOS Linux release 7.3.1611 (Core)
    WHM/cPanel: WHM 62.0 (build 8)
    Server MPM: prefork
    PHP-FPM: Yes (php-fpm: master process (/opt/cpanel/ea-php70/root/etc/php-fpm.conf) / php-fpm: master process (/usr/local/cpanel/etc/php-fpm.conf)
    Installed packages via WHM: Yes

    Conflict Modsecurity + mod_ruid2 is solved or not in WHM 62.0 (build 8) / Easyapache4?

    Apache error log(OWASP ModSecurity Core Rule Set):
    tail -f /usr/local/apache/logs/error_log

    Code:
    [Wed Feb 08 07:19:47.368806 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]

[Wed Feb 08 07:19:47.614697 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]

[Wed Feb 08 07:19:47.614782 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: Audit log: Failed to create subdirectories: /etc/apache2/logs/modsec_audit/marius/20170208/20170208-0719 (Permission denied) [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]

[Wed Feb 08 07:20:01.778308 2017] [:error] [pid 18360] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "317"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: "] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "server.example.com"] [uri "/whm-server-status"] [unique_id "WJq4kanq5WrIr4YLH5L2BgAAAAg"]
    1. Solution to work Modsecurity with mod_ruid2 on EA4(WHM 62.0 (build 8)?
    2. Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell is still EXPERIMENTAL in 2017?
    3. Why COMODO Mod Security Rules not compatible with Easyapache4?(Vendor added via: waf.comodo.com/doc/meta_comodo_apache.yaml)
     
    #1 mariusfv, Feb 8, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,323
    Likes Received:
    1,851
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Feb 10, 2017
  3. mariusfv

    mariusfv Active Member

    Joined:
    Mar 24, 2013
    Messages:
    29
    Likes Received:
    4
    Trophy Points:
    78
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    In my first post I've specified: Server MPM: prefork(cPanel default) - > So this apply to prefork too or only to MPM-ITK?
    Far as I know MPM prefork and MPM ITK are 2 different modules.
     
    #3 mariusfv, Feb 11, 2017
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,323
    Likes Received:
    1,851
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    This was a blanket statement to note the Apache process is run as the cPanel user when using either Mod_Ruid2 or MPM-ITK. In your case, the system uses Mod_Ruid2.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelMichael, Feb 13, 2017
  5. mariusfv

    mariusfv Active Member

    Joined:
    Mar 24, 2013
    Messages:
    29
    Likes Received:
    4
    Trophy Points:
    78
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    Ok, I understand that in my case the system uses Mod_Ruid2.

    But nobody from staff answer to my main question: Conflict Modsecurity + mod_ruid2 is solved or not in WHM?(I provided log & all the information's).

    Thanks!
     
    #5 mariusfv, Feb 13, 2017
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,323
    Likes Received:
    1,851
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    This issue will still occur when using Mod_Ruid2 and Mod_Security. The topic is discussed in more detail on the URL referenced in the earlier response:

    ModSecurity + MPM ITK compatibility - inconsistent documentation

    Note that the title references MPM ITK, but the same issue applies to Ruid2.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 cPanelMichael, Feb 13, 2017
  7. joako

    joako Well-Known Member

    Joined:
    Aug 7, 2003
    Messages:
    105
    Likes Received:
    2
    Trophy Points:
    168
    So what needs to be done to fix this? Does this new version fix it?

    OWASP has released version 3 of their Core Rule Set for ModSecurity™. This new version of the ruleset provides enhanced protection for a number of attacks on web servers. To install the new set of rules or upgrade from the older version, go to Home » Security Center » ModSecurity™ Vendors.
     
    #7 joako, Apr 18, 2017
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,323
    Likes Received:
    1,851
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @joako,

    The issue originates from a bug with Mod Security itself, however we recently have begun working on a solution to ensure Mod Security correctly logs ModSecEvents when using MPM-ITK or RUID2, so that persistent logging works properly. You can find the most recent update at:

    ModSecurity + MPM ITK compatibility - inconsistent documentation

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 cPanelMichael, Apr 19, 2017
  9. eXite

    eXite Well-Known Member

    Joined:
    May 16, 2003
    Messages:
    50
    Likes Received:
    2
    Trophy Points:
    158
    cPanel Access Level:
    DataCenter Provider
    We fixed this by manually editing /etc/apache2/conf.d/modsec/modsec2.cpanel.conf and adding the following line:

    (or changing the existing /var/cpanel/secdatadir to that path)

    Afterwards run the following commands:

    Then change any modsec setting in WHM under [ModSecurityTM Configuration] to trigger the regeneration of the config and you're all set. No more errors.
     
    #9 eXite, Jul 31, 2017
    botonakis and cPanelMichael like this.
  10. sonicsam

    sonicsam Member

    Joined:
    Apr 5, 2012
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator


    I tried this but as soon as I change the modsec settings in whm the config file reverts to the old path.
     
    #10 sonicsam, Sep 3, 2017
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,323
    Likes Received:
    1,851
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    You may find the following thread helpful:

    ModSecurity - SecDataDir

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #11 cPanelMichael, Sep 5, 2017
(You must log in or sign up to post here.)
Loading...
Similar Threads - Easyapache Modsecurity Mod_ruid2
  1. cPStacy

    EasyApache 4 Update - August 15, 2018

    cPStacy, Aug 15, 2018 at 11:40 AM, in forum: EasyApache
    Replies:
    0
    Views:
    38
    cPStacy
    Aug 15, 2018 at 11:40 AM
  2. cPStacy

    EasyApache 4 Update - August 14, 2018

    cPStacy, Aug 14, 2018 at 3:31 PM, in forum: EasyApache
    Replies:
    0
    Views:
    59
    cPStacy
    Aug 14, 2018 at 3:31 PM
  3. DesFire

    RPMs missing on EasyApache? How to get them back?

    DesFire, Aug 3, 2018, in forum: EasyApache
    Replies:
    2
    Views:
    72
    cPanelMichael
    Aug 6, 2018
  4. tw_mani

    SOLVED [CPANEL-22059] WHM >> EasyApache 4 displays "Wide character in print"

    tw_mani, Aug 1, 2018, in forum: EasyApache
    Replies:
    4
    Views:
    104
    cPanelMichael
    Aug 7, 2018
  5. turingmachine

    SOLVED Enable shmop in EasyApache4?

    turingmachine, Jul 29, 2018, in forum: EasyApache
    Replies:
    3
    Views:
    62
    cPanelMichael
    Jul 31, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice