The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

EasyApache4 install ModSec alongside ModRuid2?

Discussion in 'EasyApache' started by NightStorm, Apr 7, 2016.

Tags:
  1. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    I know that currently EA4 does not allow one to install both Ruid2 and ModSecurity, but EA3 did have support for this. Are there any plans to bring that support forward into EA4, or am I forced to roll back to EA3 and ride that out to the bitter end?
    Or, does anyone know of another option that allows ModSec to install on Apache while forcing each php process to run as UID instead of as NOBODY?
     
    sonicthoughts likes this.
  2. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Joined:
    May 2, 2014
    Messages:
    508
    Likes Received:
    64
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Hi,

    There are some bugs with RUID2 and ModSec, both in EA3 and EA4. ModSec doesn't work well with per-user MPMs, as it can't do proper IP tracking because the DBM files aren't owned by the user, they are global. This would need work by ModSec (pretty much a rewrite on how it operates) in order to work properly. I had originally hoped we'd be able to fix this ourselves, and we added the conflict in EA4. We haven't been able to get this working, so we should probably remove that conflict, and just allow those two packages to operate side by side. I've opened case EA-4430 to tackle this, we'll hopefully have these updated RPMs ready on our next production release.

    I hope this helps!
     
  3. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    It would be very helpful, actually. I've managed for a while now to operate both side by side via EA3 with no issues (I primarily use ModSec to monitor for known exploits, spam posts, and failed logins on my users sites, so I have luckily been able to avoid the problems that came about a few years ago in the whole ModSec/Ruid2/EA3 conflicts. Right now, I just feel like I'm sitting wide open asking for someone to come and mess with the sites, but I am having to chose between ModSec rules, or keeping the server at a level where PHP can't run out of control without being traceable (running as NOBODY makes finding a memory hole or exploited script a LOT harder to track down).
    Is there a timeline for Production Release?
     
    sonicthoughts likes this.
  4. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Joined:
    May 2, 2014
    Messages:
    508
    Likes Received:
    64
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Hi,

    Our next production release isn't scheduled, as we just did a release on Tuesday. I imagine we'll do another sync in the next few weeks.
     
  5. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    Alrighty, I'll just ride it out. Not a fan of Russian Roulette, but I guess now is as good a time as any to practice. ;)
     
  6. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    Good morning Jacob (and whomever else). Did this feature make the cut for the latest EA4 that was rolled out? I don't see it mentioned in the changelog, but I imagine changes often happen that aren't actually listed (keep to the major stuff, so to speak).
     
  7. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Joined:
    May 2, 2014
    Messages:
    508
    Likes Received:
    64
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    No, unfortunately it did not. While we were making the change, we noticed that we actually have to do a lot of other work to get this 'switch' fixed properly. While we could remove the conflict, if the DBM exists and has incorrect permissions, we need to make some changes to allow the module to properly read / write the configs. This greatly enhanced the scope of the change, and we had to hold off on it a bit longer. While I don't have an ETA, I hope we'll have it ready for next months release.
     
  8. sonicthoughts

    sonicthoughts Well-Known Member

    Joined:
    Apr 4, 2011
    Messages:
    61
    Likes Received:
    3
    Trophy Points:
    8
  9. sonicthoughts

    sonicthoughts Well-Known Member

    Joined:
    Apr 4, 2011
    Messages:
    61
    Likes Received:
    3
    Trophy Points:
    8
    I also feel that this has to be a pretty common request and that I'm completely missing some other config that people use (suPHP which has terrible performance?)
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    To update, the following case is now published as part of EasyApache 4:

    814b990: EA-4632 - Remove mod_mpm_itk and mod_ruid2 conflicts

    The full change log is documented at:

    EasyApache 4 Change Log - EasyApache 4 - cPanel Documentation

    Note the DBM issues persist, but we no longer prevent users from enabling both modules at the same time.

    Thank you.
     
Loading...

Share This Page