HTTPD conflict with mod_security?

Discussion in 'EasyApache' started by Gojko, Nov 20, 2018.

  1. Gojko

    Gojko Well-Known Member

    Hello, the cPanel version is 76.0.8.
    After the update, httpd goes down; conflict with mod_security:


    Code:
    [Thu Nov 15 11:05:29.690689 2018] [:error] [pid 23639:tid 47743247877888] [client 104.251.91.195:47269] [client 104.251.91.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "157"] [id "920180"] [rev "1"] [msg "POST request missing Content-Length Header."] [data "0"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [hostname "www.example.net"] [uri "/"] [unique_id "W@1E6VtQYAfCGZPFiSteqgAAAkk"], referer: http://www.example.net
    [Thu Nov 15 11:02:08.993264 2018] [:error] [pid 23640:tid 47743231067904] [client 173.252.127.22:49184] [client 173.252.127.22] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "452"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "sitechecker.example.com"] [uri "/ajax/snap/example.com"] [unique_id "W@1EIG-nM@K8X@Ra8bB7DwAAAoE"]
    [Thu Nov 15 10:58:30.928044 2018] [:error] [pid 23638:tid 47743338829568] [client 221.14.172.69:55516] [client 221.14.172.69] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "47"] [id "920100"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "CONNECT www.domain.tld:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "www.domain.tld"] [uri "/"] [unique_id "W@1DRnIQ-JUXoZNUrcRsPwAAAdQ"]
    Any info on how to avoid this error and turn mod_security on again?
     
    #1 Gojko, Nov 20, 2018
    Last edited by a moderator: Nov 20, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hello @Gojko

    Do you have custom mod_security rules added? The only reason I can think of that this would occur would be because you had a custom ruleset added causing an issue. The log output you're showing here doesn't appear to insinuate that there's an issue with Apache, just that there was a rule hit (meaning mod_security is doing its job).

    Are there specific errors related to ModSecurity when Apache crashes - log entries that are not rule matches?


    Thanks!
     
  3. rpvw

    rpvw Well-Known Member

    I had an error with httpd after upcp to 76.0.8 as well.

    I had a third party modsec vendor that was not enabled for rules, but was enabled for updates.

    The vendor update failed in the upcp, and it crashed httpd.

    I first deleted the vendor that was causing the problem, and tried to restart httpd with the service httpd restart command, but this didn't work.

    I then ran the full /usr/local/cpanel/scripts/restartsrv_apache command that seemed to sort everything out and the httpd restarted as normal.

    Hope this helps.
     
    cPanelLauren likes this.
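
The distinction raised in the thread, between ModSecurity rule hits and log entries that are not rule matches, can be checked mechanically. The following Python script is an added example, not part of the original posts and not cPanel's code; `parse_line` and `triage` are hypothetical names, and the sample log is constructed (three lines shortened from the excerpt above plus one made-up non-rule entry).

```python
import re
from collections import Counter

# Constructed sample: lines 1-3 are shortened from the excerpt in the thread;
# line 4 is a made-up non-rule error standing in for a startup/config failure.
SAMPLE_LOG = r'''
[Thu Nov 15 11:05:29.690689 2018] [:error] [pid 23639:tid 47743247877888] [client 104.251.91.195:47269] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "920180"] [msg "POST request missing Content-Length Header."] [severity "WARNING"] [hostname "www.example.net"] [uri "/"]
[Thu Nov 15 11:02:08.993264 2018] [:error] [pid 23640:tid 47743231067904] [client 173.252.127.22:49184] ModSecurity: Warning. String match at TX:extension. [id "920440"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [hostname "sitechecker.example.com"] [uri "/ajax/snap/example.com"]
[Thu Nov 15 10:58:30.928044 2018] [:error] [pid 23638:tid 47743338829568] [client 221.14.172.69:55516] ModSecurity: Warning. Match against "REQUEST_LINE" required. [id "920100"] [msg "Invalid HTTP Request Line"] [severity "WARNING"] [hostname "www.domain.tld"] [uri "/"]
[Thu Nov 15 11:06:10.000000 2018] [:error] [pid 23000:tid 47743000000000] CONSTRUCTED: vendor rule file could not be loaded
'''

HEADER = re.compile(r'^\[(?P<time>[^\]]+)\] \[(?P<module>[^\]]*)\]')
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [key "value"] metadata pairs
CLIENT = re.compile(r'\[client (\d+\.\d+\.\d+\.\d+)')   # IPv4 only, port dropped

def parse_line(line):
    """Return a dict for one error_log line, or None if it is not a log entry."""
    head = HEADER.match(line)
    if not head:
        return None
    # Reversing makes the first occurrence of a repeated key (e.g. tag) win.
    fields = dict(reversed(FIELD.findall(line)))
    client = CLIENT.search(line)
    is_rule = 'ModSecurity:' in line and 'id' in fields
    return {'time': head['time'], 'kind': 'rule_match' if is_rule else 'other',
            'client': client.group(1) if client else None,
            'rule_id': fields.get('id'), 'severity': fields.get('severity'),
            'msg': fields.get('msg'), 'raw': line}

def triage(text):
    """Count rule hits per (id, severity, msg) and collect non-rule entries."""
    hits, others = Counter(), []
    for line in text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        if entry['kind'] == 'rule_match':
            hits[(entry['rule_id'], entry['severity'], entry['msg'])] += 1
        else:
            others.append(entry)
    return hits, others

if __name__ == '__main__':
    hits, others = triage(SAMPLE_LOG)
    for (rule_id, severity, msg), n in hits.most_common():
        print(f'{n:>4}  {rule_id}  {severity:<8}  {msg}')
    for e in others:
        print('NOT A RULE MATCH:', e['raw'])
```

Entries reported as not a rule match are the ones worth reading when httpd fails to start; a high count for a single rule ID points at a rule to review rather than at an Apache fault.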