Gojko

Well-Known Member
Nov 24, 2014
Macedonia
cPanel Access Level
Root Administrator
Hello, the cPanel version is 76.0.8.
After the update, httpd goes down; conflict with mod_security:


Code:
[Thu Nov 15 11:05:29.690689 2018] [:error] [pid 23639:tid 47743247877888] [client 104.251.91.195:47269] [client 104.251.91.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "157"] [id "920180"] [rev "1"] [msg "POST request missing Content-Length Header."] [data "0"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [hostname "www.example.net"] [uri "/"] [unique_id "[email protected]"], referer: http://www.example.net
[Thu Nov 15 11:02:08.993264 2018] [:error] [pid 23640:tid 47743231067904] [client 173.252.127.22:49184] [client 173.252.127.22] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "452"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "sitechecker.example.com"] [uri "/ajax/snap/example.com"] [unique_id "[email protected]@[email protected]"]
[Thu Nov 15 10:58:30.928044 2018] [:error] [pid 23638:tid 47743338829568] [client 221.14.172.69:55516] [client 221.14.172.69] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "47"] [id "920100"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "CONNECT www.domain.tld:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "www.domain.tld"] [uri "/"] [unique_id "[email protected]"]
Any info on how to avoid this error and turn mod_security on again?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
Hello @Gojko

Do you have custom mod_security rules added? The only reason I can think of that this would occur would be because you had a custom ruleset added causing an issue. The log output you're showing here doesn't appear to insinuate that there's an issue with Apache, just that there was a rule hit (meaning mod_security is doing its job).

Are there specific errors related to ModSecurity when Apache crashes - log entries that are not rule matches?


Thanks!
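
One way to answer the question above, separating ModSecurity rule hits from every other error_log entry (an added example, not part of the original posts and not cPanel tooling). The sample lines are constructed in the format quoted in the thread, and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the error_log format quoted in the thread (fields
# shortened, documentation IPs). The last line is a constructed non-rule entry.
_RULES = "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"
SAMPLE_LOG = f"""\
[Thu Nov 15 11:05:29.690689 2018] [:error] [pid 23639:tid 1] [client 192.0.2.10:47269] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "{_RULES}"] [line "157"] [id "920180"] [msg "POST request missing Content-Length Header."] [severity "WARNING"] [uri "/"]
[Thu Nov 15 11:05:31.100000 2018] [:error] [pid 23639:tid 2] [client 192.0.2.11:50112] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "{_RULES}"] [line "157"] [id "920180"] [msg "POST request missing Content-Length Header."] [severity "WARNING"] [uri "/"]
[Thu Nov 15 11:02:08.993264 2018] [:error] [pid 23640:tid 3] [client 192.0.2.12:49184] ModSecurity: Warning. String match within ".bak/ .com/ .sql/" at TX:extension. [file "{_RULES}"] [line "452"] [id "920440"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [uri "/ajax/snap/example.com"]
[Thu Nov 15 11:06:02.000000 2018] [core:notice] [pid 23600:tid 4] AH00052: child pid 23639 exit signal Segmentation fault (11)
"""

# Matches the bracketed key/value fields ModSecurity appends, e.g. [id "920180"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def triage(log_text):
    """Split an Apache error_log into rule hits and everything else.

    Returns (hits, other): hits counts (rule id, severity, msg) tuples,
    other lists the lines that are not rule matches, which is where a
    crash or a failed configuration load would show up.
    """
    hits, other = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD.findall(line))
        if "ModSecurity:" in line and "id" in fields:
            key = (fields["id"], fields.get("severity", "?"), fields.get("msg", ""))
            hits[key] += 1
        else:
            other.append(line)
    return hits, other


if __name__ == "__main__":
    hits, other = triage(SAMPLE_LOG)
    for (rule_id, severity, msg), count in hits.most_common():
        print(f"{count:4d}  {rule_id}  {severity:8s}  {msg}")
    print(f"\n{len(other)} non-rule entries to review:")
    for line in other:
        print("  " + line)
```

To run it against a real log, pass the file's contents to `triage` in place of `SAMPLE_LOG`.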
 

rpvw

Well-Known Member
Jul 18, 2013
UK
cPanel Access Level
Root Administrator
I had an error with httpd after upcp to 76.0.8 as well.

I had a third party modsec vendor that was not enabled for rules, but was enabled for updates.

The vendor update failed in the upcp, and it crashed httpd.

I first deleted the vendor that was causing the problem, and tried to restart httpd with the service httpd restart command, but this didn't work.

I then ran the full /usr/local/cpanel/scripts/restartsrv_apache command that seemed to sort everything out and the httpd restarted as normal.

Hope this helps.
 