The Community Forums

Interact with an entire community of cPanel & WHM users!

I think modsec is making some of my visitors want to stab me with an awl.

Discussion in 'Security' started by schwim, Mar 6, 2010.

  1. schwim

    schwim Well-Known Member

    Hi there everyone,

    I'm running

    cPanel 11.24.5-S38506 - WHM 11.24.2 - X 3.9
    CENTOS 5.4 x86_64 virtuozzo on vps4269

    provided by a reseller. I moved about 6 sites from one server running cPanel to another. Now that I've moved, I've received about 20 emails from people stating that they are now receiving 501/505 error notices and cannot visit a particular site. If I point them to another site on the same server, they are able to see that site. The number of people is quite substantial when you take into account that they've gone to great lengths to be able to contact me (no provided method of contact for those that can't visit).

    I had one of the people visit the same site through a proxy and they were able to view the page without issue. I thought that they might have something funny in their UA information so had them check, but I don't see anything:

    Searching the web, I'm finding that many of the people having this problem are people running forums (I'm running phpBB on this site) and resolved the issue by disabling modsec.

    In the WHM panel, I do have a modsec link, but it has absolutely nothing on the page. It simply tells me that it's running and provides a link to the WHM manual regarding modsec.

    This VPS allows me limited access, meaning I don't have root. I haven't tried turning it off via htaccess yet because I would hate to turn the whole feature off to resolve what I hope is a simple overachieving rule.

    Is there a way for me to figure out which rule is being triggered when he visits the page? I can contact the host and they will provide logs, but I would much rather be able to capture it at the script level if possible, since it takes about a day for the visitor to respond for continued troubleshooting.

    Any thoughts on this matter would be greatly appreciated.

    thanks,
    json
     
  2. morissette

    morissette Well-Known Member

    Hey Json,

    The easiest way to figure out which rule is being triggered is to do the following:

    tail -f /usr/local/apache/logs/error_log

    And then reload the page throwing the 501 error. The rule that was triggered will be listed as shown below:

    [Fri Feb 05 16:20:01 2010] [error] [client IP] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "60"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "hostname"] [uri "/~username/domain/wp-content/plugins/wp-o-matic/cron.php"] [unique_id "S2y1sUp8y8YAAH0MRqIAAABY"]

    I hope this helps.

    Matt
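
The lookup described in the post above, as an added example that is not part of the original thread: a Python script that parses ModSecurity entries in the quoted error_log layout and groups denials by rule id for one hostname, so the triggering rule can be found without knowing the visitor's IP. The sample log is constructed; the addresses, hostnames, URIs and rule 900001 are made up.

```python
import re
from collections import Counter

# Leading fields of an Apache 2.2-style error_log entry written by ModSecurity.
HEAD = re.compile(r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
                  r'ModSecurity: (?P<action>[^.]*)\.')
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # e.g. [id "990011"]

def parse_line(line):
    """Return a dict for a ModSecurity entry, or None for any other log line."""
    m = HEAD.match(line)
    if not m:
        return None
    event = m.groupdict()
    event.update(TAG.findall(line))   # id, msg, file, line, hostname, uri, ...
    return event

def blocked_rules(log_text, hostname=None):
    """Summarise triggered rules, most frequent first, optionally for one site."""
    counts, seen = Counter(), {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or "id" not in ev:
            continue
        if hostname and ev.get("hostname") != hostname:
            continue
        counts[ev["id"]] += 1
        info = seen.setdefault(ev["id"], {"msg": ev.get("msg"), "file": ev.get("file"),
                                          "line": ev.get("line"), "clients": set()})
        info["clients"].add(ev["client"])
    return [dict(seen[rid], id=rid, hits=n, clients=sorted(seen[rid]["clients"]))
            for rid, n in counts.most_common()]

# Constructed sample data; only the layout and rule 990011 follow the quoted log line.
_T = ('[Fri Feb 05 16:2{0}:01 2010] [error] [client {1}] ModSecurity: Access denied with '
      'code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" '
      'required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "{3}"] [id "{2}"] '
      '[msg "{6}"] [severity "NOTICE"] [hostname "{4}"] [uri "{5}"] [unique_id "constructed{0}"]')
_M = "Request Indicates an automated program explored the site"
SAMPLE_LOG = "\n".join([
    _T.format(1, "192.0.2.10", "990011", "60", "forum.example.com", "/viewtopic.php", _M),
    _T.format(2, "198.51.100.7", "990011", "60", "forum.example.com", "/posting.php", _M),
    _T.format(3, "203.0.113.5", "900001", "75", "forum.example.com", "/search.php", "constructed rule"),
    _T.format(4, "198.51.100.7", "900001", "75", "blog.example.com", "/index.php", "constructed rule"),
    "[Fri Feb 05 16:25:30 2010] [error] [client 192.0.2.10] File does not exist: /home/user/public_html/favicon.ico",
])

if __name__ == "__main__":
    for rule in blocked_rules(SAMPLE_LOG, hostname="forum.example.com"):
        print(rule["id"], rule["hits"], rule["clients"], rule["file"], rule["line"], rule["msg"])
```

With the rule id in hand, the host can disable that one rule for the affected site (ModSecurity 2.x `SecRuleRemoveById`) instead of turning the engine off.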
     
  3. schwim

    schwim Well-Known Member

    Hi there Matt,

    First, thanks very much for your help. I appreciate you taking the time to reply.

    I have one issue that makes this a little tough. I have to request the logs from the host and the visitor that is trying to help me isn't what you would consider prompt in following instructions and getting the results back to me. Without an IP attached to the error, I don't see how I'm going to pin his down.

    Is there any way to pipe the error either to screen or a log of my choosing via htaccess maybe? This sounds far-fetched even to me, but I've seen people do some amazing things through it so I thought I'd ask.

    thanks,
    json
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Are you able to update this server? It appears to be a bit out of date.
    What version of Apache are you running and do you know if SuPHP is enabled?

    There should also be a button to "Edit Config" and when you click it, you should see these links:

    Reset configuration textarea to: Default Configuration No Configuration

    Clicking Default Configuration should populate the rules. You'd click Save Configuration at bottom of page.

    IMHO, if the host is this much trouble to get in touch with and assist you with this issue, not to mention running an out-of-date cPanel (Aug 2009), you might do better to move them again.
     