Mod_Security DBM Question in 2018

[feldon27]

I'm forced to create a new thread because this forum disallows replying to threads after 1 year (what a strange rule!).

This problem still exists after many years:

Change secdatadir
Mod_Security DBM Question
ModSecurity: Rule processing failed.
cPanel confirmed - Modsecurity incompatibility with Mod_ruid2 · Issue #1334 · SpiderLabs/ModSecurity · GitHub
my.ultrawebhosting.com/knowledgebase/359/ModSecurity-collectionstore-Failed-to-access-DBM-file-orvarorcpanelorsecdatadirorip-Permission-denied-.html
Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied - ConfigServer Community Forum
serverfault.com/questions/687159/apache-with-modsec-collections-remove-stale-failed-to-access-dbm-file

I found a possible fix:
prakash-khadka.com.np/failed-access-dbm-file-varcpanelsecdatadirip-permission-denied/

I tried applying the change to /etc/apache2/conf.d/modsec/modsec2.user.conf

but apparently that file cannot override directives in /etc/apache2/conf.d/modsec/modsec2.cpanel.conf


I applied the change directly to modsec2.cpanel.conf and mercy be, the messages have stopped!! Too bad they'll start again when cPanel rewrites this file. I weep for the future of my SSD drive as thousands of these messages are logged.

 

[Bulent Tekcan]

Hello,

This problem is gone, I think I found a solution like this way

1- Edit modsec/modsec2.cpanel.conf and put SecDataDir "/var/log/secdatadir" than save and exit
2- Make this step with SSH root access

cp -R /var/cpanel/secdatadir /var/log/
chmod 1733 /var/log/secdatadir
chown -R nobody:nobody /var/log/secdatadir
chmod ugo+rw /var/log/secdatadir/ip.*
chmod ugo+rw /var/log/secdatadir/user.*
chmod ugo+rw /var/log/secdatadir/global.*

And restart https deamon. Finaly my "ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied" problem is gone

I hope other users happy for this solutions

 

[cPanelMichael]

Hello,

I believe the workaround you are looking for is discussed on the following thread:

ModSecurity - SecDataDir

You should be able to simply define the custom path for the "SecGeoLookupDb" directive via the following option:

"WHM Home » Security Center » ModSecurity™ Configuration » Configure Global Directives"

Let us know if that helps.

Thank you.

 

[linuxman1]

Hello,

This problem is gone, I think I found a solution like this way

1- Edit modsec/modsec2.cpanel.conf and put SecDataDir "/var/log/secdatadir" than save and exit
2- Make this step with SSH root access

cp -R /var/cpanel/secdatadir /var/log/
chmod 1733 /var/log/secdatadir
chown -R nobody:nobody /var/log/secdatadir
chmod ugo+rw /var/log/secdatadir/ip.*
chmod ugo+rw /var/log/secdatadir/user.*
chmod ugo+rw /var/log/secdatadir/global.*

And restart https deamon. Finaly my "ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied" problem is gone

I hope other users happy for this solutions

I read on a post that this solution is temporarily, as Cpanel when it runs cpup it will overwrite this change!

 

[linuxman1]

Hello,

I believe the workaround you are looking for is discussed on the following thread:

ModSecurity - SecDataDir

You should be able to simply define the custom path for the "SecGeoLookupDb" directive via the following option:

"WHM Home » Security Center » ModSecurity™ Configuration » Configure Global Directives"

Let us know if that helps.

Thank you.

This workaround didn't work on my server, still have the same errors on logs, what worked only is chmod 777 the whole secdatadir directory and not only ip.* files!
I read before at Cpanel forums that this issue should be solved when mod security version 3 is available, and as I checked online recently it's finally available, when Cpanel will use it instead of version 2.9 which is currently used by Cpanel?

 

[cPanelMichael]

I read before at Cpanel forums that this issue should be solved when mod security version 3 is available, and as I checked online recently it's finally available, when Cpanel will use it instead of version 2.9 which is currently used by Cpanel?

Hello,

There's currently no time frame on it's inclusion with cPanel & WHM, but I encourage you to vote and add feedback to the existing feature request at:

https://features.cpanel.net/topic/modsecurity-v3-support

We'll update the feature request with more information on the status of it's inclusion with cPanel & WHM as it becomes available.

Thank you.

 

[rclemings]

For some reason I can't get this to work. I did the following:

1. created /var/log/secdatadir and its files and set permissions and ownership
2. set SecGeoLookupDb to /var/log/secdatadir in WHM
3. restarted the web server
4. confirmed that SecGeoLookupDb "/var/log/secdatadir" is now in /etc/apache2/conf.d/modsec/modsec2.cpanel.conf

and I still get this in the /usr/local/apache/error_log:

ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip"

It looks as if the SecGeoLookupDb setting in modsec2.cpanel.conf is not being recognized.

Where did I go wrong?

Hello,

I believe the workaround you are looking for is discussed on the following thread:

ModSecurity - SecDataDir

You should be able to simply define the custom path for the "SecGeoLookupDb" directive via the following option:

"WHM Home » Security Center » ModSecurity™ Configuration » Configure Global Directives"

Let us know if that helps.

Thank you.

 

[cPanelMichael]

ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip"

Hello @rclemings,

Can you confirm if your system is using either Mod_Ruid2 or MPM-ITK? Additionally, do you notice any further output in the Apache error log or the ModSecurity audit log at the time of the error?

Thank you.

 

[rclemings]

Yes on mod_ruid2, no on mod_mpm_itk.

The only thing I see in the Apache error log is what's noted above. Here's a sanitized example of the full line:

[Thu Jun 21 18:48:31.576606 2018] [:error] [pid 17159] [client xxx.xxx.xxx.xx:xxxxx] [client xxx.xxx.xxx.xx] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxx.xxx.xxx"] [uri "/xxx/xxx/xxx/xxx/xxx.xxx"] [unique_id "Wyvy-znpE5EZ5QYb1vniJAAAAAM"], referer: - Removed -'

... and for the corresponding request from the modsec audit log:

xxx.xxx.xxx xxx.xxx.xxx.xx - - [21/Jun/2018:18:48:31 +0000] "GET /xxx/xxx/xxx/xxx/xxx.xxx?itok=odo8ZqNm HTTP/1.1" 200 3863 "-" "-" Wyvy-znpE5EZ5QYb1vniJAAAAAM "-" /xxxxxxxx/20180621/20180621-1848/20180621-184831-Wyvy-znpE5EZ5QYb1vniJAAAAAM 0 2300 md5:b74040396f83579e10ef2b633ac0c62e

I don't understand why it's hitting /var/cpanel/secdatadir/ip in the first place, since I set SecGeoLookupDb to /var/log/secdatadir. I don't think I missed a step (famous last words) ...

 

[cPanelMichael]

Hello @rclemings,

The workaround you used is only applicable to the Geolocation Database (SecGeoLookupDb) option. The SecDataDir configuration value still uses the /var/cpanel/secdatadir by default. You can try updating that value directly in the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf file (and then restart Apache), but keep in mind these are user-submitted workarounds that are unsupported and not recommended.

Thank you.

 

[rclemings]

OK. That would have to be redone after every update then, right?

 

[cPanelMichael]

Hello @rclemings,

Upon testing, the modified value in the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf file was not altered upon updating cPanel and downgrading/upgrading the ea-apache24-mod_security2 RPM.

Thank you.

 

[rclemings]

great news ... thanks

 

[rclemings]

Spoke too soon ...

##
## ModSecurity fixed global configuration directives
##
SecDataDir "/var/log/secdatadir"

was reverted to

##
## ModSecurity fixed global configuration directives
##
SecDataDir "/var/cpanel/secdatadir"

in today's update from 70.0.48 to 70.0.51.

 

[cPanelMichael]

Hello,

It does appear that value can be modified. You could setup a script that replaces that line in the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf file and then add a hook that runs in the upcp post stage:

Guide to Standardized Hooks - Developer Documentation - cPanel Documentation
Guide to Standardized Hooks - System Functions - Developer Documentation - cPanel Documentation

There's an example of how to do this on the following post (it's for Roundcube, but the same concept applies):

SOLVED - HELO name problem on roundcube

Thank you.

 

[Benjamin D.]

Wanted to go read and possibly upvote the feature request that you mentioned @cPanelMichael but it's gone? 404 error on your link: ModSecurity - SecDataDir

 

[cPanelMichael]

Hello @Benjamin D.,

It looks like the previous feature request for ModSecurity version 3 was lost as part of the incident noted on the following link:

Feature Request Site Downtime

I've submitted a request to open the feature request again. Once it's approved, the new feature request URL will be:

https://features.cpanel.net/topic/modsecurity-v3-support

Thank you.