Mod_Security DBM Question in 2018

feldon27

Well-Known Member
Mar 12, 2003
122
14
168
Houston, TX
I'm forced to create a new thread because this forum disallows replying to threads after 1 year (what a strange rule!).

This problem still exists after many years:

Change secdatadir
Mod_Security DBM Question
ModSecurity: Rule processing failed.
cPanel confirmed - Modsecurity incompatibility with Mod_ruid2 · Issue #1334 · SpiderLabs/ModSecurity · GitHub
my.ultrawebhosting.com/knowledgebase/359/ModSecurity-collectionstore-Failed-to-access-DBM-file-orvarorcpanelorsecdatadirorip-Permission-denied-.html
Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied - ConfigServer Community Forum
serverfault.com/questions/687159/apache-with-modsec-collections-remove-stale-failed-to-access-dbm-file

I found a possible fix:
prakash-khadka.com.np/failed-access-dbm-file-varcpanelsecdatadirip-permission-denied/

I tried applying the change to /etc/apache2/conf.d/modsec/modsec2.user.conf

but apparently that file cannot override directives in /etc/apache2/conf.d/modsec/modsec2.cpanel.conf


I applied the change directly to modsec2.cpanel.conf and mercy be, the messages have stopped!! Too bad they'll start again when cPanel rewrites this file. :( I weep for the future of my SSD drive as thousands of these messages are logged.
 

Bulent Tekcan

Well-Known Member
May 11, 2004
185
2
168
cPanel Access Level
Root Administrator
Hello,

This problem is gone, I think I found a solution like this way

1- Edit modsec/modsec2.cpanel.conf and put SecDataDir "/var/log/secdatadir" than save and exit
2- Make this step with SSH root access

cp -R /var/cpanel/secdatadir /var/log/
chmod 1733 /var/log/secdatadir
chown -R nobody:nobody /var/log/secdatadir
chmod ugo+rw /var/log/secdatadir/ip.*
chmod ugo+rw /var/log/secdatadir/user.*
chmod ugo+rw /var/log/secdatadir/global.*

And restart https deamon. Finaly my "ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied" problem is gone

I hope other users happy for this solutions :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,224
463
Hello,

I believe the workaround you are looking for is discussed on the following thread:

ModSecurity - SecDataDir

You should be able to simply define the custom path for the "SecGeoLookupDb" directive via the following option:

"WHM Home » Security Center » ModSecurity™ Configuration » Configure Global Directives"

Let us know if that helps.

Thank you.
 

linuxman1

Member
Aug 25, 2017
14
0
1
Egypt
cPanel Access Level
Root Administrator
Hello,

This problem is gone, I think I found a solution like this way

1- Edit modsec/modsec2.cpanel.conf and put SecDataDir "/var/log/secdatadir" than save and exit
2- Make this step with SSH root access

cp -R /var/cpanel/secdatadir /var/log/
chmod 1733 /var/log/secdatadir
chown -R nobody:nobody /var/log/secdatadir
chmod ugo+rw /var/log/secdatadir/ip.*
chmod ugo+rw /var/log/secdatadir/user.*
chmod ugo+rw /var/log/secdatadir/global.*

And restart https deamon. Finaly my "ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied" problem is gone

I hope other users happy for this solutions :)
I read on a post that this solution is temporarily, as Cpanel when it runs cpup it will overwrite this change!
 

linuxman1

Member
Aug 25, 2017
14
0
1
Egypt
cPanel Access Level
Root Administrator
Hello,

I believe the workaround you are looking for is discussed on the following thread:

ModSecurity - SecDataDir

You should be able to simply define the custom path for the "SecGeoLookupDb" directive via the following option:

"WHM Home » Security Center » ModSecurity™ Configuration » Configure Global Directives"

Let us know if that helps.

Thank you.
This workaround didn't work on my server, still have the same errors on logs, what worked only is chmod 777 the whole secdatadir directory and not only ip.* files!
I read before at Cpanel forums that this issue should be solved when mod security version 3 is available, and as I checked online recently it's finally available, when Cpanel will use it instead of version 2.9 which is currently used by Cpanel?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,224
463
I read before at Cpanel forums that this issue should be solved when mod security version 3 is available, and as I checked online recently it's finally available, when Cpanel will use it instead of version 2.9 which is currently used by Cpanel?
Hello,

There's currently no time frame on it's inclusion with cPanel & WHM, but I encourage you to vote and add feedback to the existing feature request at:

https://features.cpanel.net/topic/modsecurity-v3-support

We'll update the feature request with more information on the status of it's inclusion with cPanel & WHM as it becomes available.

Thank you.
 
Last edited:

rclemings

Well-Known Member
Nov 5, 2007
51
5
58
For some reason I can't get this to work. I did the following:

1. created /var/log/secdatadir and its files and set permissions and ownership
2. set SecGeoLookupDb to /var/log/secdatadir in WHM
3. restarted the web server
4. confirmed that SecGeoLookupDb "/var/log/secdatadir" is now in /etc/apache2/conf.d/modsec/modsec2.cpanel.conf

and I still get this in the /usr/local/apache/error_log:

ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip"

It looks as if the SecGeoLookupDb setting in modsec2.cpanel.conf is not being recognized.

Where did I go wrong?




Hello,

I believe the workaround you are looking for is discussed on the following thread:

ModSecurity - SecDataDir

You should be able to simply define the custom path for the "SecGeoLookupDb" directive via the following option:

"WHM Home » Security Center » ModSecurity™ Configuration » Configure Global Directives"

Let us know if that helps.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,224
463
ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip"
Hello @rclemings,

Can you confirm if your system is using either Mod_Ruid2 or MPM-ITK? Additionally, do you notice any further output in the Apache error log or the ModSecurity audit log at the time of the error?

Thank you.
 

rclemings

Well-Known Member
Nov 5, 2007
51
5
58
Yes on mod_ruid2, no on mod_mpm_itk.

The only thing I see in the Apache error log is what's noted above. Here's a sanitized example of the full line:
Code:
[Thu Jun 21 18:48:31.576606 2018] [:error] [pid 17159] [client xxx.xxx.xxx.xx:xxxxx] [client xxx.xxx.xxx.xx] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxx.xxx.xxx"] [uri "/xxx/xxx/xxx/xxx/xxx.xxx"] [unique_id "Wyvy-znpE5EZ5QYb1vniJAAAAAM"], referer: - Removed -'
... and for the corresponding request from the modsec audit log:
Code:
xxx.xxx.xxx xxx.xxx.xxx.xx - - [21/Jun/2018:18:48:31 +0000] "GET /xxx/xxx/xxx/xxx/xxx.xxx?itok=odo8ZqNm HTTP/1.1" 200 3863 "-" "-" Wyvy-znpE5EZ5QYb1vniJAAAAAM "-" /xxxxxxxx/20180621/20180621-1848/20180621-184831-Wyvy-znpE5EZ5QYb1vniJAAAAAM 0 2300 md5:b74040396f83579e10ef2b633ac0c62e
I don't understand why it's hitting /var/cpanel/secdatadir/ip in the first place, since I set SecGeoLookupDb to /var/log/secdatadir. I don't think I missed a step (famous last words) ...
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,224
463
Hello @rclemings,

The workaround you used is only applicable to the Geolocation Database (SecGeoLookupDb) option. The SecDataDir configuration value still uses the /var/cpanel/secdatadir by default. You can try updating that value directly in the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf file (and then restart Apache), but keep in mind these are user-submitted workarounds that are unsupported and not recommended.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,224
463
Hello @rclemings,

Upon testing, the modified value in the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf file was not altered upon updating cPanel and downgrading/upgrading the ea-apache24-mod_security2 RPM.

Thank you.
 

rclemings

Well-Known Member
Nov 5, 2007
51
5
58
Spoke too soon ...

##
## ModSecurity fixed global configuration directives
##
SecDataDir "/var/log/secdatadir"

was reverted to

##
## ModSecurity fixed global configuration directives
##
SecDataDir "/var/cpanel/secdatadir"

in today's update from 70.0.48 to 70.0.51.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,224
463
Hello,

It does appear that value can be modified. You could setup a script that replaces that line in the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf file and then add a hook that runs in the upcp post stage:

Guide to Standardized Hooks - Developer Documentation - cPanel Documentation
Guide to Standardized Hooks - System Functions - Developer Documentation - cPanel Documentation

There's an example of how to do this on the following post (it's for Roundcube, but the same concept applies):

SOLVED - HELO name problem on roundcube

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,224
463