Mod_Security DBM Question in 2018

Discussion in 'Security' started by feldon27, Feb 5, 2018.

  1. feldon27

    feldon27 Well-Known Member

    I'm forced to create a new thread because this forum disallows replying to threads after 1 year (what a strange rule!).

    This problem still exists after many years:

    Change secdatadir
    Mod_Security DBM Question
    ModSecurity: Rule processing failed.
    cPanel confirmed - Modsecurity incompatibility with Mod_ruid2 · Issue #1334 · SpiderLabs/ModSecurity · GitHub
    my.ultrawebhosting.com/knowledgebase/359/ModSecurity-collectionstore-Failed-to-access-DBM-file-orvarorcpanelorsecdatadirorip-Permission-denied-.html
    Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied - ConfigServer Community Forum
    serverfault.com/questions/687159/apache-with-modsec-collections-remove-stale-failed-to-access-dbm-file

    I found a possible fix:
    prakash-khadka.com.np/failed-access-dbm-file-varcpanelsecdatadirip-permission-denied/

    I tried applying the change to /etc/apache2/conf.d/modsec/modsec2.user.conf

    but apparently that file cannot override directives in /etc/apache2/conf.d/modsec/modsec2.cpanel.conf


    I applied the change directly to modsec2.cpanel.conf and mercy be, the messages have stopped!! Too bad they'll start again when cPanel rewrites this file. :( I weep for the future of my SSD drive as thousands of these messages are logged.
     
  2. Bulent Tekcan

    Bulent Tekcan Well-Known Member

    Hello,

    This problem is gone; I think I found a solution, like this:

    1- Edit modsec/modsec2.cpanel.conf and put SecDataDir "/var/log/secdatadir", then save and exit
    2- Do this step with SSH root access:

    cp -R /var/cpanel/secdatadir /var/log/
    chmod 1733 /var/log/secdatadir
    chown -R nobody:nobody /var/log/secdatadir
    chmod ugo+rw /var/log/secdatadir/ip.*
    chmod ugo+rw /var/log/secdatadir/user.*
    chmod ugo+rw /var/log/secdatadir/global.*

    And restart the https daemon. Finally, my "ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied" problem is gone.

    I hope other users are happy with this solution :)
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I believe the workaround you are looking for is discussed on the following thread:

    ModSecurity - SecDataDir

    You should be able to simply define the custom path for the "SecGeoLookupDb" directive via the following option:

    "WHM Home » Security Center » ModSecurity™ Configuration » Configure Global Directives"

    Let us know if that helps.

    Thank you.
     
  4. linuxman1

    linuxman1 Member

    I read in a post that this solution is temporary, as cPanel will overwrite this change when it runs cpup!
     
  5. linuxman1

    linuxman1 Member

    This workaround didn't work on my server; I still have the same errors in the logs. The only thing that worked was chmod 777 on the whole secdatadir directory, not only the ip.* files!
    I read before on the cPanel forums that this issue should be solved when ModSecurity version 3 is available, and as I checked online recently, it's finally available. When will cPanel use it instead of version 2.9, which cPanel currently uses?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    There's currently no time frame on its inclusion with cPanel & WHM, but I encourage you to vote and add feedback to the existing feature request at:

    ModSecurity V.3 Support

    We'll update the feature request with more information on the status of its inclusion with cPanel & WHM as it becomes available.

    Thank you.
     
  7. rclemings

    rclemings Active Member

    For some reason I can't get this to work. I did the following:

    1. created /var/log/secdatadir and its files and set permissions and ownership
    2. set SecGeoLookupDb to /var/log/secdatadir in WHM
    3. restarted the web server
    4. confirmed that SecGeoLookupDb "/var/log/secdatadir" is now in /etc/apache2/conf.d/modsec/modsec2.cpanel.conf

    and I still get this in the /usr/local/apache/error_log:

    ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip"

    It looks as if the SecGeoLookupDb setting in modsec2.cpanel.conf is not being recognized.

    Where did I go wrong?




     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @rclemings,

    Can you confirm if your system is using either Mod_Ruid2 or MPM-ITK? Additionally, do you notice any further output in the Apache error log or the ModSecurity audit log at the time of the error?

    Thank you.
     
  9. rclemings

    rclemings Active Member

    Yes on mod_ruid2, no on mod_mpm_itk.

    The only thing I see in the Apache error log is what's noted above. Here's a sanitized example of the full line:
    Code:
    [Thu Jun 21 18:48:31.576606 2018] [:error] [pid 17159] [client xxx.xxx.xxx.xx:xxxxx] [client xxx.xxx.xxx.xx] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxx.xxx.xxx"] [uri "/xxx/xxx/xxx/xxx/xxx.xxx"] [unique_id "Wyvy-znpE5EZ5QYb1vniJAAAAAM"], referer: - Removed -'
    
    ... and for the corresponding request from the modsec audit log:
    Code:
    xxx.xxx.xxx xxx.xxx.xxx.xx - - [21/Jun/2018:18:48:31 +0000] "GET /xxx/xxx/xxx/xxx/xxx.xxx?itok=odo8ZqNm HTTP/1.1" 200 3863 "-" "-" Wyvy-znpE5EZ5QYb1vniJAAAAAM "-" /xxxxxxxx/20180621/20180621-1848/20180621-184831-Wyvy-znpE5EZ5QYb1vniJAAAAAM 0 2300 md5:b74040396f83579e10ef2b633ac0c62e
    
    I don't understand why it's hitting /var/cpanel/secdatadir/ip in the first place, since I set SecGeoLookupDb to /var/log/secdatadir. I don't think I missed a step (famous last words) ...
     
    #9 rclemings, Jun 21, 2018 at 2:08 PM
    Last edited by a moderator: Jun 21, 2018 at 2:51 PM
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @rclemings,

    The workaround you used is only applicable to the Geolocation Database (SecGeoLookupDb) option. The SecDataDir configuration value still uses the /var/cpanel/secdatadir by default. You can try updating that value directly in the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf file (and then restart Apache), but keep in mind these are user-submitted workarounds that are unsupported and not recommended.

    Thank you.
     
  11. rclemings

    rclemings Active Member

    OK. That would have to be redone after every update then, right?
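
Added example (not part of the thread, and not cPanel or ModSecurity tooling): a shell check for the mix-up resolved in post #10, which can be re-run after each update as raised in post #11. It reads SecDataDir and SecGeoLookupDb from a config file and compares them with the directories named in the error log's DBM failures; the function names are hypothetical and the sample config and log line are constructed.

```shell
#!/bin/sh
# Added example, not cPanel or ModSecurity tooling. All paths are passed as arguments.

# Value of the last uncommented occurrence of directive $2 in config file $1.
# Assumes the value contains no spaces.
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2; gsub(/"/, "", v) }
                   END { if (v != "") print v }' "$1"
}

# Distinct directories named in "Failed to access DBM file" errors in log $1.
failing_dbm_dirs() {
    sed -n 's|.*Failed to access DBM file "\([^"]*\)/[^/"]*".*|\1|p' "$1" | sort -u
}

# One-line verdict for config $1, error log $2 and intended SecDataDir $3.
diagnose() {
    data=$(directive_value "$1" SecDataDir)
    geo=$(directive_value "$1" SecGeoLookupDb)
    if [ "$data" = "$3" ]; then
        if failing_dbm_dirs "$2" | grep -qxF "$3"; then
            echo "denied: SecDataDir is $3 but Apache still cannot open its DBM files"
        else
            echo "ok: SecDataDir is $3 and the log shows no DBM failures there"
        fi
    elif [ "$geo" = "$3" ]; then
        echo "mixup: SecGeoLookupDb is $3; SecDataDir is still ${data:-unset}"
    else
        echo "drifted: SecDataDir is ${data:-unset}, expected $3"
    fi
}

# Constructed sample reproducing the state described in posts #7 to #10.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'SecDataDir "/var/cpanel/secdatadir"' \
                  'SecGeoLookupDb "/var/log/secdatadir"' > "$d/modsec2.cpanel.conf"
    printf '%s\n' '[Thu Jun 21 18:48:31 2018] [:error] [pid 1] [client 192.0.2.10] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "example.test"]' > "$d/error_log"
    diagnose "$d/modsec2.cpanel.conf" "$d/error_log" /var/log/secdatadir
    failing_dbm_dirs "$d/error_log"
    rm -rf "$d"
}
demo
```

Run diagnose against log lines written after the last Apache restart, since older entries still name the previous directory.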
     