
Mod_Security DBM Question

Discussion in 'EasyApache' started by Spork Schivago, Nov 9, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    514
    Likes Received:
    54
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Also, with just modsecurity and no mod_ruid2, I receive the DB error messages in the modsecurity logs under the /etc/apache2/logs/ directory. Is that normal? I've always hated those DB error messages. ModSecurity 3 is being released soon. It's not supposed to have those issues and it's supposed to be compatible with mod_ruid2. Hopefully, when it comes out, cPanel upgrades to ModSec 3. Do you know if there are any plans for the upgrade? Thanks.
     
    #1 Spork Schivago, Nov 9, 2016
    Last edited by a moderator: Nov 10, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you let us know the specific DBM error messages you are seeing?

    A production version of ModSecurity 3 has not yet been released. The process of analyzing, testing, and considering it for inclusion with EasyApache 4 will occur once it's released and stable. I encourage you to open a feature request for ModSecurity 3, and you can then subscribe to the request to receive updates on the progress of its inclusion:

    Submit A Feature Request

    Thank you.
     
    Spork Schivago likes this.
  3. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    514
    Likes Received:
    54
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Are you sure it's not production yet? I just checked my e-mail and I see a message from the mailing list...this is what it says:
    Code:
    The OWASP ModSecurity Core Rule Set team is excited to announce the
    CRS release v3.0.0, short CRS3.
    
    Over 4 years in the making, this release represents a huge step forward
    in terms of capabilities, usability and protection. Key features
    include:
    
    * Over 90% reduction of false alarms in a default install
      when compared to CRS2
    * A user-defined Paranoia Level to enable additional strict checks
    * Application-specific exclusions for WordPress Core and Drupal
    * Sampling mode: runs the CRS on a user-defined percentage of traffic
    * SQLi/XSS parsing using libinjection embedded in ModSecurity
    
    For a complete list of new features and the changes in this release, see
    the new site of the project
    https://modsecurity.org/crs
    or the CHANGES document on github
    https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/CHANGES
    
    CRS3 is the best stable release of the OWASP ModSecurity Core Rule Set.
    We advise all users and providers of boxed CRS versions to update their
    setups. CRS2 will reach its end of life soon.
    
    CRS3 requires an Apache/IIS/Nginx web server with ModSecurity 2.8.0 or
    higher.
    
    Our GitHub repository is the preferred way to download and update CRS:
    $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
    
    For detailed installation instructions, see the INSTALL document.
    https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/INSTALL
    
    The release is accompanied by a series of tutorials that guide you
    through the
    * Setup of ModSecurity
    https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/
    * Inclusion of the CRS
    https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/
    * Handling of false positives
    https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/
    
    Our desire is to see the Core Rules project as a simple baseline
    security feature, effectively fighting OWASP TOP 10 weaknesses with few
    side effects. As such we attempted to cut down on false positives as
    much as possible in the default install. Of course this must not affect
    the detection capabilities of the WAF. We honestly believe that the
    default install of CRS3 brings at least the same level of security and
    higher paranoia levels let you protect your site even more tightly.
    
    We are very excited about this release. So excited, we want to make it
    into a movie. As a first step, we designed the following poster:
    https://modsecurity.org/crs/poster
    Please share this link and feel free to print it for your personal use!
    
    Sincerely,
    
    Christian Folini on behalf of Chaim Sanders and Walter Hop
    (The Core CRS team, so to say)
    
    I made bold the part about CRS2 hitting EOL and how they advise all their users and providers of boxed CRS versions to update their setups to CRS3. To me, this sounds like CRS3 just went into production. What do you think cPanelMichael? I understand even once it goes into production status, there will still be a lot of testing that needs to be done before it's implemented into cPanel. That's one of the things I love about cPanel and what made me decide to continue using it. It's fairly stable and when there is a problem, you and your team have no problems opening an internal case. It doesn't seem to take long for the internal cases to get fixed either.

    Here's the exact error message I receive, over and over and over again. Starting at [Wed Nov 09 15:11:08.347964 2016], in /etc/apache2/logs/error_log, I have 47,077 lines of text, most of them saying:
    Code:
    [Wed Nov 09 15:11:19.105770 2016] [core:warn] [pid 23822] AH00111: Config variable ${REQUEST_URI} is not defined
    [Wed Nov 09 15:11:19.106369 2016] [:error] [pid 23822] [client <my server's IP address>] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
    [Wed Nov 09 15:11:19.106405 2016] [:error] [pid 23822] [client <my server's IP address>] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
    [Wed Nov 09 15:11:19.187538 2016] [:error] [pid 23822] [client <my server's IP address>] ModSecurity: Access denied with redirection to http://example.com/ using status 302 (phase 2). Matched phrase "nikto" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-13-SCANNER-DETECTION.conf"] [line "17"] [id "990002"] [rev "2"] [msg "Request Indicates a Security Scanner Scanned the Site"] [data "Matched Data: nikto found within REQUEST_HEADERS:User-Agent: mozilla/5.00 (nikto/2.1.6) (evasions:none) (test:domino detection)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: example.com"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation"] [tag "reputation-scanner"] [tag "OWASP_CRS/AUTOMATION/SECURITY_SCANNER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
    [Wed Nov 09 15:11:19.187968 2016] [:error] [pid 23822] [client <my server's IP address>] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
    

    I replaced my hostname with example.com and I replaced my server's IP address in the [client ] tag with <my server's IP address>. I was running Nikto, locally, trying to search for some old weaknesses. These error messages repeat over and over and over again. The whole failed to access DBM file "/var/cpanel/secdatadir/ip" message....

    These are the file permissions of /var/cpanel/secdatadir and the files inside that directory:
    Code:
    drwxr-xr-x 23 root   root      4096 Nov 10 04:04 /var/
    drwx--x--x 98 root   root     12288 Nov 10 16:04 /var/cpanel/
    drwxrwx-wT 2  root   nobody    4096 Jan 21  2016 /var/cpanel/secdatadir/
    -rw-rw-r-- 1  nobody nobody       0 Jan 21  2016 /var/cpanel/secdatadir/global.dir
    -rw-rw-r-- 1  nobody nobody       0 Jan 21  2016 /var/cpanel/secdatadir/global.pag
    -rw-rw-rw- 1  nobody nobody    4096 Nov  9 14:55 /var/cpanel/secdatadir/ip.dir
    -rw-rw-rw- 1  nobody nobody 2009088 Nov 10 15:58 /var/cpanel/secdatadir/ip.pag
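
As an added example (not code from this thread, from cPanel, or from the ModSecurity project), here is a small Python triage script for an error_log in the format shown above. It separates ModSecurity's own operational failures (the `collection_store` DBM error and the `Geo Lookup` mutex error) from genuine rule hits such as the Nikto detection, counts each kind, collects the DBM paths and rule ids involved, and counts how many distinct requests (by `unique_id`) produced the noise. The sample lines embedded in it are constructed from the excerpt above, with `example.com` and a documentation IP address in place of the real host and client.

```python
"""Triage ModSecurity messages in an Apache error_log (added example)."""
import re
import sys
from collections import Counter

# Constructed sample modelled on the thread's excerpt; 192.0.2.10 is an
# RFC 5737 documentation address standing in for the real client IP.
SAMPLE_LOG = """\
[Wed Nov 09 15:11:19.105770 2016] [core:warn] [pid 23822] AH00111: Config variable ${REQUEST_URI} is not defined
[Wed Nov 09 15:11:19.106369 2016] [:error] [pid 23822] [client 192.0.2.10] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
[Wed Nov 09 15:11:19.106405 2016] [:error] [pid 23822] [client 192.0.2.10] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
[Wed Nov 09 15:11:19.187538 2016] [:error] [pid 23822] [client 192.0.2.10] ModSecurity: Access denied with redirection to http://example.com/ using status 302 (phase 2). Matched phrase "nikto" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-13-SCANNER-DETECTION.conf"] [line "17"] [id "990002"] [msg "Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
[Wed Nov 09 15:11:19.187968 2016] [:error] [pid 23822] [client 192.0.2.10] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
"""

# Apache 2.4 error_log prefix followed by the ModSecurity message body.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\]'
    r'(?: \[client (?P<client>[^\]]+)\])? ModSecurity: (?P<body>.*)$'
)
# ModSecurity appends [key "value"] fields to every message.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DBM_RE = re.compile(r'Failed to access DBM file "([^"]+)"')

# Failures of the engine itself, as opposed to rule matches.
OPERATIONAL = (
    ("dbm_store", "collection_store: Failed to access DBM file"),
    ("geo_mutex", "Geo Lookup: Failed to lock proc mutex"),
)


def parse_line(line):
    """Return a dict for a ModSecurity line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    fields = dict(TAG_RE.findall(body))
    kind = "other"
    for name, prefix in OPERATIONAL:
        if body.startswith(prefix):
            kind = name
            break
    else:
        if body.startswith("Access denied"):
            kind = "blocked"
        elif body.startswith("Warning."):
            kind = "warning"
    dbm = DBM_RE.search(body)
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "kind": kind,
        "rule_id": fields.get("id"),
        "uri": fields.get("uri"),
        "unique_id": fields.get("unique_id"),
        "dbm_path": dbm.group(1) if dbm else None,
    }


def summarize(text):
    """Count message kinds, rule ids, DBM paths and distinct requests."""
    counts, rule_ids = Counter(), Counter()
    dbm_paths, requests = set(), set()
    non_modsec = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            non_modsec += 1
            continue
        counts[ev["kind"]] += 1
        if ev["rule_id"]:
            rule_ids[ev["rule_id"]] += 1
        if ev["dbm_path"]:
            dbm_paths.add(ev["dbm_path"])
        if ev["unique_id"]:
            requests.add(ev["unique_id"])
    return {
        "counts": dict(counts),
        "rule_ids": dict(rule_ids),
        "dbm_paths": dbm_paths,
        "requests": len(requests),
        "non_modsec_lines": non_modsec,
    }


def report(summary):
    """Human-readable view of summarize()'s result."""
    for kind, n in sorted(summary["counts"].items()):
        print(f"{kind:10s} {n}")
    print(f"distinct requests: {summary['requests']}")
    if summary["rule_ids"]:
        print("rule hits:", ", ".join(f"{r}x{n}" for r, n in summary["rule_ids"].items()))
    for path in sorted(summary["dbm_paths"]):
        # The worker process (which under mod_ruid2/MPM-ITK is not 'nobody')
        # could not open the persistent collection; check SecDataDir ownership.
        print(f"DBM store unreadable by worker: {path}")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report(summarize(text))
```

Run it with no arguments to see the constructed sample triaged, or point it at a real file (`python3 modsec_triage.py /etc/apache2/logs/error_log`) to see how much of a 47,000-line log is engine noise versus actual rule matches; the `Geo Lookup` and `collection_store` errors share a `unique_id` with the Nikto hit, which is why every blocked request produces several extra lines.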
    
     
  4. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    514
    Likes Received:
    54
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    I tried submitting a feature request. It had the word ModSec 3 in the title, but I don't see it listed in the Feature Request. How can I make sure it was successfully submitted? I searched for ModSec 3 and didn't see it in the search results.

    I've submitted it twice now and it just doesn't show up under the feature requests that I've submitted. The title of the feature request was:

    Replace ModSec 2 with ModSec 3.

    Any ideas why?
     
    #4 Spork Schivago, Nov 10, 2016
    Last edited by a moderator: Nov 10, 2016
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,765
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Feature Requests are moderated. You can read more about that here if needed:
    https://forums.cpanel.net/pages/cpfeatures/


    I would think so, yes. The cPanel team probably got the same email you did, just today.


    Here's the actual link to the OWASP list for reference:
    [Owasp-modsecurity-core-rule-set] OWASP ModSecurity Core Rule Set Version 3.0.0 Released


    Funny parts:

    4 years in the waiting with some of the most problematic rules I've ever used, and we get jokes. :rolleyes:
     
    Spork Schivago likes this.
  6. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    514
    Likes Received:
    54
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Haha.

    So the moderation comment you made, that means my feature requests won't show up under my profile until a moderator approves them? Thanks.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,765
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    That is correct, yes. :)
     
    Spork Schivago likes this.
  8. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    514
    Likes Received:
    54
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,765
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Anytime. Happy to help. :)
     
  10. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    514
    Likes Received:
    54
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    I wanted to say I made a mistake in my original post. ModSecurity 3 hasn't been released yet. It's the Core Rule Set 3 that's been released. cPanel Benny was kind enough to mention my mistake and offered to create a feature request to support CRS3. Also, the ModSecurity team was talking about implementing the various Mod_RUID2 / MPM-ITK patches into 2.9.2, so hopefully, when ModSecurity 2.9.2 is released, Mod_RUID2 will be compatible again.

    Anyway, seeing how I have Mod_RUID2 disabled but MPM-ITK enabled, could the error messages I might be seeing be caused by MPM-ITK and ModSecurity 2 not being fully compatible? I guess I could try the patch that's available on ModSecurity's git repository and see if that fixes these pesky error messages.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Those error messages are discussed on the following thread:

    ModSecurity Failed to lock proc mutex

    You may also find this thread helpful:

    https://forums.cpanel.net/threads/modsecurity-secdatadir.575411

    Thank you.
     
    Spork Schivago likes this.