
mod_security Default Config + cPanel Proxy = Not Playing Nice...

Discussion in 'Security' started by safitech, Feb 7, 2009.

  1. safitech (Member)

    It looks like if you select both of the following options under the "Tweak Settings" as well as install the mod_security Apache addon within EasyApache and enable the 'default config' for mod_security... you'll run into problems.

    **Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)

    **Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)


    I've found at least two things that are affected by this...

    1) Deleting certain types of rows within PHPmyadmin, notably the 'primary key' rows...
    2) Adding 'wildcard' hosts into the MySQL remote access list...

    The following "Default config" mod_security rule will break certain pages within x3 and phpmyadmin...

    Pattern match "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:host. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "17"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]

    [07/Feb/2009:18:09:31 --0500] SY4Uq0IHyKAAAB1mb74AAAAE 123.255.30.231 1184 66.7.200.160 80
    --d48ece02-B--
    GET /frontend/x3/sql/addhost.html?host=192.168.%25.%25 HTTP/1.1
    Host: cpanel.domain.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://cpanel.domain.com/frontend/x3/sql/managehost.html
    Cookie: logintheme=cpanel; cprelogin=no; cpsession=closed
    Authorization: Basic bGVudGlhOm5h

    --d48ece02-F--
    HTTP/1.1 404 Not Found
    Content-type: text/html
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked

    --d48ece02-H--
    Message: Access denied with code 406 (phase 2). Pattern match "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:host. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "17"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]
    Action: Intercepted (phase 2)
    Apache-Handler: proxy-server
    Stopwatch: 1234048171516924 22209 (636 817 -)
    Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
    Server: Apache
     
  2. safitech (Member)

    Remove this rule...

    Here's the rule you'll want to remove from the 'default config' for mod_security until this is fixed...
    Code:
    # Check decodings
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
    "chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
     
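Why the logged request trips rule 950107, as an added example that is not part of safitech's posts or of ModSecurity's own code: the request in the audit log sends `host=192.168.%25.%25`, which is correctly encoded on the wire, but ModSecurity's ARGS collection holds names and values after URL decoding, so by the time the chained rule inspects `ARGS:host` the value is `192.168.%.%` and each `%` is followed by `.` rather than two hex digits. Any parameter that legitimately carries a literal percent sign (a MySQL wildcard host, a SQL LIKE pattern, form data in phpMyAdmin) is flagged the same way. The script re-implements the rule's check in Python and runs it over decoded ARGS, as the shipped rule does, and over the raw request target, which is what a URL-encoding check should look at. The function names, `LOGGED_REQUEST` and the sample request lines are mine; the mirror of `@validateUrlEncoding` uses the regex's own definition of a valid escape and is an approximation of the real operator.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# The chained regex from rule 950107 as shipped: a '%' that is NOT followed by two
# hex digits or by 'u' plus four hex digits (the IIS-style %uXXXX form).
BAD_PCT = re.compile(r"%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# Request line copied from the audit log in the thread (constructed test input).
LOGGED_REQUEST = "GET /frontend/x3/sql/addhost.html?host=192.168.%25.%25 HTTP/1.1"


def validate_url_encoding(s: str) -> bool:
    """Approximation of @validateUrlEncoding: True when every '%' in s begins a
    well-formed escape according to the rule's own regex."""
    return BAD_PCT.search(s) is None


def request_target(request_line: str) -> str:
    """Return the raw request target ('/path?query') from an HTTP request line."""
    return request_line.split(" ", 2)[1]


def rule_950107_as_written(request_line: str) -> list[str]:
    """Run the check the way the default config did: over ARGS and ARGS_NAMES.

    ModSecurity fills the ARGS collection with URL-decoded names and values, so
    parse_qsl() (which also decodes) stands in for it here.  A client that
    correctly sent '%25' is indistinguishable from one that sent a bare '%'.
    Returns the variable names the rule would report, e.g. ['ARGS:host'].
    """
    _path, _sep, query = request_target(request_line).partition("?")
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not validate_url_encoding(name):
            hits.append(f"ARGS_NAMES:{name}")
        if not validate_url_encoding(value):
            hits.append(f"ARGS:{name}")
    return hits


def rule_on_raw_query(request_line: str) -> list[str]:
    """Run the same check over the bytes the client actually sent (what the
    REQUEST_URI_RAW / QUERY_STRING variables expose), before any decoding.
    Only a genuinely malformed escape such as '%.' or '%zz' is reported."""
    target = request_target(request_line)
    return [] if validate_url_encoding(target) else ["REQUEST_URI_RAW"]


if __name__ == "__main__":
    # Constructed samples: the logged request, a genuinely malformed one, a
    # correctly encoded wildcard, and a request with no percent sign at all.
    samples = [
        LOGGED_REQUEST,
        "GET /frontend/x3/sql/addhost.html?host=192.168.%.% HTTP/1.1",
        "GET /frontend/x3/sql/addhost.html?host=10.0.0.%25 HTTP/1.1",
        "GET /search?q=hello%20world HTTP/1.1",
    ]
    for line in samples:
        print(f"{line}\n  as written (decoded ARGS): {rule_950107_as_written(line)}"
              f"\n  on raw target:             {rule_on_raw_query(line)}")
```

`rule_950107_as_written(LOGGED_REQUEST)` returns `['ARGS:host']`, matching the `at ARGS:host` in the audit log, while `rule_on_raw_query` returns nothing for that request and flags only requests whose raw bytes contain a malformed escape. The practical consequence is that the rule, as written, cannot tell a correctly encoded `%25` from an attacker's bare `%`, which is why removing it (or pointing it at the raw request) costs nothing in detection.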
  3. VeZoZ (Well-Known Member, DataCenter Provider)

  4. MattDees (cPanel Product Owner, Staff Member; Houston, TX; Root Administrator)

    safitech:
    I have been unable to reproduce this exact issue on our test servers, however I would like to take a look at your server. If you could open a ticket with the subject of "ATTN: QA MATT mod_security + cpanel proxy" I would be more than happy to see the exact circumstances causing the mod_security error.

    The only time I have seen things like this happen are when people are using rules like the ones available at 403security.org and gotroot.com
     
  5. safitech (Member)

    Ticket ID...

    [cPanel ID# 376925] Re: ATTN: QA MATT mod_security + cpanel proxy

    We aren't using gotroot or 403security rules currently only the default config.
     
  6. arturoz (Member; Poland, Gdańsk; Root Administrator)

    any progress with solving this problem?

    Regards,
    Artur
     
  7. ramprage (Well-Known Member; Canada)

    I believe the modsec2.user.conf comes blank as default with mod_security install. Have you added any of your own custom rules?
     
  8. cPanelDon (cPanel Quality Assurance Analyst, Staff Member; Houston, Texas, U.S.A.; DataCenter Provider)

    The resolution for this specific issue is to disable the mod_security rule that is identified by the log detail; in this instance the mod_security entry is that of rule ID #950107 and has a description of "Check decodings" in the default configuration (assuming the default set is used). For additional reference, this issue has the following related internal case IDs: #15322 and #21882

    To disable the rule its entry may be either removed or commented; to comment the entry simply add a pound sign "#" in front of each line as seen below (where 3 lines were disabled, leaving the descriptive line unchanged as it is already commented):
    Code:
    # Check decodings
    #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
    #	"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
    #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

    After using EasyApache to install mod_security the default rules may be enabled, disabled, or modified, via the following menu path in WHM:
    WHM: Main >> Plugins >> Mod Security >> Edit Config
     
  9. VeZoZ (Well-Known Member, DataCenter Provider)

    They really should just solve this: if the person has mod_security installed via EasyApache, it adds this to the vhost of the cpanel/webmail/whm/etc. proxy:

    SecRuleEngine Off


    It really makes no sense to me for anyone to want mod_security to be run through the cPanel proxy. If that was the case they'd probably also want it run through cPanel when it's not accessed via proxy. Or optionally have this as a setting somewhere to turn off mod_security on the proxy vhost.

    You can add it yourself to the vhost as a temporary solution. But cPanel is claimed to be an easy panel to a degree, so I think it would be better to have a built-in solution to this. I always get complaints from users with cPanel installed and gotroot rules or whatever and their cPanel proxy not working properly.
     
  10. mikegotroot (Well-Known Member)

    MattDees said:
    The only time I have seen things like this happen are when people are using rules like the ones available at 403security.org and gotroot.com

    The gotroot.com rules don't have that broken rule in them. That rule is from the OWASP core ruleset, and it's got a big bug in it.
     
  11. astopy (Well-Known Member, Root Administrator)

    This can still be a problem with some mod_security rules, so here's the solution.

    First:
    cp /var/cpanel/templates/apache2/main.default /var/cpanel/templates/apache2/main.local

    Then, edit /var/cpanel/templates/apache2/main.local to add SecRuleEngine Off to the proxy VirtualHost (near the end of the file).

    Finally, "/usr/local/cpanel/bin/build_apache_conf && service httpd graceful", and you're done. (Probably a good idea to diff main.default and main.local after installing updates, just to check that nothing important got added/changed in the default file.)
     
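The two vhost-level mitigations from this thread side by side, as an added example that is not part of any post and not cPanel's actual template: cPanel and WHM themselves are served by cpsrvd on their own ports and never pass through Apache, so the proxy VirtualHost that the Tweak Setting adds is the only place mod_security sees cpanel./whm./webmail./webdisk. traffic at all, which is VeZoZ's point. The VirtualHost shape below is assumed (the real rewrite and proxy lines come from your main.local; keep those and add only the `<IfModule>` part). Option A is what VeZoZ and astopy describe. Option B, which I'd prefer, keeps the engine running for the proxied logins and drops only rule 950107 for that vhost, since that rule is the one that misfires on a literal `%` in already-decoded arguments; `SecRuleRemoveById` in a VirtualHost applies to rules inherited from the server-level include.

```apache
# Added example, not cPanel's template.  The proxy VirtualHost as it would be
# rendered into httpd.conf from main.local; only the cpanel. rule is shown,
# the whm./webmail./webdisk. rewrites follow the same pattern.
<VirtualHost *:80>
    # Assumed placeholder name; use whatever your main.local renders here.
    ServerName proxy-subdomains-placeholder.example
    ServerAlias cpanel.* whm.* webmail.* webdisk.*

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^cpanel\. [NC]
    RewriteRule ^/(.*) http://127.0.0.1:2082/$1 [P]

    <IfModule mod_security2.c>
        # Option A (what the thread does): no WAF at all on the proxy vhost.
        # Every request to cpanel./whm./webmail./webdisk. on this port skips
        # mod_security entirely.  Uncomment to use this instead of Option B.
        #SecRuleEngine Off

        # Option B (narrower): keep the engine on, drop only the rule that
        # flags a correctly encoded '%25' once ModSecurity has decoded it.
        SecRuleRemoveById 950107
    </IfModule>
</VirtualHost>
```

After editing main.local, rebuild and reload as astopy's post says (`/usr/local/cpanel/bin/build_apache_conf && service httpd graceful`), run `apachectl configtest` first, and confirm the directive actually landed inside the proxy vhost in the generated /usr/local/apache/conf/httpd.conf rather than at global scope, where `SecRuleEngine Off` would silently disable the WAF for every site on the box. If you prefer to fix the rule itself rather than scope around it, my own suggestion would be to make the 950107 chain test `REQUEST_URI_RAW` instead of `ARGS|ARGS_NAMES`, so it validates the encoding the client actually sent; that is a change to the ruleset, not something the thread proposes.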