Mod_security fail after provision

dahu

Member
Dec 7, 2001
23
2
303
I've updated my config with EasyApache ... and it fails; Apache doesn't restart
( CENTOS 7.6 v86.0.16 )

" httpd: Syntax error in -C/-c directive: Syntax error on line 14 of /etc/apache2/conf.modules.d/800-mod_security2.conf: Cannot load modules/mod_security2.so into server: /opt/cpanel/libcurl/lib64/libcurl.so.4: undefined symbol: libssh2_scp_recv2 "

If I provision without mod_security2, everything works fine ...

Any ideas?
 

fuzzylogic

Well-Known Member
Nov 8, 2014
140
83
28
cPanel Access Level
Root Administrator
I would most highly suspect a syntax error in a mod-security rule.
I would most highly suspect the syntax error to be in a user supplied custom rule.
To test, on the old Apache build, disable all custom rules, then disable all entire rule-sets.
Then rebuild Apache with mod_security2 included.
If this succeeds, re-enable your custom rules one at a time being sure to Deploy and Restart Apache with each new rule.
The syntax error will be reported to the GUI on any restart failure isolating the faulty rule.
If all custom rules save and restart Apache without error then move on to re-enabling each rule set one at a time until an error is encountered.
 

dahu

"To test, on the old Apache build, disable all custom rules, then disable all entire rule-sets."

Where can I find the old config or the old rules? No modsec2 files found.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
10,088
877
313
Houston
So all that's present in the file is an IfModule by default:

Code:
     12 # Mod Security requires Apache's mod_unique_id to operate
     13 <IfModule mod_unique_id.c>
     14     LoadModule security2_module  modules/mod_security2.so
     15 </IfModule>

What is the output of the following:

Code:
 rpm -qa |egrep 'libssh|libcurl|mod_sec'
 

dahu

Code:
# rpm -qa |egrep 'libssh|libcurl|mod_sec'
libssh2-1.4.3-12.el7_6.3.x86_64
libcurl-7.29.0-51.el7_6.3.x86_64
libssh2-devel-1.4.3-12.el7_6.3.x86_64
ea-libcurl-7.68.0-1.1.2.cpanel.x86_64
 

fuzzylogic

After further investigation it seems unlikely that the first error message posted would be caused by a mod-security rule syntax error.
This fragment of the error text has been discussed in various forums on the internet.
Code:
libcurl.so.4: undefined symbol: libssh2_scp_recv2
In most cases it seems to be related to dynamic linking of libraries, especially in the build process using curl.
2017 github - conda-forge/curl-feedstock
Code:
OSError: /home/jlord/.conda/envs/dask/lib/python3.6/lib-dynload/../.././libcurl.so.4: undefined symbol: libssh2_scp_recv2
Is anyone here setting LD_LIBRARY_PATH? If so, please try unsetting LD_LIBRARY_PATH and retrying.
The curl build does link against libssh2, which we also build and package, and our copy of libssh2 has the libssh2_scp_recv2 symbol. So am not seeing anything actionable here.
The most common problem. LD_LIBRARY_PATH forces an application to load a shared library it wasn’t linked against. (libcurl loads the wrong libssh2)
They suggest 3 reasons this problem may occur.
  1. Problem with version of curl (in 2017 - should be fixed by now)
  2. old/broken curl package pulled in (from path with higher priority)
  3. LD_LIBRARY_PATH being set when it should not be.
To check if LD_LIBRARY_PATH is set, run:
Code:
echo $LD_LIBRARY_PATH
If unset it will return blank.
If set it will return a path.

Talking about Dynamic Linking and build process is way above my pay grade.
These are just suggestions for others to think about when troubleshooting.
Over and Out.
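
Added example, not written by any poster in this thread: a shell check for the mismatch the error message describes. It resolves which libssh2 a libcurl build loads and tests whether that copy defines `libssh2_scp_recv2`. The function names and the sample tool output are constructed for illustration; `ldd` and `nm -D --defined-only` are the standard glibc and binutils tools.

```shell
#!/bin/sh
# Added example (not from the thread): which libssh2 does a libcurl build
# resolve to, and does that copy define the symbol named in the Apache error?

# Read `ldd` output on stdin; print the path the loader chose for library $1.
resolved_path() {
    awk -v lib="$1" 'index($1, lib) == 1 && $2 == "=>" && $3 != "not" { print $3; exit }'
}

# Read `nm -D --defined-only` output on stdin; succeed if symbol $1 is defined.
defines_symbol() {
    awk -v sym="$1" '{ n = $NF; sub(/@.*/, "", n); if (n == sym) found = 1 }
                     END { exit(found ? 0 : 1) }'
}

# Live check: $1 = libcurl path, $2 = symbol. 0 = ok, 1 = mismatch, 2 = unresolved.
diagnose() {
    if [ -n "${LD_LIBRARY_PATH:-}" ]; then
        echo "note: LD_LIBRARY_PATH is set to '$LD_LIBRARY_PATH'"
    fi
    ssh2=$(ldd "$1" | resolved_path libssh2.so)
    if [ -z "$ssh2" ]; then
        echo "libssh2 is not resolved for $1"; return 2
    fi
    if nm -D --defined-only "$ssh2" | defines_symbol "$2"; then
        echo "ok: $ssh2 defines $2"
    else
        echo "mismatch: $1 loads $ssh2, which does not define $2"; return 1
    fi
}

# Constructed sample tool output (illustrative, not captured from the poster's server).
sample_ldd() {
    printf '\tlibssh2.so.1 => /usr/lib64/libssh2.so.1 (0x00007f0000000000)\n'
    printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)\n'
}
sample_nm_without() { printf '000000000001a2b0 T libssh2_scp_recv\n'; }
sample_nm_with() {
    sample_nm_without
    printf '000000000001a9c0 T libssh2_scp_recv2\n'
}

# Run against a real library only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    diagnose "$1" "${2:-libssh2_scp_recv2}"
fi
```

Saved under a name of your choosing, the script takes the libcurl path from the error message (`/opt/cpanel/libcurl/lib64/libcurl.so.4`) as its first argument. Run `ldd` only on libraries you trust, since it can execute code from the file it inspects.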