ashworth102680

Active Member
May 3, 2007
26
1
153
I've been reading all this stuff over here about 2.7, but when I look into my system I see 1.9.5.

EasyApache mod_security Module

Is there something wrong with my Easy::Apache (v3.22.4) where it's not using the newest mod_security or something? Totally confused here.

I'd love to use Atomicorp's rules, but they'll fail unless I'm using the right version.

Here's how I searched for my mod_security version. Maybe I did it wrong?

# cat /home/cpeasyapache/src/modsecurity-apache_1.9.5/apache2/mod_security.c | grep MODULE_RELEASE
#define MODULE_RELEASE "1.9.5"

- - - Updated - - -

If it helps, here are version numbers for my WHM installation:

WHM 11.38.1 (build 15)
Apache 2.2.25
PHP 5.3.27
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
/home/cpeasyapache/src/ will contain source for both apache 1 and 2. You're looking at the source for httpd 1.x which won't be built anyway.

It's much easier to check for the actual module. As long as you build httpd 2.x in EA and select ModSecurity, ModSecurity 2.7.x will build. Once it's done you can check at root shell:

httpd -M |grep security

This should return:

security2_module (shared)
Syntax OK

If so, then modsec 2 is installed.
 

ashworth102680

Thanks guys!

This doesn't give me anything:

[email protected] [/usr/local/apache/conf/modsec_rules]# cat /usr/local/apache/logs/modsec_audit.log | grep Producer
[email protected] [/usr/local/apache/conf/modsec_rules]#
[email protected] [/usr/local/apache/conf/modsec_rules]# httpd -M |grep security
security2_module (shared)
Syntax OK
Definitely on mod_security v2. What I don't know is specifically which version of 2 (i.e., v2.x) I'm on. So far, I haven't been able to determine that. It's just compiled via Easy Apache. Nothing more.

Multiple guides online to get gotroot rules to run on cPanel haven't worked, and produce an error like this one:

[email protected] [/usr/local/apache/conf/modsec_rules]# service httpd configtest
Syntax error on line 37 of /usr/local/apache/conf/modsec_rules/00_asl_whitelist.conf:
ModSecurity: No action id present within the rule
Am I supposed to just give it an ID and use whatever the hell number I want?! :)

- - - Updated - - -

I downloaded 2.5 and 2.7, but both fail. It's possible I'm still not using the newest, though. I'll check that now.

According to ASL:

No action id present within the rule
This means that you are using out-of-date rules. If you are using Atomicorp rules, then this means you are not using the latest real time rules. The latest real time rules have an id action for every rule.
- - - Updated - - -

Yeah, these are definitely the newest rules:

http://updates.atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

The Mod_Security version is logged to the Apache error_log upon starting or restarting Apache. The specific version can be determined using the following command via root SSH access:

Code:
grep "modsecurity" /usr/local/apache/logs/error_log
You will see output such as:

Code:
[Tue Aug 13 22:37:04 2013] [notice] ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/) configured.
Thank you.
 

quizknows

A couple things could be happening here.

Unlikely, but if there is no rule ID on that line of that file, try adding one.

It's also possible whatever conf file is calling "Include /usr/local/apache/conf/modsec_rules/00_asl_whitelist.conf" (probably your modsec2.user.conf) has a rule right before that include line that is missing an ID.

If a rule ID is missing, it's easy to add, but make sure if it's a multi-line rule (i.e. the first line says "chain" in the actions) that you ID the first line.

I.e.

SecRule REQUEST_URI "This_is_bad" "deny,chain"
SecRule REQUEST_HEADERS:User-Agent "Second bad condition"

You would add to the "deny,chain" part:

SecRule REQUEST_URI "This_is_bad" "deny,chain,id:29725"
SecRule REQUEST_HEADERS:User-Agent "Second bad condition"
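
Added example, not part of the thread or of ModSecurity itself: a small Python check that lists the rules in a config that would trigger "No action id present within the rule", treating chained follow-on rules as covered by the first line's id as described above. The tokenizer only approximates Apache's argument quoting, and the sample rules and the id 29726 are constructed for illustration.

```python
import re

DIRECTIVE = re.compile(r"^\s*(SecRule|SecAction)\b", re.IGNORECASE)
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')   # quoted or bare argument
SINGLE_QUOTED = re.compile(r"'(?:[^'\\]|\\.)*'")

# Constructed sample, based on the rules quoted in the thread.
SAMPLE = r'''
SecRule REQUEST_URI "This_is_bad" "deny,chain"
SecRule REQUEST_HEADERS:User-Agent "Second bad condition"
SecRule REQUEST_URI "This_is_bad" "deny,chain,id:29725"
SecRule REQUEST_HEADERS:User-Agent "Second bad condition"
SecRule ARGS "@rx evil" \
    "phase:2,deny,msg:'no id here, really'"
SecAction "phase:1,nolog,pass,id:29726"
'''

def logical_lines(text):
    """Yield (first_line_no, text) with backslash-continued lines joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start, line = start or no, raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield start, buf + line
            buf, start = "", None

def action_names(directive, line):
    """Return the set of action names (id, chain, deny, ...) on one directive."""
    args = [quoted or bare for quoted, bare in TOKEN.findall(line)][1:]
    want = 3 if directive == "secrule" else 1   # SecRule VARS OP ACTIONS
    actions = args[want - 1] if len(args) >= want else ""
    actions = SINGLE_QUOTED.sub("''", actions)  # hide commas inside msg:'...'
    return {a.split(":", 1)[0].strip().lower() for a in actions.split(",")}

def rules_missing_id(text):
    """Return line numbers of rules that need an id action and have none."""
    missing, in_chain = [], False
    for no, line in logical_lines(text):
        m = DIRECTIVE.match(line)
        if m:
            names = action_names(m.group(1).lower(), line)
            if not in_chain and "id" not in names:
                missing.append(no)       # stand-alone rule or chain starter
            in_chain = "chain" in names  # next SecRule continues this chain
    return missing

if __name__ == "__main__":
    print(rules_missing_id(SAMPLE))
```

Run `rules_missing_id()` over the contents of each file under the rules directory and over the conf file that includes them, since the error can come from a rule just before the Include line.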