modsec2.user.conf and modsec2.cpanel.conf inclusion order problem

Discussion in 'Security' started by fuzzylogic, Feb 9, 2015.

  1. fuzzylogic

    fuzzylogic Registered

    Nov 8, 2014
    cPanel Access Level:
    Root Administrator
    WHM 11.48.0 (build 9)
    cmc: v1.16
    Mod_security is working using cPanel's version of the OWASP CRS.

    The end of my modsec2.conf file looks like this:

    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:406"
    Include "/usr/local/apache/conf/modsec2.user.conf"
    Include "/usr/local/apache/conf/modsec2.cpanel.conf"

    I want modsec2.user.conf included after modsec2.cpanel.conf so that I can enable OWASP's Collaborative Detection in an update-proof way.
    Currently I have Collaborative Detection running well by editing modsecurity_crs_10_setup.conf, but nightly modsec vendor updates overwrite this file.
    If the inclusion order of modsec2.user.conf and modsec2.cpanel.conf were reversed, I could override the SecDefaultAction set in modsecurity_crs_10_setup.conf, which overrides the SecDefaultAction set in modsec2.conf (by adding a new SecDefaultAction in my modsec2.user.conf).

    cPanel's mod security documentation states modsec2.user.conf is included from within the modsec2.cpanel.conf file, but this is not the case on my server (and I haven't changed it).
    I have searched /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmc.cgi, but can find no code that writes the modsec2.user.conf Include.

    So, is the inclusion order due to cmc actions, cPanel actions, or is my modsec2.conf unusual/unique?
    If cPanel controls this inclusion order, can I lodge a feature request to reverse the inclusion order?
  2. quizknows

    quizknows Well-Known Member

    Oct 20, 2009
    cPanel Access Level:
    DataCenter Provider
    That is the order they're included in by default (and on my servers). It works well for most cases, because the modsec2.cpanel.conf has your exclusions (rules whitelisted via WHM) and those generally should be included last. If you reversed the order, your SecDefaultAction would be set after all the rules, since the whole CRS would be included before the modsec2.user.conf where you're setting the default action. I'm not sure that would work (and I'd wager it wouldn't).

    If I understand what you're trying to do, you want to change the SecDefaultAction in the OWASP rules, but since it does that right away in the setup conf, that overrides what you set in modsec2.user.conf. Here's what I would do:

    Copy the contents of modsecurity_crs_10_setup.conf into your modsec2.user.conf. Then, make the changes you want inside the modsec2.user.conf file. Then, go into WHM under the vendor setup, "edit" the vendor, and turn that one file off (modsecurity_crs_10_setup.conf).

    This ought to take care of it. Since modsec2.user.conf is the last file included before the modsecurity_crs_10_setup.conf, and that file is the first included with the vendor setup, it should work just fine to move those settings to a file you're allowed to edit (modsec2.user.conf). Then your default action will be set before the rules are included, and your modsec2.user.conf is immune to updates by upcp.

    If you already do other stuff in modsec2.user.conf, a "cleaner" option would be to copy the modsecurity_crs_10_setup.conf to another file entirely, and call that as an Include on the last line of your modsec2.user.conf. You could edit the other includes, and disable the "normal" modsecurity_crs_10_setup.conf right from WHM the same way.

    You are right though, the docs are wrong on where that file is included from. Personally, I'm happy with modsec2.user.conf and modsec2.cpanel.conf being included in that order from modsec2.conf; it allows my custom rule set configured in modsec2.user.conf to work, as well as the OWASP rules to work simultaneously.
    #2 quizknows, Feb 10, 2015
    Last edited: Feb 10, 2015
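
An added example, not part of either post and not cPanel or ModSecurity code: a small Python model of the include order discussed above, reporting which SecDefaultAction each rule inherits in the stock order, in the reversed order, and with modsecurity_crs_10_setup.conf switched off. It assumes a SecDefaultAction applies only to rules loaded after it (tracked per phase here); the file contents, crs_rules.conf and both rule ids are constructed.

```python
import re
import shlex

# Constructed sample configs (not from a real server). File names follow the
# thread; crs_rules.conf and both rule ids are hypothetical stand-ins.
SETUP = "modsecurity_crs_10_setup.conf"
FILES = {
    "modsec2.conf": 'SecDefaultAction "phase:2,deny,log,status:406"\n'
                    'Include "modsec2.user.conf"\n'
                    'Include "modsec2.cpanel.conf"\n',
    "modsec2.user.conf": 'SecDefaultAction "phase:2,pass,log"\n'
                         'SecRule ARGS "@contains custom" "id:900001,phase:2"\n',
    "modsec2.cpanel.conf": 'Include "%s"\n' % SETUP +
                           'Include "crs_rules.conf"\n',
    SETUP: 'SecDefaultAction "phase:2,deny,log"\n',
    "crs_rules.conf": 'SecRule ARGS "@contains attack" "id:950001,phase:2"\n',
}
# Same files with the two Include lines in modsec2.conf swapped.
REVERSED = dict(FILES, **{"modsec2.conf":
    'SecDefaultAction "phase:2,deny,log,status:406"\n'
    'Include "modsec2.cpanel.conf"\n'
    'Include "modsec2.user.conf"\n'})

def phase_of(actions):
    m = re.search(r"phase:(\d)", actions)
    return m.group(1) if m else "2"  # ModSecurity defaults rules to phase 2

def resolve(files, root="modsec2.conf", disabled=()):
    """Map rule id -> SecDefaultAction in force when that rule was loaded."""
    defaults, inherited = {}, {}
    def walk(name):
        if name in disabled:  # models a file switched off in the vendor setup
            return
        for line in files[name].splitlines():
            tok = shlex.split(line, comments=True)
            if not tok:
                continue
            directive = tok[0].lower()
            if directive == "include":
                walk(tok[1])
            elif directive == "secdefaultaction":
                defaults[phase_of(tok[1])] = tok[1]  # affects later rules only
            elif directive == "secrule":
                rule_id = re.search(r"id:(\d+)", tok[3]).group(1)
                inherited[rule_id] = defaults.get(phase_of(tok[3]))
    walk(root)
    return inherited

if __name__ == "__main__":
    print(resolve(FILES), resolve(REVERSED), resolve(FILES, disabled={SETUP}), sep="\n")
```

In this model the CRS stand-in rule keeps the vendor default in both include orders and only picks up the default from modsec2.user.conf once the setup file is disabled.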
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello :)

    I've opened internal case number 164149 with our documentation team to verify this is by design and update the documentation to reflect this.

    Thank you.
