Modsecurity after EasyApache3 to EasyApache4 transition

[smess]

Modsecurity stopped working after the transition from EasyApache3 to EasyApache4. The old EasyApache3 setup included Mod_ruid2 and the Mod_Security plugin.

When trying to install a ModSecurity Vendor (OWASP CRS V3.0) on the "WHM/ModSecurity Vendors" page, I get the following error message:
--------------
Error: The system experienced the following error when it attempted to install the “OWASP ModSecurity Core Rule Set V3.0” vendor: API failure: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 53 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: SecRuleRemoveById requires at least one argument, rule ID for removal
--------------
When I inspect /etc/apache2/conf.d/modsec/modsec2.cpanel.conf the file is completely empty. There is no line 53.

I have tried using EasyApache4 to uninstall and reinstall ModSecurity but that made no difference. I believe the problem may be related to files or settings left over from the old ModSecurity plug-in install under easyapache3.

 

[cPanelLauren]

Hi @smess


If you move that file and then rebuild the apache configuration with:

/scripts/rebuildhttpdconf

Then attempt to restart apache again does the issue persist?

Thanks!

 

[smess]

Thanks for the response but that did not work. I got the following error messages:

# /scripts/rebuildhttpdconf
Initial configuration generation failed with the following message:
The “/usr/sbin/httpd -DSSL -t -f /etc/apache2/conf/httpd.conf.work.d5177d3c.cfgcheck -C Include "/etc/apache2/conf.modules.d/*.conf"” command (process 20739) reported error number 1 when it ended.
httpd: Syntax error on line 253 of /etc/apache2/conf/httpd.conf.work.d5177d3c.cfgcheck: Syntax error on line 31 of /etc/apache2/conf.d/modsec2.conf: Could not open configuration file /etc/apache2/conf.d/modsec/modsec2.user.conf: No such file or directory
Rebuilding configuration without any local modifications.
Failed to generate a syntactically correct Apache configuration.
Bad configuration file located at /etc/apache2/conf/httpd.conf.work.d5177d3c
Error:
The “/usr/sbin/httpd -DSSL -t -f /etc/apache2/conf/httpd.conf.work.d5177d3c.cfgcheck -C Include "/etc/apache2/conf.modules.d/*.conf"” command (process 20740) reported error number 1 when it ended.
httpd: Syntax error on line 253 of /etc/apache2/conf/httpd.conf.work.d5177d3c.cfgcheck: Syntax error on line 31 of /etc/apache2/conf.d/modsec2.conf: Could not open configuration file /etc/apache2/conf.d/modsec/modsec2.user.conf: No such file or directory

I found another version of modsec2.cpanel.conf at /usr/local/apache.ea3/conf/modsec2.cpanel.conf. Line 53 in that file has the SecRuleRemoveById error, so I commented line 53 out but did not move the file. Still got the original "line 53" error message.

It looks like the files needed are in /usr/local/apache.ea3/conf/ but I don't know if it is safe to move them, they may be an old version. The /etc/apache2/conf.d/modsec/ directory currently only has two empty files in it: modsec2.cpanel.conf and modsec2.user.conf.

 

[cPanelLauren]

It's doing that because they're noted as includes elsewhere. Can you please open a ticket using the link in my signature? Also since you're not able to start apache this would be considered an emergency and I'd suggest you mark it as such so it gets immediate attention.

Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

 

[smess]

Apache is working and WHM/EasyApache 4 builds with the mod_security2 and mod_ruid2 options enabled without reporting any errors. Apache restarts without issue through WHM. The problem is ModSecuity is not working and I get errors when I try to change the setup to get it working.

I will open the ticket and post the ID.

Thanks.

 

[smess]

Tickets ID# 11916435

Thanks for your help.

 

[cPanelLauren]

Hi @smess


It looks I checked in on that ticket this morning and it would appear that the issue was specific to a line in the /var/cpanel/modsec_cpanel_conf_datastore - once that line was removed ModSecurity was able to be installed successfully and Apache was able to be rebuilt.