ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip"

Hi

I run two servers:

Server1)

• CENTOS 6.8 x86_64
  
• WHM 58.0 (build 26)
• mod security
• Easy Apache3

Server 2)

• CLOUDLINUX 6.8 x86_64
• WHM 58.0 (build 27)
• mod security
• Easy Apache4

On both servers I have exactly the same custom mod security rules as follows (the paths are slightly different on Server1 because the directory in use is still usr/local/apache/conf - whereas server 2 EasyApache4 has changed the file paths to /etc/apache2/conf.d/modsec)

Code:

## Custom Mod Sec rules (mostly for wordpress)

SecDataDir /var/log/apache2/ipdata
#permissions on the above must be 777

SecResponseBodyAccess On
SecResponseBodyLimitAction ProcessPartial
SecResponseBodyMimeType text/xml


# 5000135 Block bad wp-logins
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134

# Setup brute force detection.
<Locationmatch "/wp-login.php">

# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'denying %{REMOTE_ADDR} ip address blocked for 15 minutes, more than 10 login attempts in 3 minutes.'"

# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"

SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=900,setvar:ip.bf_counter=0"
</locationmatch>
#900 = 15 minutes
ErrorDocument 401 default


# check bots by user agent and match to included file
# block bad bots
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/blackbots.txt" "id:980001,rev:1,severity:2,log,msg:'Bot Rule: Black Bot detected.'"

# Block attacks to xmlrpc.php
# See http://alzabo.io/modsecurity/2014/09/15/wordpress-xml-rpc-brute-force.html
# SecStreamInBodyInspection requires ModSecurity 2.6.0 or greater
SecStreamInBodyInspection On
SecAction "phase:1,nolog,pass,id:19300,\
    initcol:ip=%{REMOTE_ADDR}"

<FilesMatch "xmlrpc.php">
    SecRule RESPONSE_BODY "faultString" "id:19301,nolog,phase:4,\
        t:none,t:urlDecode,setvar:ip.xmlrpc_bf_counter=+1,\
        deprecatevar:ip.xmlrpc_bf_counter=1/300,pass"

    SecRule STREAM_INPUT_BODY "<methodCall>wp\." "id:19302,log,chain,\
        deny,status:406,phase:4,t:none,t:urlDecode,\
        msg:'Temporary block due to multiple XML-RPC method call failures'"

    SecRule ip:xmlrpc_bf_counter "@gt 4" "t:none,t:urlDecode,\
        t:removeWhitespace

</FilesMatch>

#disabled old rules
#SecRule REQUEST_LINE "POST .*xmlrpc.*" "pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:350201"
#SecRule IP:MAXLIMIT "@gt 10" "log,deny,id:350202,msg:'wp-xmlrpc: denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
Include /etc/apache2/conf.d/modsec2.whitelist.conf

Server1 (according to the logs) is doing a wonderful job of blocking the brute force attacks to wp-login and the xmlrpc.

However server 2 is producing the following errors;

Code:

[client 333.33.33.93] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied
[hostname "www.userdomainname.com"] [uri "/cgi-sys/ea-php56/wordpress/wp-login.php"]

[client 333.33.33.93] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.userdomainname.com"] [uri "/cgi-sys/ea-php56/index.php"]

I have googled and searched but don't appear to be able to solve this issue. Can anyone please provide some assistance to explain what might be happening here? The permissions on the folder /var/cpanel/secdatadir/ are set to 777

 

Thanks for the tip - yes, it appears I am - according to EA4 on server2 (I just installed the defaults)

ea-apache24-mod_cgi
ea-apache24-mod_deflate
ea-apache24-mod_expires
ea-apache24-mod_hostinglimits
ea-apache24-mod_proxy
ea-apache24-mod_proxy_fcgi
ea-apache24-mod_proxy_http
ea-apache24-mod_ruid2
ea-apache24-mod_security2
ea-apache24-mod_ssl
ea-apache24-mod_unique_id

On server1, I'm running mod_suphp - so I will un-install mod_ruid and switch to suphp on server2 and see how that works out.

 

I removed mod_ruid and installed suPHP and now mod_sec rules are logging and working correctly as expected.... but I have new issues;

1) Server load is much higher - went from averages of around 0.10 to now at around 1.20. I looked at introducing mod_fastcgi to try to bring down averages, but I now see that fastcgi using EA4 is not yet supported. I know this is something common to suPHP but are there any recommended methods to reduce this?

2) In TOP the username is no longer displayed - instead it simply shows as "nobody" - which is not very helpful in terms of trying to view current connections by host.

 

Just to follow up (for me as much as anyone else), I also discovered I needed to change permissions as follows;

chown -R nobody.nobody /var/cpanel/secdatadir