The Community Forums


ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip"

Discussion in 'EasyApache' started by WorkinOnIt, Sep 10, 2016.

  1. WorkinOnIt

    WorkinOnIt Well-Known Member

    Joined:
    Aug 3, 2016
    Messages:
    49
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hi

    I run two servers:

    Server1)
    • CENTOS 6.8 x86_64
    • WHM 58.0 (build 26)
    • mod security
    • Easy Apache3
    Server 2)
    • CLOUDLINUX 6.8 x86_64
    • WHM 58.0 (build 27)
    • mod security
    • Easy Apache4
    On both servers I have exactly the same custom mod_security rules, as follows (the paths are slightly different on Server1 because the directory in use is still /usr/local/apache/conf, whereas on Server2 EasyApache 4 has changed the file paths to /etc/apache2/conf.d/modsec):

    Code:
    ## Custom Mod Sec rules (mostly for wordpress)
    
    SecDataDir /var/log/apache2/ipdata
    # Must be writable by the user Apache runs as; the SDBM files ModSecurity
    # creates inside it (ip.pag/ip.dir, user.pag/user.dir) must be too.
    
    SecResponseBodyAccess On
    SecResponseBodyLimitAction ProcessPartial
    SecResponseBodyMimeType text/xml
    
    
    # 5000134-5000137 Block bad wp-logins
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
    
    # Setup brute force detection.
    <LocationMatch "/wp-login.php">
    
    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'denying %{REMOTE_ADDR} ip address blocked for 15 minutes, more than 10 login attempts in 3 minutes.'"
    
    # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    
    # bf_counter decays by 1 every 180 s (deprecatevar); the block flag lives for 900 s (expirevar).
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
    SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=900,setvar:ip.bf_counter=0"
    </LocationMatch>
    #900 = 15 minutes
    ErrorDocument 401 default
    
    
    # check bots by user agent and match to included file
    # block bad bots
    # No disruptive action is given here, so the effective action is whatever
    # SecDefaultAction sets; add deny,status:403 if this rule should block on its own.
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/blackbots.txt" "id:980001,rev:1,severity:2,log,msg:'Bot Rule: Black Bot detected.'"
    
    # Block attacks to xmlrpc.php
    # See http://alzabo.io/modsecurity/2014/09/15/wordpress-xml-rpc-brute-force.html
    # SecStreamInBodyInspection requires ModSecurity 2.6.0 or greater
    SecStreamInBodyInspection On
    # The ip collection is already initialised by 5000134; doing it again is harmless.
    SecAction "phase:1,nolog,pass,id:19300,\
        initcol:ip=%{REMOTE_ADDR}"
    
    <FilesMatch "xmlrpc.php">
        # Every faultString in a response counts one failure; decays by 1 every 300 s.
        SecRule RESPONSE_BODY "faultString" "id:19301,nolog,phase:4,\
            t:none,t:urlDecode,setvar:ip.xmlrpc_bf_counter=+1,\
            deprecatevar:ip.xmlrpc_bf_counter=1/300,pass"
    
        SecRule STREAM_INPUT_BODY "<methodCall>wp\." "id:19302,log,chain,\
            deny,status:406,phase:4,t:none,t:urlDecode,\
            msg:'Temporary block due to multiple XML-RPC method call failures'"
    
        SecRule ip:xmlrpc_bf_counter "@gt 4" "t:none,t:urlDecode,\
            t:removeWhitespace"
    
    </FilesMatch>
    
    #disabled old rules
    #SecRule REQUEST_LINE "POST .*xmlrpc.*" "pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:350201"
    #SecRule IP:MAXLIMIT "@gt 10" "log,deny,id:350202,msg:'wp-xmlrpc: denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
    Include /etc/apache2/conf.d/modsec2.whitelist.conf
    
    Server1 (according to the logs) is doing a wonderful job of blocking the brute force attacks to wp-login and the xmlrpc.

    However, Server2 is producing the following errors:

    Code:
    [client 333.33.33.93] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied
    [hostname "www.userdomainname.com"] [uri "/cgi-sys/ea-php56/wordpress/wp-login.php"]
    
    [client 333.33.33.93] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.userdomainname.com"] [uri "/cgi-sys/ea-php56/index.php"]
    
    
    

    I have googled and searched but don't appear to be able to solve this issue. Can anyone please provide some assistance to explain what might be happening here? The permissions on the folder /var/cpanel/secdatadir/ are set to 777.
     
    #1 WorkinOnIt, Sep 10, 2016
    Last edited by a moderator: Sep 12, 2016
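To make the blocking behaviour of rules 5000134-5000137 easier to reason about independently of the SDBM files, here is an added Python model of what those rules do with the ip and user collections. It is not code from the post, from cPanel or from ModSecurity. The IPs, timestamps and response statuses are constructed sample input, and the decay and expiry arithmetic (deprecatevar measured from the collection's LAST_UPDATE_TIME, which is stamped when the collection is stored; expired variables dropped when initcol loads the collection) is this example's reading of ModSecurity 2 semantics rather than anything the thread states.

```python
"""Model of the wp-login.php brute-force rules 5000134-5000137 (added example).

Timestamps are seconds; IPs and statuses are constructed sample input.
Assumption: deprecatevar is measured from the collection's LAST_UPDATE_TIME
(set when the collection is stored at the end of a transaction) and expired
variables are removed when initcol loads the collection.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Collection:
    """One persistent collection record, e.g. ip:203.0.113.5."""
    vars: Dict[str, int] = field(default_factory=dict)     # variable -> value
    expires: Dict[str, int] = field(default_factory=dict)  # variable -> expirevar deadline
    last_update: Optional[int] = None                      # LAST_UPDATE_TIME


class CollectionStore:
    """Stand-in for the SDBM files ModSecurity keeps under SecDataDir."""

    def __init__(self) -> None:
        self._db: Dict[Tuple[str, str], Collection] = {}

    def initcol(self, name: str, key: str, now: int) -> Collection:
        """initcol: load (or create) a record, dropping variables whose expirevar passed."""
        col = self._db.setdefault((name, key), Collection())
        for var, deadline in list(col.expires.items()):
            if now >= deadline:
                col.vars.pop(var, None)
                del col.expires[var]
        return col

    def store(self, col: Collection, now: int) -> None:
        """collection_store at the end of the transaction; stamps LAST_UPDATE_TIME."""
        col.last_update = now

    def get(self, name: str, key: str) -> Collection:
        return self._db[(name, key)]


def deprecatevar(col: Collection, var: str, amount: int, period: int, now: int) -> None:
    """deprecatevar:col.var=amount/period: subtract `amount` for every full `period`
    elapsed since the collection was last stored, never going below zero."""
    current = col.vars.get(var, 0)
    if current <= 0 or col.last_update is None:
        return
    col.vars[var] = max(0, current - ((now - col.last_update) // period) * amount)


def wp_login_request(store: CollectionStore, client_ip: str, backend_status: int, now: int) -> int:
    """Run one /wp-login.php transaction through the rule chain.

    backend_status is what WordPress would answer if not blocked
    (302 = login succeeded, 200 = login form re-rendered, i.e. a failure).
    Returns the status the client actually receives.
    """
    ip = store.initcol("ip", client_ip, now)       # 5000134, phase 1
    user = store.initcol("user", client_ip, now)
    status = backend_status
    if user.vars.get("bf_block", 0) > 0:           # 5000135: deny,status:401
        status = 401
    # Phase 5 runs for denied requests too; a 401 matches neither rule below.
    if status == 302:                              # 5000136: reset on success
        ip.vars["bf_counter"] = 0
    elif status == 200:                            # 5000137 chain
        ip.vars["bf_counter"] = ip.vars.get("bf_counter", 0) + 1
        deprecatevar(ip, "bf_counter", 1, 180, now)
        if ip.vars["bf_counter"] > 10:
            user.vars["bf_block"] = 1
            user.expires["bf_block"] = now + 900   # expirevar:user.bf_block=900
            ip.vars["bf_counter"] = 0
    store.store(ip, now)
    store.store(user, now)
    return status


def replay(events: List[Tuple[int, str, int]]) -> Tuple[List[int], CollectionStore]:
    """Feed (time, client_ip, backend_status) events through a fresh store."""
    store = CollectionStore()
    return [wp_login_request(store, ip, st, t) for t, ip, st in events], store


# Constructed scenario: 11 wrong passwords in 10 seconds from one address,
# then the correct password, a second address, and retries around the 15-minute mark.
ATTACK = [(t, "203.0.113.5", 200) for t in range(11)] + [
    (11, "203.0.113.5", 302),    # right password, but already blocked -> 401
    (12, "198.51.100.7", 200),   # unrelated client is unaffected
    (909, "203.0.113.5", 302),   # 899 s after the block: still denied
    (910, "203.0.113.5", 302),   # block expired: passes through
]

if __name__ == "__main__":
    served, _ = replay(ATTACK)
    for (t, ip, _), s in zip(ATTACK, served):
        print(f"t={t:4d} {ip:14} -> {s}")
```

Two things the model makes visible that are easy to miss when reading the rules: the 401 for a blocked client is issued in phase 2, so a correct password sent during the block window neither logs the user in nor resets the counter, and the counter only decays when a later request arrives, because deprecatevar is evaluated per transaction rather than by a background timer.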
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Are you running mod_ruid2 on that server?
     
  3. WorkinOnIt

    WorkinOnIt Well-Known Member

    Thanks for the tip - yes, it appears I am, according to EA4 on Server2 (I just installed the defaults):

    ea-apache24-mod_cgi
    ea-apache24-mod_deflate
    ea-apache24-mod_expires
    ea-apache24-mod_hostinglimits

    ea-apache24-mod_proxy
    ea-apache24-mod_proxy_fcgi
    ea-apache24-mod_proxy_http
    ea-apache24-mod_ruid2
    ea-apache24-mod_security2
    ea-apache24-mod_ssl
    ea-apache24-mod_unique_id


    On Server1 I'm running mod_suphp, so I will uninstall mod_ruid2 and switch to suPHP on Server2 and see how that works out.

     
    #3 WorkinOnIt, Sep 10, 2016
    Last edited: Sep 10, 2016
  4. WorkinOnIt

    WorkinOnIt Well-Known Member

    I removed mod_ruid2 and installed suPHP, and now the mod_sec rules are logging and working correctly as expected, but I have new issues:

    1) Server load is much higher: it went from averages of around 0.10 to around 1.20. I looked at introducing mod_fastcgi to try to bring the averages down, but I now see that FastCGI is not yet supported on EA4. I know this is common with suPHP, but are there any recommended methods to reduce it?

    2) In top, the username is no longer displayed; instead it simply shows as "nobody", which is not very helpful when trying to view current connections by host.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    The PHP sub-processes should run as the account username with suPHP, however Apache itself will still run as the "nobody" user.

    Do you notice any slowness with the websites with the increased load average? In some cases, the increased resource usage with suPHP doesn't necessarily result in any issues with website performance. Note that documentation on ModSecurity rule compatibility with the mod_ruid2 and mod_mpm_itk Apache modules is available at:

    Apache Module: ModSecurity - EasyApache 4 - cPanel Documentation

    One option to consider is to disable the individual rules that are incompatible with Mod_Ruid2 to allow for the use of both modules. You may also find the following feature request informative if you plan to use FPM:

    Enhance FPM support

    Thank you.
     
  6. WorkinOnIt

    WorkinOnIt Well-Known Member

    Just to follow up (for me as much as anyone else), I also discovered I needed to change permissions as follows:

    chown -R nobody:nobody /var/cpanel/secdatadir
     
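To verify that a chown like the one above actually leaves SecDataDir usable (or to see which account the collection files ended up belonging to under mod_ruid2), here is an added check script. It is not from the thread or from cPanel. The user name "nobody" and the ip.pag/ip.dir file names are assumptions about how cPanel runs Apache and how ModSecurity 2 stores collections, and the directory the demo builds is constructed sample data.

```python
"""Check that the SDBM collection files under SecDataDir are usable by the
user Apache runs as (added example; user and file names are assumptions)."""
import os
import pwd
import stat
import tempfile
from typing import List, Tuple

SDBM_SUFFIXES = (".pag", ".dir")   # apr_sdbm keeps two files per collection


def _owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:                 # uid with no passwd entry, e.g. a removed account
        return str(uid)


def check_secdatadir(path: str, apache_user: str) -> List[Tuple[str, str]]:
    """Return (file, problem) pairs; an empty list means the directory is usable.

    A 777 directory only lets Apache create *new* files: an existing ip.pag
    owned by another account still fails to open read-write, which is exactly
    the "Failed to access DBM file ... Permission denied" error in the thread.
    """
    if not os.path.isdir(path):
        return [(path, "missing directory")]
    problems: List[Tuple[str, str]] = []
    for name in sorted(os.listdir(path)):
        if not name.endswith(SDBM_SUFFIXES):
            continue
        st = os.stat(os.path.join(path, name))
        owner = _owner_name(st.st_uid)
        if owner != apache_user:
            problems.append((name, f"owned by {owner}, expected {apache_user}"))
        if not st.st_mode & stat.S_IWUSR:
            problems.append((name, "not writable by owner"))
        if st.st_mode & stat.S_IWOTH:
            problems.append((name, "world-writable"))
    return problems


def demo_tree() -> Tuple[str, str]:
    """Build a throwaway SecDataDir owned by the current user: healthy ip and
    user collections, except that user.pag has lost its owner write bit.
    Returns (path, owner name)."""
    root = tempfile.mkdtemp(prefix="secdatadir-")
    for name in ("ip.pag", "ip.dir", "user.pag", "user.dir"):
        full = os.path.join(root, name)
        with open(full, "wb"):
            pass
        os.chmod(full, 0o644)
    os.chmod(os.path.join(root, "user.pag"), 0o444)
    return root, _owner_name(os.getuid())


if __name__ == "__main__":
    root, me = demo_tree()
    print("as", me, "->", check_secdatadir(root, me) or "OK")
    # Mirrors the thread: Apache is back to "nobody" while the files still
    # belong to whichever account mod_ruid2 was running as when they were created.
    print("as nobody ->", check_secdatadir(root, "nobody"))
```

On a live server run it as `check_secdatadir("/var/cpanel/secdatadir", "nobody")` after the chown; any "owned by" entry means the DBM open will still fail for Apache regardless of the directory mode.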
  7. cPLevey

    cPLevey Technical Analyst Supervisor
    Staff Member

    Joined:
    Dec 3, 2015
    Messages:
    41
    Likes Received:
    8
    Trophy Points:
    8
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Hey @WorkinOnIt

    Thanks for sharing! I'm glad you were able to get it figured out.
     
  8. PbG

    PbG Well-Known Member

    Joined:
    Mar 11, 2003
    Messages:
    241
    Likes Received:
    0
    Trophy Points:
    16
    This did not work on my 2.4 jailed Apache + mod_ruid install. Instead I disabled every rule that relies on DBM, mainly REQUEST-10-IP-REPUTATION.conf, REQUEST-12-DOS-PROTECTION.conf and the bottom of modsecurity_crs_10_setup.conf. That leaves you with most of 19 out of 21 OWASP rule files in play, depending on what users need. I would rather have some symlink race protection, which is not an option with cP suPHP and/or the BH patch, which restricted legitimate traffic.


     
    #8 PbG, Oct 25, 2016
    Last edited: Oct 25, 2016