ModSecurity - Edit Custom Rules

Discussion in 'Security' started by rinkleton, May 2, 2017.

  1. rinkleton

    rinkleton Well-Known Member

    It seems like it is no longer possible to disable rules from the Edit Custom Rules interface in WHM (modsec2.user.conf). The modsec2.conf file includes this one before the modsec2.cpanel.conf file because "user.conf must come before cpanel.conf to allow administrators to selectively disable vendor rules". However, I can only disable a rule AFTER it is defined. Something seems wack to me?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @rinkleton,

    I moved this post to a separate thread as it relates to a different issue.

    I believe the issue you have described is fixed in cPanel version 66 as part of internal case CPANEL-12204:

    Fixed case CPANEL-12204: Fix filtering bug in ModSecurity Tools >> Rules List display.

    Could you provide the step-by-step instructions on how you are reproducing the issue? If so, I can take the same steps on a system running a cPanel 66 development build to verify the issue is addressed.

    Thank you.
     
  3. rinkleton

    rinkleton Well-Known Member

    To reproduce: Go to ModSec > Edit Custom Rules. Add something like "SecRuleRemoveById 920440" then "Deploy and Restart Apache". Do the action that will trigger the modsec rule 920440. It is still both disallowed and logged by mod sec.

    I don't have access to a v66 system to test. Is this issue related to v64 or to OWASP 3.0? Seems like the former, but I did switch at the same time so it's hard to tell.

    This is a pretty big issue though. My options are either to let parts of hundreds of sites go down or to disable mod security altogether.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You could use ConfigServer ModSecurity Control for this.
     
  5. rarod

    rarod Member

    I am using ConfigServer ModSecurity Control to disable some custom rules by user and it is not working. I detected this issue on 2017-04-16; previously this was working OK.

    I am using cPanel & WHM 64.0 (build 19).

    How can I troubleshoot this?

    Thanks.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    If CMC is not working as expected you might want to post about it on the ConfigServer forums.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I believe this issue is separate from the internal case referenced above. Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  8. fuzzylogic

    fuzzylogic Well-Known Member

    It seems that the task you are trying to achieve is to disable rule 920440 server wide.
    If this is correct then the procedure to do this is as follows...
    Go to...
    Security Center >> Tools >> Rules List >> Search for 920440 >> Click the Disable link on the right hand side.
    Click the Deploy and Restart Apache Button.

    Doing this writes SecRuleRemoveById 920440 to the bottom of etc/apache2/conf.d/modsec/modsec2.cpanel.conf
    It works in my tests.
     
    #8 fuzzylogic, May 4, 2017
    Last edited by a moderator: May 4, 2017
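Added example, not part of any post in this thread and not cPanel's code: a Python sketch of the ordering problem discussed above. It assumes ModSecurity 2.x behaviour, where `SecRuleRemoveById` only affects rules already loaded when the directive is read; the function names and the sample rule body are constructed for illustration, and only the include order and the rule ID come from the thread.

```python
import re

# Patterns for ModSecurity 2.x configuration text.
ID_ACTION = re.compile(r"\bid\s*:\s*'?(\d+)'?")
REMOVE = re.compile(r"^\s*SecRuleRemoveById\s+(.+)$", re.I)
RULE_START = re.compile(r"^\s*Sec(Rule|Action)\b", re.I)

def logical_lines(text):
    """Join backslash-continued lines and drop blank and comment lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield buf
        buf = ""

def check_removal_order(files):
    """files: list of (name, text) in the order Apache includes them.
    Returns (file, rule_id, status) for every SecRuleRemoveById target."""
    defined = set()
    findings = []
    for name, text in files:
        for line in logical_lines(text):
            m = REMOVE.match(line)
            if m:
                for tok in m.group(1).replace('"', " ").split():
                    if tok.isdigit():  # ID ranges are not handled in this sketch
                        status = "effective" if int(tok) in defined else "too-early"
                        findings.append((name, int(tok), status))
            elif RULE_START.match(line):
                defined.update(int(i) for i in ID_ACTION.findall(line))
    return findings

# Constructed sample: the rule body is a stand-in, only the id matters.
SAMPLE = [
    ("modsec2.user.conf", "SecRuleRemoveById 920440\n"),
    ("modsec2.cpanel.conf", r'''
SecRule REQUEST_FILENAME "@endsWith .example" \
    "id:920440,phase:2,deny,log"
SecRuleRemoveById 920440
'''),
]

for finding in check_removal_order(SAMPLE):
    print(finding)
```

The removal in the earlier file is reported as `too-early`, while the one appended after the rule definition is `effective`.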
  9. fuzzylogic

    fuzzylogic Well-Known Member

    I just tested this and it worked for me. The procedure is as follows.
    I created a new rule (for testing purposes) using
    Security Center >> Tools >> Rules List >> Add Rule
    The testing rule looked like this...
    Code:
    # Replace 66.66.66.66 with the IP of your web browser (google whats my ip)
    SecRule REMOTE_ADDR "@ipMatch 66.66.66.66" \
      "msg:'Matched ip. Test rule is being hit',\
      phase:2,\
      id:8888111,\
      t:none,\
      pass,\
      log"
    Click Deploy and Restart button.
    Visit yourdomain.com then check your modsec log for hits to the test rule.
    Security Center >> Tools >> Hits List >> Search for 8888111
    If the rule is being logged then move on to...
    Plugins >> Configserver Modsec Control >> Select a User or Domain from list beside the "Modify user whitelist" button
    Then click the "Modify user whitelist" button.
    Now you have a choice depending on what you want to achieve.

    If you want to disable a rule for all domains owned by the user, then add the rule id (number only) to the ModSecurity rule ID list: text box, then click the "Save whitelist for all username domains" button.

    If you want to disable a rule for one domain owned by the user, then select the Domain from the list beside the "Modify domain whitelist" button.
    Add the rule id (number only) to the ModSecurity rule ID list: text box then click the "Save whitelist for yourdomain.com.com" button.

    Now your test rule should be disabled for yourdomain.com
    Revisit yourdomain.com then check the modsec log again.
    This time nothing should be logged for rule 8888111
    Second test visit a second domain on the same server.
    This should log hits for the test rule.

    Once you have confirmed for yourself that the procedure works, then delete these test entries in Configserver Modsec Control.
    Delete the test rule from Security Center >> Tools >> Rules List
     
    cPanelMichael likes this.
  10. fuzzylogic

    fuzzylogic Well-Known Member

    I have managed to reproduce the CMC failure.
    If the id you enter into the CMC test field is syntactically incorrect then when the save button is clicked CMC restarts Apache and no SecRuleRemoveById line is written to modsec2.whitelist.conf
    It effectively fails silently.

    The CMC hint text says "You should place one ID number per line".
    If you copy the rule id from a blog post by double clicking then paste it into the CMC field it will have a trailing space which will cause the save to fail.

    CMC will also fail in this way if you use commas or semicolons to enter multiple ids.
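
Added example, not part of the post above and not ConfigServer's code: a Python check that makes the silent failure visible by comparing what was typed into the ID box with the `SecRuleRemoveById` lines that actually reached the whitelist file. The function names and sample inputs are constructed; the failure causes it labels (trailing space, commas or semicolons) are the ones reported in the post.

```python
import re

# One "SecRuleRemoveById <id>" directive per line, as the post describes.
REMOVE_LINE = re.compile(r"^\s*SecRuleRemoveById\s+(\d+)\s*$", re.M)

def classify_entry(raw):
    """Explain why one line of the ID box is or is not a bare rule ID."""
    if raw == "":
        return "empty"
    if raw.isascii() and raw.isdigit():
        return "ok"
    if raw.strip().isdigit():
        return "surrounding whitespace"
    if re.search(r"[,;]", raw):
        return "separator (one ID per line expected)"
    return "not a number"

def audit_whitelist(field_text, written_conf):
    """Return the IDs present in the file and the entries that never got there."""
    written = {int(i) for i in REMOVE_LINE.findall(written_conf)}
    report = {"written": sorted(written), "missing": []}
    for no, raw in enumerate(field_text.splitlines(), start=1):
        reason = classify_entry(raw)
        if reason == "empty":
            continue
        wanted = {int(n) for n in re.findall(r"\d+", raw)}
        if not wanted or not wanted <= written:
            if reason == "ok":
                reason = "well-formed but absent from file"
            report["missing"].append((no, raw, reason))
    return report

# Constructed input: what an admin pasted, and what ended up in the file.
FIELD_TEXT = "8888111 \n920440;1000001\n1000002"
WRITTEN_CONF = "SecRuleRemoveById 1000002\n"

print(audit_whitelist(FIELD_TEXT, WRITTEN_CONF))
```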
     
  11. verdon

    verdon Well-Known Member

    I haven't been able to get CMC to work for some time now. I just checked, and at least for me, it is not trailing white spaces or anything of that nature.
     
  12. rarod

    rarod Member

    This is not my case. The line with the ID is written correctly to modsec2.whitelist.conf.
     