ModSecurity - Edit Custom Rules

[rinkleton]

It seems like it is no longer possible to disable rules from the Edit Custom Rules interface in WHM (modsec2.user.conf). The modsec2.conf files includes this one before the modsec2.cpanel.conf file because "user.conf must com before cpanel.conf to allow adminsitrators to selectively disable vendor rules". However I can only disable a rules AFTER it is defined. Something seems wack to me?

 

[cPanelMichael]

Hello @rinkleton,

I moved this post to a separate thread as it relates to a different issue.

I believe the issue you have described is fixed in cPanel version 66 as part of internal case CPANEL-12204:

Fixed case CPANEL-12204: Fix filtering bug in ModSecurity Tools >> Rules List display.

Could you provide the step-by-step instructions on how you are reproducing the issue? If so, I can take the same steps on a system running a cPanel 66 development build to verify the issue is addressed.

Thank you.

 

[rinkleton]

To reproduce: Go to ModSec > Edit Custom Rules. Add something like "SecRuleRemoveById 920440" then "Deploy and Restart Apache". Do the action that will trigger the modsec rule 920440. It is still both disallowed and logged by mod sec.

I don't have access to a v66 system to test. Is this issue related to v64 or to OWASP 3.0? Seems like the former, but I did switch at the same time so it's hard to tell.

This is a pretty big issue though. My options are either, let parts of hundreds of sites go down or disable mod security altogether.

 

[Infopro]

You could use ConfigServer ModSecurity Control for this.

 

[rarod]

I am using ConfigServer ModSecurity Control to disable some custom rules by user and is not working. I detected this issue on 2017-04-16, previously this was working ok.

I am using cPanel & WHM 64.0 (build 19).

How can I troubleshoot this?

Thanks.

 

[Infopro]

If CMC is not working as expected you might want to post about it on the ConfigServer forums.

 

[cPanelMichael]

To reproduce: Go to ModSec > Edit Custom Rules. Add something like "SecRuleRemoveById 920440" then "Deploy and Restart Apache". Do the action that will trigger the modsec rule 920440. It is still both disallowed and logged by mod sec.

Hello,

I believe this issue is separate from the internal case referenced above. Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[fuzzylogic]

It seems like it is no longer possible to disable rules from the Edit Custom Rules interface in WHM (modsec2.user.conf). The modsec2.conf files includes this one before the modsec2.cpanel.conf file because "user.conf must com before cpanel.conf to allow adminsitrators to selectively disable vendor rules". However I can only disable a rules AFTER it is defined. Something seems wack to me?

It seems that the task you are trying to achieve is to disable rule 920440 server wide.
If this is correct then the procedure to do this is as follows...
Go to...
Security Center >> Tools >> Rules List >> Search for 920440 >> Click the Disable link on the right hand side.
Click the Deploy and Restart Apache Button.

Doing this writes SecRuleRemoveById 920440 to the bottom of etc/apache2/conf.d/modsec/modsec2.cpanel.conf
It works in my tests.

 

[fuzzylogic]

I am using ConfigServer ModSecurity Control to disable some custom rules by user and is not working. I detected this issue on 2017-04-16, previously this was working ok.
I am using cPanel & WHM 64.0 (build 19).
How can I troubleshoot this?Thanks.

I just tested this and it worked for me. The procedure is as follows.
I created a new rule (for testing purposes) using
Security Center >> Tools >> Rules List >> Add Rule
The testing rule looked like this...

# Replace 66.66.66.66 with the ip of your web brower (google whats my ip)
SecRule REMOTE_ADDR "@ipMatch 66.66.66.66" \
  "msg:'Matched ip. Test rule is being hit',\
  phase:2,\
  id:8888111,\
  t:none,\
  pass,\
  log"

Click Deploy and Restart button.
Visit yourdomain.com then check your modsec log for hits to the test rule.
Security Center >> Tools >> Hits List >> Search for 8888111
If the rule is being logged then move on to...
Plugins >> Configserver Modsec Control >> Select a User or Domain from list beside the "Modify user whitelist" button
Then click the "Modify user whitelist" button.
Now you have an choice depending on what you want to achieve.

If your want to disable a rule for all domains owned by the user the add the rule id (number only) to the ModSecurity rule ID list: text box then click the "Save whitelist for all username domains" button.

If your want to disable a rule for one domain owned by the user then select the Domain from list beside the "Modify domain whitelist" button.
Add the rule id (number only) to the ModSecurity rule ID list: text box then click the "Save whitelist for yourdomain.com.com" button.

Now your test rule should be disabled for yourdomain.com
Revisit yourdomain.com then check the modsec log again.
This time nothing should be logged for rule 8888111
Second test visit a second domain on the same server.
This should log hits for the test rule.

Once you have confirmed for yourself that the procedure works, then delete these test entries in Configserver Modsec Control.
Delete the test rule from Security Center >> Tools >> Rules List

 

[fuzzylogic]

I am using ConfigServer ModSecurity Control to disable some custom rules by user and is not working.

I have managed to reproduce the CMC failure.
If the id you enter into the CMC test field is syntactically incorrect then when the save button is clicked CMC restarts Apache and no SecRuleRemoveById line is written to modsec2.whitelist.conf
It effectively fails silently.

The CMC hint text says "You should place one ID number per line".
If you copy the rule id from a blog post by double clicking then paste it into the CMC field it will have a trailing space which will cause the save to fail.

CMC will also fail in this way if you use commas or semi-colon to enter multiple ids.

 

[verdon]

I have managed to reproduce the CMC failure.
If the id you enter into the CMC test field is syntactically incorrect then when the save button is clicked CMC restarts Apache and no SecRuleRemoveById line is written to modsec2.whitelist.conf
It effectively fails silently.

The CMC hint text says "You should place one ID number per line".
If you copy the rule id from a blog post by double clicking then paste it into the CMC field it will have a trailing space which will cause the save to fail.

CMC will also fail in this way if you use commas or semi-colon to enter multiple ids.

I haven't been able to get CMC to work for some time now. I just checked, and at least for me, it is not trailing white spaces or anything of that nature.

 

[rarod]

I have managed to reproduce the CMC failure.
If the id you enter into the CMC test field is syntactically incorrect then when the save button is clicked CMC restarts Apache and no SecRuleRemoveById line is written to modsec2.whitelist.conf
It effectively fails silently.

This is not my case. The line with de ID is written correctly to modsec2.whitelist.conf.