ModSecurity + MPM ITK compatibility - inconsistent documentation

Discussion in 'EasyApache' started by sonicthoughts, Oct 31, 2015.

  1. sonicthoughts

    sonicthoughts Well-Known Member

    Joined:
    Apr 4, 2011
    Messages:
    61
    Likes Received:
    3
    Trophy Points:
    8
    Apache Module: MPM ITK - EasyApache 4 - cPanel Documentation states
    however
    Apache Module: ModSecurity - EasyApache - cPanel Documentation states:
    So is Modsec + MPM ITK compatible in EA3 or EA4?
    Would use ModRuid2 but no cache/memcache (I presume MPM ITK will work with caching)
     
  2. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Joined:
    May 2, 2014
    Messages:
    510
    Likes Received:
    66
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Hi,

    In EasyApache 4, we've ensured there's a conflict with the RPMs because there are a couple of issues with DBM and the like that are still issues in EA3 that we'd like to fix in EA4 before we declare them 'compatible'. In EA3, they are able to be used together; in EA4 though, not quite yet.

    I hope this helps!
     
  3. sonicthoughts

    sonicthoughts Well-Known Member

    Ok, what I want is caching (memcache) + modsec + PHP 5.6 or 5.5 + uid for Apache (ruid2 or itk); this should give good mem/performance trade-offs. To confirm, on EA3 that should all be compatible (yeah!). Now I'm on ruid2. Are there issues/guides/concerns switching to itk?

    BTW - I'm noticing more support for itk than
     
  4. sonicthoughts

    sonicthoughts Well-Known Member

    Ok, on EA3 I just discovered that ITK will ONLY work with Apache 2.2 - that is really disappointing. There is really no good option here for performance and it is really hard to follow what works with which version.
     
  5. Andrew Gritsuk

    Andrew Gritsuk Registered

    Joined:
    Aug 28, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Minsk, Belarus
    cPanel Access Level:
    Root Administrator
    Are there any plans in the near future to ensure compatibility between mod_ruid2 and mod_security in EA4?
     
  6. Todd DeSantis

    Todd DeSantis Registered

    Joined:
    May 22, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Portland, ME
    cPanel Access Level:
    Website Owner
    I am also wondering this about mod_ruid2 and mod_security! I have just updated to EA4, and I was using ruid2 and modsecurity on EA3. I didn't realize they aren't compatible.

    Will they be at some point?

    Also, this makes me make a decision right now: What is more important for security?

    A. ruid2 and the way it prevents apache processes from running as 'nobody'
    B. Modsecurity
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Internal case EA-4430 will allow for the combined use of Mod_Security and Mod_Ruid2/mod_mpm_itk, despite the minor bugs currently associated with using them together.

    Thank you.
     
  8. Andrew Gritsuk

    Andrew Gritsuk Registered

    The following conflicts are installed on this machine or selected in this profile:
    ea-apache24-mod_mpm_itk

    The following dependencies are not installed on this machine or not selected in this profile:
    ea-apache24-mod_unique_id


    Should I ignore this warning?
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  10. sonicthoughts

    sonicthoughts Well-Known Member

  11. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Hi!

    While that patch may work for you, there's major risk in patching a WAF system like this, and that's not an easy decision to make. We don't know what consequences may arise from the patch, and if the patch hasn't been accepted upstream in the 2 years that it's been in that thread, there may be a good reason why it's not in the main line of code.

    I'd recommend requesting that patch to be considered for their mainline branch, and to be officially reviewed / accepted by ModSecurity before we send it out to millions of websites. At this time though, I feel the unknowns and risks outweigh the benefits.
     
  12. sonicthoughts

    sonicthoughts Well-Known Member

    Seriously? Here is another point of view:
    1. That's a pretty simple answer to a problem that has been repeatedly reported.
    2. Is cPanel taking any action or are you saying that I should push for a patch - I don't even know how to do that.
    3. The alternative - i.e. turning off modsec - seems a bit more severe.
    4. You are using a lot of anecdotes to make this determination.
    5. Please actually look at the code and you can see if changes the file permission for mod_ruid2
    6. Please make it really clear why this isn't supported in the docs.
    This has appeared in multiple forums in various ways and it's a big deal to a lot of folks, so please be explicit in limitations / workarounds and actions being taken.

    Thanks for hearing me out.
     
  13. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Hi!

    This problem has been around for years. cPanel is not able to take any action on this. We are not keen enough on the internals of ModSecurity to patch and ensure we didn't break anything else. This is why I feel we need to push on the ModSec development team to get this fixed, as this bug lies with them, not with cPanel or RUID2/ITK.
     
  14. sonicthoughts

    sonicthoughts Well-Known Member

    I'd like to know if cPanel is actively "pushing" the ModSec development team or just posting for us to do that.

    Also I found another item in the docs - is there an implicit workaround by not using persistent storage?

    https://confluence2.cpanel.net/display/EA4/Apache+Module:+ModSecurity
    Important:

    If your system uses either the mod_ruid2 or the mod_mpm_itk Apache modules and also uses Persistent Storage with the initcol, setuid, or setsid directives in the ModSecurity rules, Apache will fail to track that rule. Apache will also log errors to its error_log file. For example, the IP Reputation rule in the OWASP core ruleset may give this error.

    So is there a way to implement without persistent storage and not have to choose between the two? The point of this thread (there are several on this topic) is that the documentation is not clear.

    Thanks for clarifying.
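
The documentation note quoted in the post above ties the failure to rules that use the initcol, setuid or setsid actions. As an added example (not part of the thread, and not cPanel or ModSecurity code), this script lists the SecRule/SecAction directives in a rules file that use those actions, so an administrator running mod_ruid2 or mod_mpm_itk can see which rules depend on persistent storage. The sample rules and their IDs are constructed.

```python
import re

# Persistent-collection actions named in the cPanel note quoted above.
PERSISTENT = re.compile(r"""(?:^|[\s,"'])(initcol|setuid|setsid):""")
RULE_ID = re.compile(r"""[\s,"']id:'?(\d+)""")

def logical_lines(text):
    """Yield (first_line_no, joined_text), folding backslash continuations."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:  # file ended on a continuation
        yield start, " ".join(buf)

def find_persistent_rules(text):
    """Return [(line_no, rule_id, [actions])]; commented-out rules are skipped."""
    hits = []
    for no, line in logical_lines(text):
        if not re.match(r"(SecRule|SecAction)\s", line):
            continue
        actions = sorted(set(PERSISTENT.findall(line)))
        if actions:
            m = RULE_ID.search(line)
            hits.append((no, m.group(1) if m else None, actions))
    return hits

# Constructed sample rules (not taken from the thread or any shipped ruleset).
SAMPLE_RULES = r'''
SecAction \
    "id:900001,phase:1,nolog,pass,\
    initcol:ip=%{REMOTE_ADDR},\
    setvar:tx.seen=1"
SecRule REQUEST_COOKIES:PHPSESSID "!^$" \
    "id:900002,phase:1,nolog,pass,setsid:%{REQUEST_COOKIES.PHPSESSID}"
SecRule ARGS "@contains test" "id:900003,phase:2,deny,status:403"
# SecAction "id:900004,phase:1,pass,initcol:ip=%{REMOTE_ADDR}"
'''

if __name__ == "__main__":
    for no, rule_id, actions in find_persistent_rules(SAMPLE_RULES):
        print(f"line {no}: rule {rule_id} uses {', '.join(actions)}")
```

Rules it reports are the ones the note says Apache will fail to track under a per-user MPM; rules it does not report (such as the constructed 900003) do not touch persistent collections.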
     
  15. sonicthoughts

    sonicthoughts Well-Known Member

    SpiderLabs say they resolved this in modsec 3 - are there plans to use that? Geo Lookup: Failed to lock proc mutex · Issue #1168 · SpiderLabs/ModSecurity · GitHub
    Also, yet again the docs are confusing: Current Status of EasyApache 4 - EasyApache 4 - cPanel Documentation says: In EasyApache 3, an existing bug with ModSecurity2 and the mod_ruid2 and mod_mpm_itk Apache modules causes some tracking functionality to not work properly with per-user MPMs. We added a conflict to the RPMS in EasyApache 4, so that you cannot install the mod_ruid2 or mod_mpm_itk Apache modules with ModSecurity2. cPanel cannot fix this bug, as this is a ModSecurity2 issue.
    So if I upgrade to EA4 you will force the disable? Others say it will work? Again, confused and frustrated that this does not seem to be taken seriously.
     
  16. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Hi,

    ModSec3 is not ready for production, as stated on their GitHub:
    "Notice: This project is under development and it is NOT ready to be placed in production yet. It currently does not support all the operators and/or actions of the SecRules language, yet."

    We're not going to send out non-stable modules, especially for a WAF that's as popular as ModSecurity. As of June 15th, we have removed the RPM conflict between RUID2/ITK and ModSec, so you can use them again; however, the bug still persists.

    Thanks for letting us know about the Current Status page, I updated it this morning, but it's in the queue to be published. That will get updated shortly.
     
  17. olie Murphy

    olie Murphy Registered

    Joined:
    Jul 20, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    usa
    cPanel Access Level:
    Root Administrator
    Ok, on EA3 I just discovered that ITK will ONLY work with Apache 2.2 - that is really disappointing. There is really no good option here for performance and it is really hard to follow what works with which version.
     
  18. sonicthoughts

    sonicthoughts Well-Known Member

  19. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Hi,

    I'm not sure what we can do by contacting Felipe. These are not issues we can solve, and we are not going to use ModSec 3 until it's production ready. I would recommend having Felipe backport those fixes into ModSec 2.9 so it can be used by those who are using ModSec.
     