sonicthoughts

Apache Module: MPM ITK - EasyApache 4 - cPanel Documentation states:
The MPM ITK module is not compatible with the following modules:

  • Mod Ruid2
  • mod_userdir
  • EAccelerator
  • Mod suPHP
  • ModSecurity™
However, Apache Module: ModSecurity - EasyApache - cPanel Documentation states:
Mod_ruid2 Apache module
If you select the Mod Security option and either the Mod Ruid2 or the MPM ITK option in EasyApache, the ModSecurity log location changes to ....
So is Modsec + MPM ITK compatible in EA3 or EA4?
Would use ModRuid2 but no cache/memcache (I presume MPM ITK will work with caching)
 

JacobPerkins

Hi,

In EasyApache 4, we've ensured there's a conflict with the RPMs because there are a couple of issues with DBM and the like that are still issues in EA3 that we'd like to fix in EA4 before we declare them 'compatible'. In EA3, they are able to be used together; in EA4 though, not quite yet.

I hope this helps!
 

sonicthoughts

Ok, what I want is caching (memcache) + modsec + PHP 5.6 or 5.5 + uid for Apache (ruid2 or itk); this should give good mem/performance trade-offs. To confirm, on EA3 that should all be compatible (yeah!). Now I'm on ruid2. Are there issues/guides/concerns switching to itk?

BTW - I'm noticing more support for itk than
 

sonicthoughts

Ok, on EA3 I just discovered that ITK will ONLY work with Apache 2.2 - that is really disappointing. There is really no good option here for performance and it is really hard to follow what works with which version.
 

Todd DeSantis

I am also wondering this about mod_ruid2 and mod_security! I have just updated to EA4, and I was using ruid2 and modsecurity on EA3. I didn't realize they aren't compatible.

Will they be at some point?

Also, this makes me make a decision right now: What is more important for security?

A. ruid2 and the way it prevents apache processes from running as 'nobody'
B. Modsecurity
 

cPanelMichael

Hello,

Internal case EA-4430 will allow for the combined use of Mod_Security and Mod_Ruid2/mod_mpm_itk, despite the minor bugs currently associated with using them together.

Thank you.
 

Andrew Gritsuk

The following conflicts are installed on this machine or selected in this profile:
ea-apache24-mod_mpm_itk

The following dependencies are not installed on this machine or not selected in this profile:
ea-apache24-mod_unique_id


Should I ignore this warning?
 

cPanelMichael

You should not ignore that warning message if you are using Mod_Ruid2. EA-4430 is not yet implemented.

Thank you.
 

JacobPerkins

Hi!

While that patch may work for you, there's major risk in patching a WAF system like this, and that's not an easy decision to make. We don't know what consequences may arise from the patch, and if the patch hasn't been accepted upstream in the 2 years that it's been in that thread, there may be a good reason why it's not in the main line of code.

I'd recommend requesting that patch to be considered for their mainline branch, and to be officially reviewed / accepted by ModSecurity before we send it out to millions of websites. At this time though, I feel the unknowns and risks outweigh the benefits.
 

sonicthoughts

Seriously? Here is another point of view:
  1. That's a pretty simple answer to a problem that has been repeatedly reported
  2. Is cPanel taking any action or are you saying that I should push for a patch - I don't even know how to do that.
  3. The alternative - i.e. turning off modsec - seems a bit more severe
  4. You are using a lot of anecdotes to make this determination
  5. Please actually look at the code and you can see if changes the file permission for mod_ruid2
  6. Please make it really clear why this isn't supported in the docs.
This has appeared in multiple forums in various ways and it's a big deal to a lot of folks, so please be explicit about limitations / workarounds and actions being taken.

Thanks for hearing me out.
 

JacobPerkins

Hi!

This problem has been around for years. cPanel is not able to take any action on this. We are not keen enough on the internals of ModSecurity to patch and ensure we didn't break anything else. This is why I feel we need to push on the ModSec development team to get this fixed, as this bug lies with them, not with cPanel or RUID2/ITK.
 

sonicthoughts

I'd like to know if cPanel is actively "pushing" the ModSec development team or just posting for us to do that.

Also I found another item in the docs - is there an implicit workaround by not using persistent storage?

https://confluence2.cpanel.net/display/EA4/Apache+Module:+ModSecurity
Important:

If your system uses either the mod_ruid2 or the mod_mpm_itk Apache modules and also uses Persistent Storage with the initcol, setuid, or setsid directives in the ModSecurity rules, Apache will fail to track that rule. Apache will also log errors to its error_log file. For example, the IP Reputation rule in the OWASP core ruleset may give this error.

So is there a way to implement without persistent storage and not have to choose between the two? The point of this thread (there are several on this topic) is that the documentation is not clear.

Thanks for clarifying.
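
An added example (not part of the post above, and not cPanel or ModSecurity code): a Python scan that lists which rules in a ruleset use the initcol, setuid or setsid actions named in the quoted documentation, so an administrator running mod_ruid2 or mod_mpm_itk can see which rules are affected. The sample rules, their ids and the function names are constructed for illustration.

```python
import re

# Actions the quoted cPanel documentation ties to persistent storage.
PERSISTENT_ACTIONS = ("initcol", "setuid", "setsid")
_SEP = r"""(?:^|[\s,"'])"""  # an action name follows whitespace, a comma or a quote
ACTION_RE = re.compile(_SEP + r"(%s)\s*:" % "|".join(PERSISTENT_ACTIONS))
ID_RE = re.compile(_SEP + r"id\s*:\s*'?(\d+)")

# Constructed sample ruleset (not taken from the OWASP CRS or a real server).
SAMPLE_RULES = r'''
# per-IP collection
SecAction \
    "id:900001,phase:1,nolog,pass,\
    initcol:ip=%{REMOTE_ADDR}"
SecRule REQUEST_COOKIES:PHPSESSID "!^$" \
    "id:900002,phase:2,nolog,pass,setsid:%{REQUEST_COOKIES.PHPSESSID}"
SecRule ARGS "@rx <script" "id:900003,phase:2,deny,status:403"
# SecAction "id:900004,phase:1,pass,setuid:%{ARGS.username}"
SecRule ARGS:username "!^$" "id:900005,phase:2,nolog,pass,setuid:%{ARGS.username}"
'''

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_number, directive)."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # blank line or comment outside a continuation
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf

def find_persistent_rules(text):
    """Return (line, rule_id, actions) for each SecRule/SecAction that uses them."""
    hits = []
    for no, directive in logical_lines(text):
        if directive.split(None, 1)[0] not in ("SecRule", "SecAction"):
            continue
        actions = sorted(set(ACTION_RE.findall(directive)))
        if actions:
            rule_id = ID_RE.search(directive)
            hits.append((no, rule_id.group(1) if rule_id else None, actions))
    return hits

if __name__ == "__main__":
    for line_no, rule_id, actions in find_persistent_rules(SAMPLE_RULES):
        print(f"line {line_no}: rule {rule_id} uses {', '.join(actions)}")
```

To check a real ruleset, pass the text of each ModSecurity rule file to `find_persistent_rules` in place of the sample.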
 

sonicthoughts

SpiderLabs say they resolved this in modsec 3 - are there plans to use that? Geo Lookup: Failed to lock proc mutex · Issue #1168 · SpiderLabs/ModSecurity · GitHub
Also, yet again the docs are confusing: Current Status of EasyApache 4 - EasyApache 4 - cPanel Documentation says: "In EasyApache 3, an existing bug with ModSecurity2 and the mod_ruid2 and mod_mpm_itk Apache modules causes some tracking functionality to not work properly with per-user MPMs. We added a conflict to the RPMS in EasyApache 4, so that you cannot install the mod_ruid2 or mod_mpm_itk Apache modules with ModSecurity2. cPanel cannot fix this bug, as this is a ModSecurity2 issue."
So if I upgrade to EA4 you will force the disable? Others say it will work? Again confused and frustrated that this does not seem to be taken seriously.
 

JacobPerkins

Hi,

ModSec3 is not ready for production, as stated on their github:
"Notice: This project is under development and it is NOT ready to be placed in production yet. It currently does not support all the operators and/or actions of the SecRules language, yet."

We're not going to send out non-stable modules, especially for a WAF that's as popular as ModSecurity. As of June 15th, we have removed the RPM conflict between RUID2/ITK and ModSec, so you can use them again, however the bug still persists.

Thanks for letting us know about the Current Status page, I updated it this morning, but it's in the queue to be published. That will get updated shortly.
 

olie Murphy

Ok, on EA3 I just discovered that ITK will ONLY work with Apache 2.2 - that is really disappointing. There is really no good option here for performance and it is really hard to follow what works with which version.
 

JacobPerkins

Hi,

I'm not sure what we can do by contacting Felipe. These are not issues we can solve, and we are not going to use ModSec 3 until it's production ready. I would recommend having Felipe backport those fixes into ModSec 2.9 so it can be used by those who are using ModSec.
 

mariusfv

@cPJacob - Can you please look at the logs provided in the first post here: Easyapache 4 + Modsecurity + Mod_ruid2 errors

I was redirected to this topic and I've read here "We are not going to use ModSec 3, because it is not ready for production environments".

My question is: when will the conflict between Easyapache 4 + Modsecurity + Mod_ruid2 be solved?

Security should be cPanel's first concern!

PS

Mod_ruid2 is still experimental in 2017? - The only solution for symlink attacks available as a 1-click install via WHM (not advanced sys admins).