cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
Hello @mariusfv,

Mod Security 3 isn't developed by cPanel and is not yet production ready. There's no specific time frame to offer on its inclusion at this time.

Mod_ruid2 is still experimental in 2017? - The only solution for symlink attacks available at 1 click install via WHM(not advanced sys admins).
You may want to consider using the cPanel Hardened Kernel if you are using CentOS 6.x:

How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

Otherwise, a solution such as CageFS from CloudLinux would help. A full list of symlink protection solutions with EasyApache 4 is available at:

Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

Thank you.
 

mariusfv

Active Member
Mar 24, 2013
39
7
133
Romania
cPanel Access Level
Root Administrator
Hello @mariusfv,

Mod Security 3 isn't developed by cPanel and is not yet production ready. There's no specific time frame to offer on its inclusion at this time.
@cPanelMichael my mistake: I was referring to Modsecurity 2!

Mod Security 2 & mod_ruid2 are installed by default in EasyApache 4 -> cPanel default package and process the rules 3.0.0, which confused me into saying ModSecurity 3 :)

vi /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf

Code:
SecComponentSignature "OWASP_CRS/3.0.0"
So in prefork MPM (not ITK) cPanel installs ModSecurity 2 + mod_ruid2 and has a lot of conflicts (was solved prefork + modsecurity 2 + mod_ruid2).

See a few of them:

tail -f /usr/local/apache/logs/error_log

Code:
[Wed Feb 15 05:00:21.491873 2017] [:error] [pid 20211] [client 66.xxx.xxx.xxx] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/hazo/yglx.php"] [unique_id "[email protected]"]
[Wed Feb 15 05:00:21.661856 2017] [:error] [pid 20211] [client 66.xxx.xxx.xxx] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/index.php"] [unique_id "[email protected]"]
So, as long as this is the default cPanel EasyApache 4 package, can someone investigate and open a case?

Thanks!
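
One way to triage the error_log lines posted above, as an added example that is not part of the original thread or of cPanel's tooling: it parses ModSecurity "Permission denied" errors and counts them per virtual host, component and DBM file, which shows which persistent state ModSecurity is failing to read or write. The sample log is constructed from the two lines in the post, with placeholder client address and unique_id values and one constructed unrelated line.

```python
import re
from collections import Counter

# Constructed sample modelled on the error_log lines in the post above;
# client address and unique_id values are placeholders, line 3 is invented.
SAMPLE_LOG = """\
[Wed Feb 15 05:00:21.491873 2017] [:error] [pid 20211] [client 203.0.113.7] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/hazo/yglx.php"] [unique_id "PLACEHOLDER-1"]
[Wed Feb 15 05:00:21.661856 2017] [:error] [pid 20211] [client 203.0.113.7] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/index.php"] [unique_id "PLACEHOLDER-2"]
[Wed Feb 15 05:00:22.100000 2017] [:error] [pid 20212] [client 203.0.113.9] ModSecurity: Warning. Constructed unrelated rule message. [hostname "www.example.com"] [uri "/search.php"] [unique_id "PLACEHOLDER-3"]
"""

# Timestamp, log level, pid, client, then the ModSecurity message up to
# ": Permission denied", followed by the trailing [key "value"] tags.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<msg>.*?): Permission denied(?P<tags>( \[\w+ "[^"]*"\])*)\s*$'
)
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
DBM_RE = re.compile(r'DBM file "([^"]+)"')


def parse_denials(log_text):
    """Return one dict per ModSecurity 'Permission denied' error line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a permission failure, e.g. an ordinary rule hit
        tags = dict(TAG_RE.findall(m.group("tags")))
        dbm = DBM_RE.search(m.group("msg"))
        events.append({
            "time": m.group("ts"),
            "pid": int(m.group("pid")),
            "component": m.group("msg").split(":", 1)[0],
            "dbm_file": dbm.group(1) if dbm else None,
            "hostname": tags.get("hostname"),
            "uri": tags.get("uri"),
        })
    return events


def summarize(events):
    """Count failures per (vhost, component, DBM file)."""
    return Counter((e["hostname"], e["component"], e["dbm_file"]) for e in events)


if __name__ == "__main__":
    for (host, comp, path), n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{n:4d}  {host}  {comp}  {path or '-'}")
```
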
 

cPanelMichael

Administrator
Staff member
Hello,

This isn't an issue we can fix. Here's a quote from earlier on this thread explaining why:

This problem has been around for years. cPanel is not able to take any action on this. We are not keen enough on the internals of ModSecurity to patch and ensure we didn't break anything else. This is why I feel we need to push on the ModSec development team to get this fixed, as this bug lies with them, not with cPanel or RUID2/ITK.
Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
Jun 18, 2015
16
4
3
Maarheeze
cPanel Access Level
Root Administrator
Hello,

This issue will still occur when using Mod_Ruid2 and Mod_Security. The topic is discussed in more detail on the URL referenced in the earlier response:

ModSecurity + MPM ITK compatibility - inconsistent documentation

Note that the title references MPM ITK, but the same issue applies to Ruid2.

Thank you.
I have read the posts on the page with the URL you provided above, but this is not enough, I am afraid.
Please answer the following questions as correctly and realistically as you can.
- Will there be a solution from your side (cPanel) on this before January 1, 2018?
- If not, what is your professional advice for me (your client) on how to solve this?

Regards
 

cPanelMichael

Administrator
Staff member
Hello,

Internal case EA-4093 is currently in-progress with the aim of offering support for MPM-ITK and Mod_Ruid2 with Mod_Security. We'll update this thread with more information on the status of this case as it becomes available.

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
I'd totally forgotten that this issue existed. I disabled RUID2 due to some incompatibilities with a PHP version.
I've since updated PHP and re-enabled RUID2 to find that this issue is still ongoing.
Maybe 3 years now.

What sort of realistic timescale is there for a fix, please?
 

Anoop P Alias

Well-Known Member
Mar 31, 2015
103
16
18
Kochi,Kerala,India
cPanel Access Level
Root Administrator
PHP-FPM is better than mod_ruid. If you wish to use modsec and use mod_ruid, you can install a good nginx web server alternative with mod_sec support. Mod_sec is processing the request, so having a frontend web server act as WAF is equally fine as the web server doing both WAF and PHP processing.
 

cPanelMichael

Administrator
Staff member
What sort of realistic timescale is there for a fix, please?
It's tentatively expected for cPanel version 66.

Thank you.

Update: This is no longer planned for cPanel 66 due to some issues encountered during testing. A resolution will likely come with a production release of ModSecurity 3.x (no ETA on that at this time).
 

cPanelMichael

Administrator
Staff member
Checking up on progress, has anything changed since 4 months ago?
There are no plans to implement a change at this time. We'd need to wait until ModSecurity 3.x is available as a production release before any further changes are considered. In the meantime, depending on the specific issue you are facing, you may find this thread helpful:

ModSecurity - SecDataDir

Thank you.