ModSecurity + MPM ITK compatibility

[cPanelMichael]

Hello @mariusfv,

Mod Security 3 isn't developed by cPanel and is not yet production ready. There's no specific time frame to offer on it's inclusion at this time.

Mod_ruid2 is still experimental in 2017? - The only solution for symlink attacks available at 1 click install via WHM(not advanced sys admins).

You may want to consider using the cPanel Hardened Kernel if you are using CentOS 6.x:

How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

Otherwise, a solution such as CageFS from CloudLinux would help. A full list of symlink protection solutions with EasyApache 4 is available at:

Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

Thank you.

 

[mariusfv]

Hello @mariusfv,

Mod Security 3 isn't developed by cPanel and is not yet production ready. There's no specific time frame to offer on it's inclusion at this time.

@cPanelMichael my mistake: I was referring to Modsecurity 2!

Mod Security 2 & mod_ruid2 is installed by default in Easyapache 4 -> cPanel default package and process the rules 3.0.0 that confuse me to say Modsecurity 3

vi /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf

SecComponentSignature "OWASP_CRS/3.0.0"

So in prefork MPM(not ITK) cPanel install Modsecurity 2 + mod_ruid2 and have a lot of conflicts(was solved prefork + modsecurity 2 + mod_ruid2).

See few of them:

tail -f /usr/local/apache/logs/error_log

[Wed Feb 15 05:00:21.491873 2017] [:error] [pid 20211] [client 66.xxx.xxx.xxx] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/hazo/yglx.php"] [unique_id "[email protected]"]
[Wed Feb 15 05:00:21.661856 2017] [:error] [pid 20211] [client 66.xxx.xxx.xxx] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/index.php"] [unique_id "[email protected]"]

So, as long is default cPanel Easyapache 4 package can someone investigate and open a case?

Thanks!

 

[cPanelMichael]

Hello,

This isn't an issue we can fix. Here's a quote from earlier on this thread explaining why:

This problem has been around for years. cPanel is not able to take any action on this. We are not keen enough on the internals of ModSecurity to patch and ensure we didn't break anything else. This is why I feel we need to push on the ModSec development team to get this fixed, as this bug lies with them, not with cPanel or RUID2/ITK.

Thank you.

 

[mariusfv]

@cPanelMichael do you have the official Modsecurity github or forum link where to report / discuss bugs?
Thanks.

 

[cPanelMichael]

@cPanelMichael do you have the official Modsecurity github or forum link where to report / discuss bugs?
Thanks.

Hello,

ModSecurity: Open Source Web Application Firewall
ModSecurity GitHub
ModSecurity / Mailing Lists

Thank you.

 

[mariusfv]

Can somebody from cPanel team or anyone else who use Modsecurity + mod_ruid2 to support this issue on Modsecurity Github as long as cPanel confirm this bug as Modsecurity side?

Link: cPanel confirmed - Modsecurity incompatibility with Mod_ruid2 · Issue #1334 · SpiderLabs/ModSecurity · GitHub

Thanks!

 

[Jan-Paul Kleijn]

Hello,

This issue will still occur when using Mod_Ruid2 and Mod_Security. The topic is discussed in more detail on the URL referenced in the earlier response:

ModSecurity + MPM ITK compatibility - inconsistent documentation

Note that the title references MPM ITK, but the same issue applies to Ruid2.

Thank you.

I have read the posts on the page with the URL you provided above but this is not enough I am afraid.
Please answer the following questions as correctly and realistic as you can.
- Will there be a solution from your side (cPanel) on this before Januari 1 2018?
- If not what is your professional advice for me (your client) on how to solve this?

Regards

 

[cPanelMichael]

Hello,

Internal case EA-4093 is currently in-progress with the aim of offering support for MPM-ITK and Mod_Ruid2 with Mod_Security. We'll update this thread with more information on the status of this case as it becomes available.

Thank you.

 

[keat63]

I'd totally forgotten that this issue existed. I disabled RUID2 due to some incompatibilities with a PHP version.
I've since updated PHP and re-enabled RUID2 to find this this issue is still ongoing.
Maybe 3 years now.

What sort of realistic timescale is there for a fix please.

 

[Anoop P Alias]

PHP-FPM is better than mod_ruid . If you wish to use modsec and use mod_ruid ..you can install a good nginx web server alternative with mod_sec support .Mod_sec is processing the request so having a frontend web server act as WAF is equally fine as the web server doing both WAF and PHP processing

 

[cPanelMichael]

What sort of realistic timescale is there for a fix please.

It's tentatively excepted for cPanel version 66.

Thank you.

Update: This is no longer planned for cPanel 66 due to some issues encountered during testing. A resolution will likely come with a production release of ModSecurity 3.x (no ETA on that at this time).

 

[Jan-Paul Kleijn]

PHP-FPM is better than mod_ruid . If you wish to use modsec and use mod_ruid ..you can install a good nginx web server alternative with mod_sec support .Mod_sec is processing the request so having a frontend web server act as WAF is equally fine as the web server doing both WAF and PHP processing

Is this relevant to this issue?

 

[Jan-Paul Kleijn]

Checking up on progress, has anything changed since 4 months ago?

 

[cPanelMichael]

Checking up on progress, has anything changed since 4 months ago?

There are no plans to implement a change at this time. We'd need to wait until ModSecurity 3.x is available as a production release until any further changes are considered. In the meantime, depending on the specific issue you are facing, you may find this thread helpful:

ModSecurity - SecDataDir

Thank you.