The Community Forums


ModSecurity question (in WHM 11.48)

Discussion in 'Security' started by mtindor, Feb 4, 2015.

  1. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    1. When upgrading to 11.48, will the update blow away an existing ModSecurity setup?

    I've been running the Atomic ruleset for years on servers I maintain. I prefer to keep it that way, at least for now. If I upgrade to 11.48, is anything at all going to get changed in the process (like modsec2.conf, modsec2.user.conf) ?

    2. In 11.48, is there a "restore ModSecurity to stock/default" ?

    Assuming I've backed up my existing ModSec configuration and want to try out the cPanel ModSecurity Solution including OWASP rules, is there a way to tell cPanel to totally wipe out existing modsec2.conf, modsec2.cpanel.conf and modsec2.user.conf and populate them with default settings and such before I attempt to install the OWASP rules?

    I really want to make sure that I won't suddenly be surprised by a nonfunctioning modsecurity when updating to 11.48, and I really want to make sure that if I want to try out OWASP I can "start from scratch" and have only the information in modsec2.conf and modsec2.user.conf that cPanel provides.

    I tested out the OWASP ruleset last night, and I don't like its defaults. First off, it appears that if a rule is triggered, the end user has no clue -- basically, the request gets redirected back to http://FQDN. So if I sent http://www.mysite.com/index.php?get=http://www.foo.bar, modsecurity would show the rule as triggering and then would redirect the visitor to http://www.mysite.com. I'm so used to having a 403 or 406 error generated, and would prefer to keep it that way.

    I also noticed that when running the OWASP rules, I would often see this in the Apache error log:

    [Wed Feb 04 00:47:42.437126 2015] [:error] [pid 3560] [client 66.249.64.17] ModSecurity: Rule processing failed. [hostname "mysite.com"] [uri "/robots.txt"] [unique_id "VNGyfkJUCPQAAA3o0E0AAAAC"]

    With issues like that, I have a very low confidence level in the cPanel+OWASP solution at this time. Maybe it's my configuration. And that's why I'm asking if there is a way to simply tell cPanel "revert back to a stock/default configuration" after I've removed OWASP rules. Then I can start from scratch attempting to get the OWASP rules working again.

    Mike
     
  2. filoucp

    filoucp Member

    Joined:
    Aug 28, 2005
    Messages:
    9
    Likes Received:
    1
    Trophy Points:
    3
    I've seen a lot of this in my logs too. I had to deactivate the OWASP rules for the moment. Any idea if a specific rule can be causing this error?

    Filou
     
  3. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    A rule might be. Hard to tell. I'm not inclined to investigate any further. If the ruleset doesn't work 100% I'm not interested. If the ruleset requires tons of exceptions to be made for Wordpress/Joomla sites, I'm not interested. I don't have any of these problems with Atomicorp.

    Mike
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    1. Your current rules are not disabled or modified when you update to 11.48. There are no tools to backup the existing rules automatically, but you could copy over the Mod_Security configuration files via the command line. Have you reviewed the "WHM Home » Security Center » ModSecurity™ Configuration" option to see the interface? The OWASP ruleset is not enabled by default. Please see:

    OWASP ModSecurity CRS
    ModSecurity Configuration
    ModSecurity Tools

    Let us know if you have any questions about using the interface.

    2. As far as the "Rule processing failed" messages, are those the only messages you see in /usr/local/apache/logs/error_log when this happens? Is Mod_Ruid2 enabled?

    Thank you.
     
  5. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Michael,

    I'm not concerned about backing up my current modsecurity configuration. I do / have done so. My concern is specifically that I want to test out the OWASP rules, but I want to make sure that there is no legacy information [from my previous configuration using Atomicorp rules] left in my modsec2.conf or modsec2.user.conf. That's easy enough for me to make sure that doesn't exist.

    However, I think there needs to be a way for me to guarantee that what IS in the modsec2.conf and modsec2.user.conf is exactly what cPanel would put in there if (a) this was a brand new machine and (b) I had never previously installed modsecurity via EA and attempted to activate it.

    If I just remove all existing content from modsec2.conf, modsec2.user.conf and modsec2.cpanel.conf, Apache will run fine but there will certainly be no rules [not even basic rules] active. And that is why I need to know what should be contained in those files.

    None of my machines are brand new deploys, and all of my machines are currently configured to use Atomicorp rules with configurations specifically suggested by Atomicorp. So before I attempt to switch to using the most basic of modsecurity [as provided solely by cPanel], I need to know what cpanel would have put in the modsec2.conf, modsec2.user.conf and modsec2.cpanel.conf of a newly installed server. [this is why I say that cPanel should have an option in the interface to restore to a completely default stock modsecurity configuration]

    No, I certainly see items in the logfile that would suggest that rules are being triggered and bad things are being blocked. But along with those "normal" entries I see the "Rule Processing failed" lines.

    No, not mod_ruid2. I'm running CL6, AP 2.4.12, PHP 5.3.47, suPHP on this particular machine that I was testing with.

    Mike
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,453
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Include "/usr/local/apache/conf/modsec2.cpanel.conf"

    Nothing I don't think.

    If new Vendor Rules are installed but disabled:

    Code:
    ################################################################
    ## This file is automatically generated from the data kept in ##
    ## /var/cpanel/modsec_cpanel_conf_datastore.                  ##
    ##                                                            ##
    ## Manual changes made directly here will be lost when the    ##
    ## file is regenerated.                                       ##
    ################################################################
    
    ##
    ## ModSecurity fixed global configuration directives
    ##
    
    SecDataDir "/var/cpanel/secdatadir"
    
    ##
    ## ModSecurity manageable global configuration directives
    ##
    
    SecAuditEngine "RelevantOnly"
    SecConnEngine "On"
    SecRuleEngine "On"
    
    ##
    ## ModSecurity configuration file includes:
    ##
    
    (This area is populated with Includes if Rules are enabled.)
    
    ##
    ## ModSecurity disabled rules:
    ##
    Whenever you enable or disable the "Vendor Rulesets", the Includes are added to or removed from that file.

    In, WHM » Security Center » Manage Vendors, you can choose to delete the Vendor Rules. Once it's been deleted, it will show up again, but now showing as not installed.
     
  7. kjg

    kjg Well-Known Member

    Joined:
    Mar 2, 2004
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    16
    Have the same problems with "Rule processing failed".
    Thousands of instances in apache error_log on each server since activating OWASP rules.
    ex:
    [Thu Feb 05 15:35:46 2015] [error] [client xx.xx.xx.xx] ModSecurity: Rule processing failed. [hostname "www.domain.com"] [uri "/robots.txt"] [unique_id "VNN-wlETsmIADEpzSoAAAAO"]
    [Thu Feb 05 15:35:46 2015] [error] [client yy.yy.yy.yy] ModSecurity: Rule processing failed. [hostname "www.anotherdomain.com"] [uri "/index.php"] [unique_id "VNN-wlETsmIADEpxCAAAAAB"]

    The uri shows all kinds of files (txt, jpg, php etc etc)

    When checking in the modsec database, they do not show up there. Searching for the IPs that are in the error_log gives no result.

    The same issue on 5 different servers where we have tested the new modsec in 11.48

    When checking the IPs in the rows, I see that lots of them are bots (googlebot, msn, ahref, etc).

    Any ideas how to stop this behaviour?
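
The "Rule processing failed" noise reported in this post and in the opening post can be attributed before deciding whether it matters. The following is an added example, not code from the thread or from cPanel: a small POSIX shell helper that summarises those entries from an Apache error_log (the path /usr/local/apache/logs/error_log named earlier in the thread is assumed as the real input) by hostname/URI and by client IP, and separates them from genuine rule hits, which carry an [id "..."] field. It handles both the Apache 2.2 and 2.4 line formats quoted above. The sample log is constructed for the example; the rule-hit line, its rule id and the IPs other than the one quoted in the thread are illustrative.

```shell
#!/bin/sh
# Added example: attribute "ModSecurity: Rule processing failed." entries in an
# Apache error_log. Usage on a server: modsec_failed_by_uri /usr/local/apache/logs/error_log
# Assumption: the log path is passed as $1; nothing here is cPanel's own tooling.

# Constructed sample log (not a real capture), modelled on the lines quoted in the
# thread: one Apache 2.4 line, three Apache 2.2 lines, one illustrative rule hit
# with an [id "..."] field, and one unrelated error line that must be ignored.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Wed Feb 04 00:47:42.437126 2015] [:error] [pid 3560] [client 66.249.64.17] ModSecurity: Rule processing failed. [hostname "mysite.com"] [uri "/robots.txt"] [unique_id "VNGyfkJUCPQAAA3o0E0AAAAC"]
[Thu Feb 05 15:35:46 2015] [error] [client 203.0.113.10] ModSecurity: Rule processing failed. [hostname "www.domain.com"] [uri "/robots.txt"] [unique_id "VNN-wlETsmIADEpzSoAAAAO"]
[Thu Feb 05 15:35:46 2015] [error] [client 203.0.113.11] ModSecurity: Rule processing failed. [hostname "www.anotherdomain.com"] [uri "/index.php"] [unique_id "VNN-wlETsmIADEpxCAAAAAB"]
[Thu Feb 05 15:35:47 2015] [error] [client 203.0.113.10] ModSecurity: Rule processing failed. [hostname "www.domain.com"] [uri "/robots.txt"] [unique_id "VNN-wlETsmIADEpzSoAAAAP"]
[Thu Feb 05 15:36:01 2015] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^https?:" at ARGS:get. [file "modsecurity_crs_40_generic_attacks.conf"] [line "57"] [id "950117"] [msg "Remote File Inclusion Attack"] [hostname "www.mysite.com"] [uri "/index.php"] [unique_id "VNN-wlETsmIADEpxCAAAAAC"]
[Thu Feb 05 15:36:02 2015] [error] [client 198.51.100.7] File does not exist: /home/user/public_html/favicon.ico
EOF

# "count hostname uri" for failure lines only, most frequent first.
modsec_failed_by_uri() {
  grep 'ModSecurity: Rule processing failed' "$1" |
    sed -n 's/.*\[hostname "\([^"]*\)"\] \[uri "\([^"]*\)"\].*/\1 \2/p' |
    sort | uniq -c | sort -rn
}

# Distinct client IPs behind the failures (a :port suffix, if Apache logs one, is
# dropped). Feed these to host/whois to confirm the crawler theory from the thread.
modsec_failed_clients() {
  grep 'ModSecurity: Rule processing failed' "$1" |
    sed -n 's/.*\[client \([^]:]*\).*/\1/p' |
    sort -u
}

# Number of failure lines. "|| true" keeps the printed 0 when there are none
# (grep -c exits 1 on no match, which would trip a caller running under set -e).
modsec_failed_count() {
  grep -c 'ModSecurity: Rule processing failed' "$1" || true
}

# Number of genuine rule hits: ModSecurity lines that carry a rule id.
modsec_hit_count() {
  grep 'ModSecurity:' "$1" | grep -c '\[id "' || true
}

echo "failures: $(modsec_failed_count "$SAMPLE_LOG"), rule hits: $(modsec_hit_count "$SAMPLE_LOG")"
echo "failures by host/uri:"
modsec_failed_by_uri "$SAMPLE_LOG"
echo "client IPs behind the failures:"
modsec_failed_clients "$SAMPLE_LOG"
```

On the sample this prints 4 failures against 1 rule hit, with www.domain.com /robots.txt at the top of the list. The failure lines carry no [id "..."] field, which is consistent with the observation in this post that they never appear in the WHM hit list, and explains why an IP from error_log cannot be found there: there is no rule to attribute the entry to.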
     
  8. Brian

    Brian Well-Known Member

    Joined:
    Dec 1, 2010
    Messages:
    117
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    From 11.46 and forward, there are two files that should never be manually edited or otherwise put customizations within:

    modsec2.conf
    modsec2.cpanel.conf

    Both of those files are "managed" by cPanel & WHM and you're at risk of your customizations being blown away when they're regenerated/managed by cPanel & WHM be it through update processes or if a user makes changes through WHM.

    The only file that supports customization is:

    modsec2.user.conf

    Please put all customizations in that file. It will never be modified by cPanel & WHM automatically. The only way this file sees changes is if (1) you manually do it, or (2) you manually use the custom rule editor in WHM to make a change to a rule in that file.

    With regard to stock/default, kind of in line with the above, the only file you'd have to empty out is modsec2.user.conf. Doing so would put the custom rules back to stock (empty). The other files cPanel & WHM relies upon would be forcibly set as needed (modsec2.cpanel.conf and modsec2.conf) when running a cPanel update or using the ModSecurity Configuration/Tools feature in WHM.
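
Putting the file roles described above into a repeatable procedure: the following is an added example, not cPanel's own tooling and not code from the thread. It backs up the three modsec2 files, lists every Include they load (so a leftover hand-installed vendor Include is visible before switching rulesets), resets the only admin-owned file, modsec2.user.conf, to stock, and runs a syntax check. Assumptions: the EasyApache 3 layout with the files under /usr/local/apache/conf (override with CONF_DIR); "stock" for the user file means empty, as Brian describes, or a copy of a shipped default if you point it at one (a later post names /home/cpeasyapache/src/modsec2.user.conf.default). modsec2.conf and modsec2.cpanel.conf are deliberately not rewritten, because cPanel regenerates them. The demo directory contents are constructed for the example, including the invented old_vendor_rules.conf Include.

```shell
#!/bin/sh
# Added example (not cPanel's tooling): back up, inspect and reset ModSecurity files
# on a cPanel 11.48 / EasyApache 3 server. Real-server usage:
#   modsec_backup "$CONF_DIR" /root/modsec-backups
#   modsec_includes "$CONF_DIR"
#   modsec_reset_user_conf "$CONF_DIR" /home/cpeasyapache/src/modsec2.user.conf.default
#   modsec_configtest
# Assumption: CONF_DIR is where the modsec2.*.conf files live.
CONF_DIR="${CONF_DIR:-/usr/local/apache/conf}"
MODSEC_FILES="modsec2.conf modsec2.cpanel.conf modsec2.user.conf"

# Copy the three files into a timestamped directory below $2; prints that directory.
modsec_backup() {
  dest="$2/modsec-backup-$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$dest"
  for f in $MODSEC_FILES; do
    if [ -f "$1/$f" ]; then cp -p "$1/$f" "$dest/$f"; fi
  done
  echo "$dest"
}

# Show which rule files are actually loaded: every Include in the three files,
# as file:line:directive. An Include pointing at a hand-installed vendor file
# is a leftover from the previous setup.
modsec_includes() {
  for f in $MODSEC_FILES; do
    if [ -f "$1/$f" ]; then
      grep -n '^[[:space:]]*Include' "$1/$f" | sed "s|^|$f:|" || true
    fi
  done
}

# Reset modsec2.user.conf: copy the shipped default if $2 names an existing file,
# otherwise truncate it. The two cPanel-managed files are left untouched.
modsec_reset_user_conf() {
  if [ -n "$2" ] && [ -f "$2" ]; then
    cp -p "$2" "$1/modsec2.user.conf"
  else
    : > "$1/modsec2.user.conf"
  fi
}

# Syntax-check before restarting Apache; skipped where no apachectl exists.
modsec_configtest() {
  if command -v apachectl >/dev/null 2>&1; then
    apachectl configtest
  else
    echo "apachectl not found, skipping configtest"
  fi
}

# Constructed stand-in for a server's conf directory (not a real capture): the
# Include quoted in the thread for modsec2.conf, a generated-style header for
# modsec2.cpanel.conf, and an invented leftover vendor Include in modsec2.user.conf.
modsec_demo_setup() {
  mkdir -p "$1"
  printf 'Include "/usr/local/apache/conf/modsec2.cpanel.conf"\n' > "$1/modsec2.conf"
  printf '## generated from /var/cpanel/modsec_cpanel_conf_datastore\nSecRuleEngine "On"\n' > "$1/modsec2.cpanel.conf"
  printf '# constructed leftover from a hand-maintained setup\nInclude "/usr/local/apache/conf/old_vendor_rules.conf"\n' > "$1/modsec2.user.conf"
}

# Stand-alone demo in a temporary directory so nothing on the host is touched.
DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT
modsec_demo_setup "$DEMO/conf"
echo "backed up to: $(modsec_backup "$DEMO/conf" "$DEMO/backups")"
echo "includes before reset:"; modsec_includes "$DEMO/conf"
modsec_reset_user_conf "$DEMO/conf" ""
echo "includes after reset:"; modsec_includes "$DEMO/conf"
modsec_configtest
```

Before the reset the demo lists two Includes (the cPanel one in modsec2.conf and the constructed vendor one in modsec2.user.conf); after it, only the cPanel one remains. On a real server, run modsec_includes again after enabling a vendor ruleset in WHM to confirm that the new Includes landed in modsec2.cpanel.conf, as the generated-file listing earlier in the thread shows.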
     
  9. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Thank you for the detailed response, Brian.

    - M
     
  10. sonicthoughts

    sonicthoughts Well-Known Member

    Joined:
    Apr 4, 2011
    Messages:
    61
    Likes Received:
    3
    Trophy Points:
    8
    Will existing rules conflict or duplicate? What is the default modsec2.conf / modsec2.user.conf? I also have modsec2.whitelist.conf - is that still being used? (I believe it is called from the modsec2.user.conf file.)

    I see some defaults here: /home/cpeasyapache/src/modsec2.user.conf.default - please invest in documentation and clarification of this - the update screen does not mention the need to make all these changes.
     
  11. filoucp

    filoucp Member

    Joined:
    Aug 28, 2005
    Messages:
    9
    Likes Received:
    1
    Trophy Points:
    3
    Any update on this problem ?

    Filou
     
  13. vgermovil

    vgermovil Registered

    Joined:
    Feb 12, 2015
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    yes to last 2 questions

    I am using mod_ruid2 & owasp. What about redirection errors in wordpress or internal error 500 if I disable modsecurity?
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Re: yes to last 2 questions

    Please see the following post regarding Mod_Ruid2 and Mod_Security:

    Mod_Ruid2 and Mod_Security Compatibility

    You shouldn't receive error messages when disabling Mod_Security.

    Thank you.
     