ModSecurity question (in WHM 11.48)

mtindor (Well-Known Member, joined Sep 14, 2004; cPanel Access Level: Root Administrator)
1. When upgrading to 11.48, will the update blow away an existing ModSecurity setup?

I've been running the Atomic ruleset for years on servers I maintain. I prefer to keep it that way, at least for now. If I upgrade to 11.48, is anything at all going to get changed in the process (like modsec2.conf, modsec2.user.conf) ?

2. In 11.48, is there a "restore ModSecurity to stock/default" ?

Assuming I've backed up my existing ModSec configuration and want to try out the cPanel ModSecurity Solution including OWASP rules, is there a way to tell cPanel to totally wipe out existing modsec2.conf, modsec2.cpanel.conf and modsec2.user.conf and populate them with default settings and such before I attempt to install the OWASP rules?

I really want to make sure that I won't suddenly be surprised by a nonfunctioning modsecurity when updating to 11.48, and I really want to make sure that if I want to try out OWASP I can "start from scratch" and have only the information in modsec2.conf and modsec2.user.conf that cPanel provides.

I tested out the OWASP ruleset last night, and I don't like its defaults. First off, it appears that if a rule is triggered, the end user has no clue -- basically, the request gets redirected back to http://FQDN. So if I sent http://www.mysite.com/index.php?get=http://www.foo.bar, modsecurity would show the rule as triggering and then would redirect the visitor to http://www.mysite.com. I'm so used to having a 403 or 406 error generated, and would prefer to keep it that way.

I also noticed that when running the OWASP rules, I would often see this in the Apache error log:

[Wed Feb 04 00:47:42.437126 2015] [:error] [pid 3560] [client 66.249.64.17] ModSecurity: Rule processing failed. [hostname "mysite.com"] [uri "/robots.txt"] [unique_id "VNGyfkJUCPQAAA3o0E0AAAAC"]

With issues like that, I have a very low confidence level in the cPanel+OWASP solution at this time. Maybe it's my configuration. And that's why I'm asking if there is a way to simply tell cPanel "revert back to a stock/default configuration" after I've removed OWASP rules. Then I can start from scratch attempting to get the OWASP rules working again.

Mike
 

filoucp (Member, joined Aug 28, 2005)
> I also noticed that when running the OWASP rules, I would often see this in the Apache error log:
>
> [Wed Feb 04 00:47:42.437126 2015] [:error] [pid 3560] [client 66.249.64.17] ModSecurity: Rule processing failed. [hostname "mysite.com"] [uri "/robots.txt"] [unique_id "VNGyfkJUCPQAAA3o0E0AAAAC"]
>
> Mike

I've seen a lot of this in my logs too. I had to deactivate the OWASP rules for the moment. Any idea if a specific rule can be causing this error?

Filou
 

mtindor (Well-Known Member, joined Sep 14, 2004; cPanel Access Level: Root Administrator)
> I've seen a lot of this in my logs too. I had to deactivate the OWASP rules for the moment. Any idea if a specific rule can be causing this error?
>
> Filou

A rule might be. Hard to tell. I'm not inclined to investigate any further. If the ruleset doesn't work 100% I'm not interested. If the ruleset requires tons of exceptions to be made for Wordpress/Joomla sites, I'm not interested. I don't have any of these problems with Atomicorp.

Mike
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Hello :)

1. Your current rules are not disabled or modified when you update to 11.48. There are no tools to backup the existing rules automatically, but you could copy over the Mod_Security configuration files via the command line. Have you reviewed the "WHM Home » Security Center » ModSecurity™ Configuration" option to see the interface? The OWASP ruleset is not enabled by default. Please see:

OWASP ModSecurity CRS
ModSecurity Configuration
ModSecurity Tools

Let us know if you have any questions about using the interface.

2. As far as the "Rule processing failed" messages, are those the only messages you see in /usr/local/apache/logs/error_log when this happens? Is Mod_Ruid2 enabled?

Thank you.
 

mtindor (Well-Known Member, joined Sep 14, 2004; cPanel Access Level: Root Administrator)
> Hello :)
>
> 1. Your current rules are not disabled or modified when you update to 11.48. There are no tools to backup the existing rules automatically, but you could copy over the Mod_Security configuration files via the command line. Have you reviewed the "WHM Home » Security Center » ModSecurity™ Configuration" option to see the interface? The OWASP ruleset is not enabled by default. Please see:
>
> OWASP ModSecurity CRS
> ModSecurity Configuration
> ModSecurity Tools
>
> Let us know if you have any questions about using the interface.

Michael,

I'm not concerned about backing up my current modsecurity configuration. I do / have done so. My concern is specifically that I want to test out the OWASP rules, but I want to make sure that there is no legacy information [from my previous configuration using Atomicorp rules] left in my modsec2.conf or modsec2.user.conf. That's easy enough for me to make sure that doesn't exist.

However, I think there needs to be a way for me to guarantee that what IS in the modsec2.conf and modsec2.user.conf is exactly what cpanel would put in there if (a) this was a brand new machine and (b) I had never previously installed modsecurity via EA and attempted to activate it.

If I just remove all existing content from modsec2.conf, modsec2.user.conf and modsec2.cpanel.conf, Apache will run fine but there will certainly be no rules [not even basic rules] active. And that is why I need to know what should be contained in those files.

None of my machines are brand new deploys, and all of my machines are currently configured to use Atomicorp rules with configurations specifically suggested by Atomicorp. So before I attempt to switch to using the most basic of modsecurity [as provided solely by cPanel], I need to know what cpanel would have put in the modsec2.conf, modsec2.user.conf and modsec2.cpanel.conf of a newly installed server. [this is why I say that cPanel should have an option in the interface to restore to a completely default stock modsecurity configuration]

> 2. As far as the "Rule processing failed" messages, are those the only messages you see in /usr/local/apache/logs/error_log when this happens? Is Mod_Ruid2 enabled?

No, I certainly see items in the logfile that would suggest that rules are being triggered and bad things are being blocked. But along with those "normal" entries I see the "Rule Processing failed" lines.

No, not mod_ruid2. I'm running CL6, AP 2.4.12, PHP 5.3.47, suPHP on this particular machine that I was testing with.

Mike
 

Infopro (Well-Known Member, joined May 20, 2003; cPanel Access Level: Root Administrator)
> I need to know what cpanel would have put in the modsec2.conf,

Include "/usr/local/apache/conf/modsec2.cpanel.conf"

> modsec2.user.conf

Nothing, I don't think.

> and modsec2.cpanel.conf of a newly installed server.

If new Vendor Rules are installed but disabled:

Code:
################################################################
## This file is automatically generated from the data kept in ##
## /var/cpanel/modsec_cpanel_conf_datastore.                  ##
##                                                            ##
## Manual changes made directly here will be lost when the    ##
## file is regenerated.                                       ##
################################################################

##
## ModSecurity fixed global configuration directives
##

SecDataDir "/var/cpanel/secdatadir"

##
## ModSecurity manageable global configuration directives
##

SecAuditEngine "RelevantOnly"
SecConnEngine "On"
SecRuleEngine "On"

##
## ModSecurity configuration file includes:
##

## This area is populated with Includes if Rules are enabled.

##
## ModSecurity disabled rules:
##

Whenever you enable or disable the "Vendor Rulesets", the Includes are added to or removed from that file.

> [this is why I say that cPanel should have an option in the interface to restore to a completely default stock modsecurity configuration]

In WHM » Security Center » Manage Vendors, you can choose to delete the Vendor Rules. Once it's been deleted, it will show up again, but now showing as not installed.
 

kjg (Well-Known Member, joined Mar 2, 2004)
Have the same problems with "Rule processing failed".
Thousands of instances in apache error_log on each server since activating OWASP rules.
ex:
[Thu Feb 05 15:35:46 2015] [error] [client xx.xx.xx.xx] ModSecurity: Rule processing failed. [hostname "www.domain.com"] [uri "/robots.txt"] [unique_id "VNN-wlETsmIADEpzSoAAAAO"]
[Thu Feb 05 15:35:46 2015] [error] [client yy.yy.yy.yy] ModSecurity: Rule processing failed. [hostname "www.anotherdomain.com"] [uri "/index.php"] [unique_id "VNN-wlETsmIADEpxCAAAAAB"]

The uri shows all kind of files (txt, jpg, php etc etc)

When checking in the modsec database, they do not show up there. Searching for the IPs that are in the error_log gives no result.

The same issue on 5 different servers where we have tested the new modsec in 11.48

When checking the IPs in the rows, I see that lots of them are bots (googlebot, msn, ahref, etc).

Any ideas how to stop this behaviour?
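The "Rule processing failed" lines that Mike, Filou and kjg report carry a hostname, a URI and a client IP but no rule id, so the quickest first triage is to count them per site/URI and per client and see whether they cluster on particular file types or on crawlers, as kjg observed. The sh functions below do that over an Apache error_log. They are an added example, not cPanel's or ModSecurity's own tooling; the sample log lines (hostnames, IPs, unique_ids) are constructed placeholders, and the functions accept both the Apache 2.2 line format ("[error] [client IP]") and the Apache 2.4 format ("[:error] [pid N] [client IP]") seen in this thread.

```shell
# Added example: triage "ModSecurity: Rule processing failed" entries in an
# Apache error_log by hostname+URI and by client IP. Not cPanel tooling.

# Constructed sample log (placeholder hosts/IPs/ids). On a live server you
# would pass /usr/local/apache/logs/error_log to the functions instead.
SAMPLE_LOG="${TMPDIR:-/tmp}/modsec_failures_sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Wed Feb 04 00:47:42.437126 2015] [:error] [pid 3560] [client 198.51.100.17] ModSecurity: Rule processing failed. [hostname "example.com"] [uri "/robots.txt"] [unique_id "CONSTRUCTED0001"]
[Thu Feb 05 15:35:46 2015] [error] [client 203.0.113.5] ModSecurity: Rule processing failed. [hostname "www.example.net"] [uri "/robots.txt"] [unique_id "CONSTRUCTED0002"]
[Thu Feb 05 15:35:46 2015] [error] [client 203.0.113.5] ModSecurity: Rule processing failed. [hostname "www.example.net"] [uri "/index.php"] [unique_id "CONSTRUCTED0003"]
[Thu Feb 05 15:35:47 2015] [error] [client 198.51.100.17] ModSecurity: Rule processing failed. [hostname "example.com"] [uri "/robots.txt"] [unique_id "CONSTRUCTED0004"]
[Thu Feb 05 15:35:48 2015] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). [id "950901"] [hostname "example.com"] [uri "/index.php"]
EOF

# failures_by_uri LOGFILE
# Prints "COUNT HOSTNAME URI" per distinct hostname/URI pair, most frequent
# first. Only "Rule processing failed" lines are counted; normal rule hits
# (e.g. "Access denied with code 403") are ignored.
failures_by_uri() {
    grep 'ModSecurity: Rule processing failed' "$1" |
    sed -n 's/.*\[hostname "\([^"]*\)"\] \[uri "\([^"]*\)"\].*/\1 \2/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# failures_by_client LOGFILE
# Prints "COUNT CLIENT_IP" per client, most frequent first. The [client ...]
# field is read up to the closing bracket or a ":port" suffix, so it works
# for both the 2.2 and 2.4 log formats.
failures_by_client() {
    grep 'ModSecurity: Rule processing failed' "$1" |
    sed -n 's/.*\[client \([^]:]*\)[]:].*/\1/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# failure_total LOGFILE
# Total number of failure lines, handy for comparing servers side by side.
failure_total() {
    grep -c 'ModSecurity: Rule processing failed' "$1"
}

echo "== failures by hostname/uri =="; failures_by_uri "$SAMPLE_LOG"
echo "== failures by client =="; failures_by_client "$SAMPLE_LOG"
echo "== total =="; failure_total "$SAMPLE_LOG"
```

The client IPs listed by failures_by_client are the ones to look up in the ModSecurity hits database or to check against known crawler ranges; a high count for robots.txt and static files from crawler addresses supports kjg's reading that the failures are tied to bot traffic rather than to a specific attack pattern.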
 

Brian (Well-Known Member, joined Dec 1, 2010; cPanel Access Level: Root Administrator)
> 1. When upgrading to 11.48, will the update blow away an existing ModSecurity setup?
>
> 2. In 11.48, is there a "restore ModSecurity to stock/default" ?

From 11.46 and forward, there are two files that should never be manually edited or otherwise have customizations put in them:

modsec2.conf
modsec2.cpanel.conf

Both of those files are "managed" by cPanel & WHM and you're at risk of your customizations being blown away when they're regenerated/managed by cPanel & WHM be it through update processes or if a user makes changes through WHM.

The only file that supports customization is:

modsec2.user.conf

Please put all customizations in that file. It will never be modified by cPanel & WHM automatically. The only way this file sees changes are if (1) you manually do it, or (2) you manually use the custom rule editor in WHM to make a change to a rule in that file.

With regard to stock/default, kind of in line with the above, the only file you'd have to empty out is modsec2.user.conf. Doing so would put the custom rules back to stock (empty). The other files cPanel & WHM relies upon would be forcibly set as needed (modsec2.cpanel.conf and modsec2.conf) when running a cPanel update or using the ModSecurity Configuration/Tools feature in WHM.
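cPanelMichael suggests copying the Mod_Security configuration files via the command line before the upgrade, and Brian explains which of those files cPanel & WHM regenerates. The POSIX sh helper below snapshots the four files named in this thread and, after the upgrade or a WHM regeneration, reports which ones changed. It is an added example, not a cPanel-provided tool; the /usr/local/apache/conf path comes from the Include line quoted earlier in the thread, and the backup location is an assumption.

```shell
# Added example: back up the ModSecurity config files before an upgrade and
# report which ones were changed or removed afterwards. Not cPanel tooling.
# The four file names are the ones discussed in this thread.
MODSEC_FILES="modsec2.conf modsec2.cpanel.conf modsec2.user.conf modsec2.whitelist.conf"

# backup_modsec SRC_DIR DEST_DIR
# Copies each ModSecurity file that exists in SRC_DIR into DEST_DIR,
# preserving mode and mtime, and prints how many files were copied.
backup_modsec() {
    src="$1"; dest="$2"; copied=0
    mkdir -p "$dest" || return 1
    for f in $MODSEC_FILES; do
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$dest/$f" || return 1
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# changed_modsec SRC_DIR BACKUP_DIR
# Prints the name of every backed-up file whose live copy now differs, with
# "(missing)" appended if it is gone. Prints nothing when all are identical.
changed_modsec() {
    src="$1"; backup="$2"
    for f in $MODSEC_FILES; do
        [ -f "$backup/$f" ] || continue
        if [ ! -f "$src/$f" ]; then
            echo "$f (missing)"
        elif ! cmp -s "$backup/$f" "$src/$f"; then
            echo "$f"
        fi
    done
}

# Typical use on the server (backup directory is an assumed location):
#   backup_modsec /usr/local/apache/conf /root/modsec-backup-$(date +%F)
#   ... run the 11.48 upgrade or change vendor rules in WHM ...
#   changed_modsec /usr/local/apache/conf /root/modsec-backup-2015-02-05
```

Expect modsec2.conf and modsec2.cpanel.conf to show up as changed after an update or a vendor-rule change, since those are the managed files; modsec2.user.conf appearing in the list would mean something other than cPanel touched your custom rules.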
 

sonicthoughts (Well-Known Member, joined Apr 4, 2011)
> From 11.46 and forward, there are two files that should never be manually edited or otherwise have customizations put in them:
>
> modsec2.conf
> modsec2.cpanel.conf
>
> Both of those files are "managed" by cPanel & WHM and you're at risk of your customizations being blown away when they're regenerated/managed by cPanel & WHM be it through update processes or if a user makes changes through WHM.
>
> The only file that supports customization is:
>
> modsec2.user.conf
>
> Please put all customizations in that file. It will never be modified by cPanel & WHM automatically. The only way this file sees changes are if (1) you manually do it, or (2) you manually use the custom rule editor in WHM to make a change to a rule in that file.
>
> With regard to stock/default, kind of in line with the above, the only file you'd have to empty out is modsec2.user.conf. Doing so would put the custom rules back to stock (empty). The other files cPanel & WHM relies upon would be forcibly set as needed (modsec2.cpanel.conf and modsec2.conf) when running a cPanel update or using the ModSecurity Configuration/Tools feature in WHM.

Will existing rules conflict or duplicate? What is the default modsec2.conf / modsec2.user.conf? I also have modsec2.whitelist.conf - is that still being used (I believe it is called from the modsec2.user.conf file)?

I see some defaults here: /home/cpeasyapache/src/modsec2.user.conf.default - please invest in documentation and clarification of this - the update screen does not mention the need to make all these changes.
 

filoucp (Member, joined Aug 28, 2005)
> Have the same problems with "Rule processing failed".
> Thousands of instances in apache error_log on each server since activating OWASP rules.
> ex:
> [Thu Feb 05 15:35:46 2015] [error] [client xx.xx.xx.xx] ModSecurity: Rule processing failed. [hostname "www.domain.com"] [uri "/robots.txt"] [unique_id "VNN-wlETsmIADEpzSoAAAAO"]
> [Thu Feb 05 15:35:46 2015] [error] [client yy.yy.yy.yy] ModSecurity: Rule processing failed. [hostname "www.anotherdomain.com"] [uri "/index.php"] [unique_id "VNN-wlETsmIADEpxCAAAAAB"]
>
> The uri shows all kind of files (txt, jpg, php etc etc)

Any update on this problem?

Filou
 

vgermovil (Registered, joined Feb 12, 2015; cPanel Access Level: Reseller Owner)
Yes to the last 2 questions.

I am using mod_ruid2 & owasp. What about redirection errors in wordpress or internal error 500 if I disable modsecurity?