ModSecurity: Rule processing failed.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,220
463
> I'm wondering about this too. Does anyone know how to disable the particular rule that is causing the "Rule processing failed" issue?

Just to clarify, do you experience this problem, and at the same time do not utilize Mod_Ruid2 or MPM-ITK?

Thank you.
 

Infopro

Well-Known Member
May 20, 2003
17,090
519
613
Pennsylvania
cPanel Access Level
Root Administrator
> I'm wondering about this too. Does anyone know how to disable the particular rule that is causing the "Rule processing failed" issue?

I've enabled all 21 sets of rules and disabled them one by one. I've disabled all 21 sets of rules and enabled them, one by one. Each step checking for that message in: /usr/local/apache/logs/modsec_audit.log and finding it.

cPanel + Cloud Linux Basic Profile - MPM Prefork

I'm unable to track this down.
 

sonicthoughts

Well-Known Member
Apr 4, 2011
61
3
58
Glad you see the impact of this (folks using modruid2 turning off modsecurity) but would appreciate a patch or workaround. I'm sure there is a pragmatic approach to resolving this.
 

cPanelMichael

This thread has been noted in internal case number 163393 to ensure our developers are aware of this thread.

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
I was tempted to disable Ruid2, but from advice given on here, I believe that I'm better off leaving Ruid2 running and putting up with the error logs for the time being.
 

verdon

Well-Known Member
Nov 1, 2003
921
12
168
Northern Ontario, Canada
cPanel Access Level
Root Administrator
> Just to clarify, do you experience this problem, and at the same time do not utilize Mod_Ruid2 or MPM-ITK?
>
> Thank you.

I am experiencing this problem with neither Mod_Ruid2 nor MPM-ITK nor mod_fcgid. I am using WHM 11.48.1 (build 2) and Apache 2.4.12 and PHP 5.4.38 (just ran EasyApache to be sure all was up to date with minor versions).

Any thoughts?
 

sonicthoughts

> This thread has been noted in internal case number 163393 to ensure our developers are aware of this thread.
>
> Thank you.

Just for clarification, when you say that there is an internal case and give us the number, is there a way that we can monitor the progress or ideally get some workaround or additional diagnostic? Still have all modsecurity turned off as to all the problems this has caused, but do not think that is an interim reasonable solution.

Tech support said that modsecurity problems were not part of cPanel support.

Kinda stuck here .... but waiting patiently... thanks.
 

jack01

Well-Known Member
Jul 21, 2004
200
0
166
> From googling it looks like a problem with the geo database?

Yes, I think so, because I disabled
Code:
rules/REQUEST-10-IP-REPUTATION.conf
and the errors stopped showing in the error log.

I am using suPHP (PHP Version 5.4.33), Apache/2.2.29
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
A buddy of mine says he drastically reduced (and possibly eliminated) these messages by disabling the rule that does the GeoIP lookup. Seems to be consistent with the post above.
 

cPanelMichael

> Just for clarification, when you say that there is an internal case and give us the number, is there a way that we can monitor the progress or ideally get some workaround or additional diagnostic? Still have all modsecurity turned off as to all the problems this has caused, but do not think that is an interim reasonable solution.

The internal case is not viewable to the public. It's provided as a reference so you can monitor our change log and determine when a resolution or change has been implemented. There's currently no update to this case, but I will update this thread with more information should it become available.

Thank you.
 

keat63

It does appear that disabling rule 900050 stops this error.
ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied.


I do have two others though, which I assumed were related, but now maybe not.

ModSecurity: Audit log: Failed to create subdirectories: /usr/local/apache/logs/modsec_audit/user/20150303/20150303-1848 (Read-only file system)

and

ModSecurity: collection_store: Failed to access DBM file /var/cpanel/secdatadir/ip
 

Solokron

Well-Known Member
Aug 8, 2003
852
2
168
Seattle
cPanel Access Level
DataCenter Provider
Two years later and we are still seeing this issue with modsecurity and ruid2? What a damn headache! Why has this not been corrected by anyone?
 

sonicthoughts

> Two years later and we are still seeing this issue with modsecurity and ruid2? What a damn headache! Why has this not been corrected by anyone?

I know cPanel has competing priorities, but after wasting hours on this (GeoIP rule didn't do it for me), placing a support ticket that said it was out of scope to config modsecurity and watching this thread, the tragedy is that people give up and leave modsec disabled. Including modsec seems to be a priority for cPanel, hope making it work (with common configs) is also a priority ....
 

cPanelMichael

Hello,

Much of the issue is related to limitations with Mod_Security itself with regard to shared storage and handlers like Mod_ruid2 and MPM-ITK. It's not something that cPanel can really solve, but that being said, the case is still open in order to find the best possible way to avoid these types of issues for customers.

Thank you.
 

Maarten de Boer

Registered
Apr 10, 2015
2
0
1
the Netherlands
cPanel Access Level
Root Administrator
Disabling rule 900050 does the trick. If you have a recent version of WHM, you can do so by searching for 900050 in the ModSecurity Tools page search bar.

If you can't find it or don't have a recent version, add this directive to your apache configuration:
SecRuleRemoveById 900050
 

freedomizer

Member
Nov 24, 2012
11
0
1
cPanel Access Level
Root Administrator
If there is no way to disable the rules that make mod_security access /var/cpanel/secdatadir/ip,

can we at least suppress the logging of the error:
ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied

This error is slowly taking out weeks or months of SSD life and is indeed logging excessively, causing lots of I/O overhead.
 

quizknows

/var/cpanel/secdatadir/ip is used for storing collections data. You would have to find the rule that uses the "initcol" function for "ip," and comment out the rule entirely so the collection is not made to begin with. This will obviously break any rules that need the collection data, but most webapp defence rules (aside from brute force) don't use collections much. If you are using the WHM vendor management for the automated rule updates, you would want to disable updates for the file that initiates the collections if you do this.
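
To locate the rule described in the post above, the following added example (not part of the original post and not cPanel's or ModSecurity's own tooling) scans a rules directory for directives containing `initcol:ip=`, joins backslash-continued lines so the rule ID is found even when it sits on a different line, and skips directives that are already commented out. The sample rule files and the IDs 990001-990003 are constructed for illustration; the function and variable names are hypothetical.

```shell
#!/bin/sh
# List ModSecurity directives that initialise the "ip" collection.
# Output format: file:first-line-of-directive:rule-id
find_initcol_ip_rules() {
    # $1 = directory holding rule files (*.conf), searched recursively
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            function report(    id) {
                # Skip commented-out directives; the action is matched case-insensitively.
                if (rec ~ /^[ \t]*#/ || tolower(rec) !~ /initcol:ip=/) return
                id = "unknown"
                if (match(rec, /id:[^0-9]?[0-9]+/)) {
                    id = substr(rec, RSTART, RLENGTH)
                    gsub(/[^0-9]/, "", id)
                }
                print file ":" start ":" id
            }
            {
                if (!cont) { start = NR; rec = "" }
                cont = ($0 ~ /\\[ \t]*$/)      # trailing backslash joins the next line
                if (cont) sub(/\\[ \t]*$/, "")
                rec = rec $0
                if (!cont) report()
            }
            END { if (cont) report() }
        ' "$f"
    done
}

make_sample_rules() {
    # Constructed sample rule files; IDs 990001-990003 are made up.
    d=$(mktemp -d) || return 1
    cat > "$d/10-setup.conf" <<'EOF'
# SecAction "id:990001,phase:1,nolog,pass,initcol:ip=%{remote_addr}"
SecAction \
  "id:'990002', \
  phase:1, nolog, pass, \
  initcol:ip=%{remote_addr}"
EOF
    cat > "$d/20-other.conf" <<'EOF'
SecRule REQUEST_URI "@contains /login" "id:990003,phase:2,pass,nolog,setvar:ip.hits=+1"
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample_rules)
find_initcol_ip_rules "$sample"
rm -rf "$sample"
```

Run `find_initcol_ip_rules` against the directory that holds your own rule files; once the rule has been commented out as described above, it no longer appears in the output, while rules that only read or write `ip.*` variables (like the constructed 990003) are the ones to review for breakage.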