Modsecurity Tools hitlist is empty / not working

menathor

Registered
Apr 5, 2016
3
0
1
Australia
cPanel Access Level
Website Owner
Hi guys

For some reason my WHM -> "Modsecurity Tools" hitlist is not working / always empty. I know modsecurity is working because hits are recorded correctly in /usr/local/apache/logs/modsec_audit.log. I don't run any WAF apps- all my rules are installed via WHM -> "Modsecurity Vendors". I've tried rules from multiple vendors and same result- they work, are logged in modsec_audit.log but the hitlist doesn't work.

Any ideas on how I could fix this?

Cheers!
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
7,904
625
263
Houston
cPanel Access Level
DataCenter Provider
Hello @menathor

This could caused by a few things. If you're able to access the server via CLI can you please run the following and provide me with the output?

Code:
grep skipmodseclog /var/cpanel/cpanel.config
Code:
grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5
Where is the Audit log being output to (i.e. where are you finding it)

Is there data in /usr/local/apache/conf/modsec2.user.conf
 

dstana

Well-Known Member
Jul 6, 2016
73
8
8
Phoenix, AZ
cPanel Access Level
Root Administrator
I'm having this same problem and I can provide outputs from those:

Code:
grep skipmodseclog /var/cpanel/cpanel.config

skipmodseclog=0


grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5

[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] /etc/apache2/logs/modsec_audit.log opened with inode 1561
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log (size:0) to 0 (requested 0)
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Caught up /etc/apache2/logs/modsec_audit.log to 0
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Restoring /etc/apache2/logs/modsec_audit.log to catch up position 0
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log to position 0
And for me, /usr/local/apache/conf/modsec2.user.conf doesn't exist.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
7,904
625
263
Houston
cPanel Access Level
DataCenter Provider
Hi @dstana


This shows that your modsec_audit.log has nothing in it which is why you wouldn't see any hits. Do you have any rulesets besides the OWASP ruleset that comes default? Have you made customizations to the configuration? Based on what you provided the modsec_audit log is enabled and empty since this populates the hits list it may be that you haven't had any matches.


Thanks!