The Community Forums


ModSecurity

Discussion in 'Security' started by popeye, Jun 7, 2013.

  1. popeye

    popeye Well-Known Member

    Joined:
    May 23, 2013
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Hi, I am having lots of problems with people getting blocked visiting customers' sites.

    One of my customers had her friends go and look at her site, and when they tried to change the currency it blocked them.

    ModSecurity: Access denied with code 406

    In ModSecurity I have a few blocked with reasons like those below:

    /catalog/view/javascript/jquery/ui/external/jquery.cookie.js HTTP/1.1

    /cart.php?a=byroe&templatefile=../../../configuration.php%00 HTTP/1.1


    Audit log: Failed to lock global mutex: Permission denied


    Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]


    I just read some info that says ModSecurity is not fully compatible with mod_ruid2, and I have both installed. Would it be best to take ModSecurity off?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The "Access Denied" error indicates one of the Mod_Security rules is being hit. You could disable this specific rule globally if you find it's causing problems for your accounts.

    As for using Mod_Security and Mod_Ruid2, this is documented:

    Under heavy load, an AcceptMutex can be held by another UID. This causes ModSecurity to fail and exit, which then causes Apache to crash. We are aware of this issue and are working on a solution. In the meantime, do not use ModSecurity with mod_ruid2.

    You can find more information on Mod_Ruid2 incompatibilities at:

    Apache Module: Ruid2

    Thank you.
     
  3. popeye

    popeye Well-Known Member

    Hi, I have taken Mod_Security off and just have mod_ruid2 installed, because it says it's not compatible.
     
  4. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    I would suggest you keep your mod_security enabled, as disabling it can be a major loophole in server security.

    If you need to, I would suggest you set up your server with suEXEC and suPHP, as this will fulfill the need for mod_ruid2.
     
  5. popeye

    popeye Well-Known Member

    Hi, I have now installed ModSecurity again, but when I click Default Configuration it blocks visitors to my customers' sites.

    I have been looking around the web and can't find out how to sort it out, and my brain cells are starting to curl over and die.

    I did read that you can set up and install rules and updates from owasp.org, but I can't find any instructions on how to do this. Could someone please help me?
     
    #5 popeye, Jun 11, 2013
    Last edited: Jun 11, 2013
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You can check the Apache error log to see which specific rule is blocking access attempts. Then, you can comment out that rule directly in the referenced Mod_Security configuration file.

    Or, to disable Mod_Security for a specific domain name, you can add the following entry to the domain name's VirtualHost:

    Code:
    <IfModule mod_security2.c>
    SecRuleEngine Off
    </IfModule>
    
    To disable a single rule on a single domain name:
    Code:
    <IfModule mod_security2.c>
    SecRuleRemoveById 981173
    </IfModule>
    The following guide provides information on how to include such entries into a domain name's VirtualHost:

    Changes Contained Within a VirtualHost Directive

    Thank you.
     
  7. popeye

    popeye Well-Known Member

    It only does it when I use the Default Configuration; if I click No Configuration it's all fine. The error is below.

    So do I need to edit something in the Default Configuration? If I do, can you tell me where to find the file as root instead of doing it inside WHM, please?

    Also, I was told you have to add new rules all the time as they come out. Do I just add them to this file? Sorry for all the questions, but I am learning all this for the first time.

    [Tue Jun 11 10:20:01 2013] [error] [client 888.999.228.101] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.domain.com"] [uri "/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UbbrwU6B6FoAAAddCKAAAAAE"]
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You will need to edit the following file directly using the editor of your choice on the command line (e.g. vi, nano):

    Code:
    /usr/local/apache/conf/modsec2.user.conf
    Browse to line 118 (that's what is listed in the error you provided) and remove the "SecRule" and "SecAction" entries for the specific rule. Then, save the file and run the following command to ensure you removed the rules properly:

    Code:
    # /scripts/rebuildhttpdconf
    Thank you.
     
  9. popeye

    popeye Well-Known Member

    Hi, there is nothing in modsec2.user.conf? It's just empty.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    It should be populated with rules based on the error message you provided here. It would be empty if you have reset the rules to "No Configuration" in the Mod Security plugin page within WHM.

    Thank you.
     
  11. popeye

    popeye Well-Known Member

    Yes, sorry, I had it set to No Configuration. I have this file open now but I'm not 100% sure what to do. I think it's in this XSS section below, so do I remove all the text from under #XSS? Can I PM you what it says please, to make sure?

    # XSS
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You can simply remove the "SecRule" and "SecAction" entries for the specific rule referenced in the error message from the Apache error log.

    Thank you.
     
  13. popeye

    popeye Well-Known Member

    OK, just to make sure, because I don't want to do it wrong: I remove only this SecAction & SecRule and leave all the other text there?
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You can backup the file before making changes:

    Code:
    # cp -a /usr/local/apache/conf/modsec2.user.conf /usr/local/apache/conf/modsec2.user.conf.backup
    Then, if you see a failure when rebuilding the Apache configuration file, just move the backed up file back into place.

    Thank you.
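    The procedure in the replies above (back up modsec2.user.conf, delete the SecRule/SecAction carrying the rule id, rebuild the Apache configuration), written out as an added example that is not part of the original thread or of cPanel's tooling. It exists mainly to show the one trap in doing this by hand: ModSecurity rules can span several backslash-continued lines, and in a chained rule only the first SecRule carries the id, so deleting just "the line with the id" leaves dangling chained rules that ModSecurity 2.7 and newer reject at load time. SAMPLE_CONF is constructed: it reuses the two rule ids quoted in the thread with shortened patterns, plus a made-up chain with id 9000001; the backup suffix and the temp-dir demo are likewise this example's own choices.

```python
"""
Remove one ModSecurity rule, by id, from a rules file such as
/usr/local/apache/conf/modsec2.user.conf: back the file up, join
backslash-continued lines into whole directives, drop the SecRule/SecAction
carrying the id together with any rules chained to it, and leave every other
byte alone. Added example for this thread; not cPanel code. SAMPLE_CONF is
constructed (rule ids from the thread, patterns shortened, chain id 9000001
made up).
"""
import os
import re
import shutil
import tempfile
from datetime import datetime

SAMPLE_CONF = r'''# XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:iframe\b.{0,100}?\bsrc|\.cookie)\b)" \
    "phase:2,deny,status:406,id:1234123404,msg:'Cross-site Scripting (XSS) Attack',severity:'2',tag:'WEB_ATTACK/XSS'"

# Method policy
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
    "phase:2,deny,status:501,id:1234123435,msg:'Method is not allowed by policy',severity:'2',tag:'POLICY/METHOD_NOT_ALLOWED'"

# Constructed two-rule chain: only the first SecRule carries the id
SecRule REQUEST_URI "/cart\.php" "phase:2,chain,deny,status:406,id:9000001,msg:'constructed chained rule'"
    SecRule ARGS:templatefile "\.\./"
'''

QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # double-quoted operands/actions, escapes allowed
ID_RE = re.compile(r"(?:^|,)\s*id:'?(\d+)'?")
CHAIN_RE = re.compile(r"(?:^|,)\s*chain\s*(?:,|$)")


def split_directives(text):
    """Yield logical lines: a directive plus its backslash-continued lines, or a
    comment/blank line. Joining the results with '\\n' reproduces the input."""
    lines = text.split('\n')
    i = 0
    while i < len(lines):
        start = i
        while lines[i].rstrip().endswith('\\') and i + 1 < len(lines):
            i += 1
        yield '\n'.join(lines[start:i + 1])
        i += 1


def actions_of(directive):
    """The last double-quoted string: the ACTIONS of a SecRule/SecAction. A chained
    SecRule may have none, in which case this is its operator, which has no id/chain."""
    parts = QUOTED_RE.findall(directive)
    return parts[-1] if parts else ''


def remove_rule(text, rule_id):
    """Return (new_text, removed_directives). Deletes the rule with this id and, if
    its actions include 'chain', the SecRule lines chained after it, because those
    carry no id of their own and would be left dangling."""
    keep, removed, in_chain = [], 0, False
    for d in split_directives(text):
        word = d.split(None, 1)[0] if d.strip() else ''
        is_rule = word in ('SecRule', 'SecAction')
        if in_chain:
            if is_rule:                      # next link of the chain being deleted
                removed += 1
                in_chain = bool(CHAIN_RE.search(actions_of(d)))
                continue
            keep.append(d)                   # comment/blank inside a chain: keep it
            continue
        m = ID_RE.search(actions_of(d)) if is_rule else None
        if m and m.group(1) == str(rule_id):
            removed += 1
            in_chain = bool(CHAIN_RE.search(actions_of(d)))
            continue
        keep.append(d)
    return '\n'.join(keep), removed


def remove_rule_from_file(path, rule_id):
    """Back up the file (like `cp -a`), rewrite it without the rule, and return
    (removed_count, backup_path). /scripts/rebuildhttpdconf and an Apache restart
    are still needed afterwards; this function does not run them."""
    backup = f'{path}.backup-{datetime.now():%Y%m%d%H%M%S}'
    shutil.copy2(path, backup)
    with open(path, encoding='utf-8') as f:
        new_text, n = remove_rule(f.read(), rule_id)
    if n:
        with open(path, 'w', encoding='utf-8') as f:
            f.write(new_text)
    return n, backup


def demo(rule_id=1234123404):
    """Run the whole procedure against a copy of SAMPLE_CONF in a temp dir and
    return (removed_count, resulting_text, backup_exists)."""
    path = os.path.join(tempfile.mkdtemp(), 'modsec2.user.conf')
    with open(path, 'w', encoding='utf-8') as f:
        f.write(SAMPLE_CONF)
    n, backup = remove_rule_from_file(path, rule_id)
    with open(path, encoding='utf-8') as f:
        return n, f.read(), os.path.exists(backup)


if __name__ == '__main__':
    n, text, _ = demo()
    print(f'removed {n} directive(s); resulting file:\n{text}')
```

    Removing the rule from the file is global for every site on the server. Where only one domain is affected, the per-VirtualHost SecRuleRemoveById include from the earlier reply is the narrower fix and survives a later reset of the WHM rule set, which rewrites modsec2.user.conf.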
     
  15. popeye

    popeye Well-Known Member

    Just tested it and it banned my IP again. I must be doing it wrong.
     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Did you see the exact same error in the Apache error log, or was there a different rule/line number referenced? Are you sure you restarted Apache (or rebuilt the Apache configuration file) after the last edit you made?

    Thank you.
     
  17. popeye

    popeye Well-Known Member

    I have not looked in the Apache error log, since the last time I looked it was full of all sorts, and none of it made any sense.
    I am starting to give in now, to be honest. I wish I had not taken a 3-year contract out on my own server.
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You could use the following command:

    Code:
    # tail -f /usr/local/apache/logs/error_log
    Then, watch the output as you browse the website and the specific error should appear. It will detail the line number and rule number so you can see if it's the same rule or a new one that you are hitting.

    Thank you.
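    The triage step described in the reply above (watch the error_log, read off the rule id, file and line) and the per-domain exclusion from the earlier reply (SecRuleEngine Off / SecRuleRemoveById in the VirtualHost include), combined into one added example that is not part of the thread or of cPanel's tools. It parses the "Access denied" lines, groups them by rule id, and flags the pattern visible in the error pasted earlier: the XSS rule fired "at REQUEST_FILENAME" with data ".cookie" on the static file jquery.cookie.js, i.e. on the file name, not on anything a user sent. For such a hit the example drafts a narrower exclusion than removing the rule, SecRuleUpdateTargetById, which keeps the rule but stops it inspecting REQUEST_FILENAME (this directive needs ModSecurity 2.6 or newer). SAMPLE_LOG is constructed from the entries quoted in the thread, with the patterns shortened and a hostname/uri added to the 501 entry; the account name 'cpuser' and the /usr/local/apache/conf/userdata/{std,ssl}/2/<user>/<domain>/ include layout are assumptions for this example.

```python
"""
Triage ModSecurity 2.x "Access denied" entries from the Apache error_log (what
`tail -f /usr/local/apache/logs/error_log` prints) and draft a per-domain
exclusion for the rule that fired. Added example for this thread; not cPanel's
or ModSecurity's own code. SAMPLE_LOG is constructed from the entries quoted
in the thread: patterns shortened, anonymised client IP kept, hostname/uri
added to the 501 entry.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r'''
[Tue Jun 11 10:20:01 2013] [error] [client 888.999.228.101] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:iframe\\b.{0,100}?\\bsrc|\\.cookie)\\b)" at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.domain.com"] [uri "/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UbbrwU6B6FoAAAddCKAAAAAE"]
[Tue Jun 11 10:21:07 2013] [error] [client 888.999.228.101] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.domain.com"] [uri "/index.php"] [unique_id "UbbrwU6B6FoAAAddCKAAAAAF"]
[Tue Jun 11 10:22:30 2013] [error] [client 888.999.228.101] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:iframe\\b.{0,100}?\\bsrc|\\.cookie)\\b)" at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.domain.com"] [uri "/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UbbrwU6B6FoAAAddCKAAAAAG"]
[Tue Jun 11 10:23:00 2013] [error] [client 888.999.228.101] File does not exist: /home/cpuser/public_html/favicon.ico
'''

# Apache 2.2-style error_log prefix plus the ModSecurity denial text, up to the first [file "..."] field.
DENIED_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)\. '
    r'(?P<reason>.*?) (?=\[file ")'
)
FIELD_RE = re.compile(r'\[(?P<k>[a-z_]+) "(?P<v>[^"]*)"\]')   # every [key "value"] field

STATIC_EXT = ('.js', '.css', '.png', '.jpg', '.gif', '.ico', '.svg', '.woff')
USERDATA = '/usr/local/apache/conf/userdata'   # cPanel per-vhost include root (assumed layout)


def parse_denials(log_text):
    """One dict per 'Access denied' line; unrelated error_log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev.update((f.group('k'), f.group('v')) for f in FIELD_RE.finditer(line))
        events.append(ev)
    return events


def summarize(events):
    """Group denials by rule id: count, rule location, and the (host, uri, data) hits."""
    by_rule = defaultdict(lambda: {'count': 0, 'msg': '', 'file': '', 'line': '', 'hits': set()})
    for ev in events:
        r = by_rule[ev['id']]
        r['count'] += 1
        r['msg'], r['file'], r['line'] = ev.get('msg', ''), ev.get('file', ''), ev.get('line', '')
        r['hits'].add((ev.get('hostname', ''), ev.get('uri', ''), ev.get('data', '')))
    return dict(by_rule)


def looks_like_static_false_positive(ev):
    """True when the rule matched the request *file name* of a static asset, as the
    XSS rule in the thread did on jquery.cookie.js: nothing user-supplied was inspected."""
    return ('at REQUEST_FILENAME' in ev['reason']
            and ev.get('uri', '').lower().endswith(STATIC_EXT))


def exclusion_include(rule_id, narrow=False):
    """Per-vhost include text, as in the cPanel reply. narrow=True keeps the rule but
    stops it inspecting REQUEST_FILENAME (SecRuleUpdateTargetById, ModSecurity >= 2.6)
    instead of removing it outright."""
    body = (f'SecRuleUpdateTargetById {rule_id} !REQUEST_FILENAME' if narrow
            else f'SecRuleRemoveById {rule_id}')
    return f'<IfModule mod_security2.c>\n{body}\n</IfModule>\n'


def include_paths(user, domain):
    """Where cPanel reads custom directives for the plain and SSL vhosts (layout assumed)."""
    return [f'{USERDATA}/{proto}/2/{user}/{domain}/modsec.conf' for proto in ('std', 'ssl')]


def triage(log_text, cpanel_user):
    """Parse, summarise, flag probable false positives and draft the narrowest
    exclusion for each; returns (summary, drafts) so the result can be checked."""
    events = parse_denials(log_text)
    drafts = {}
    for ev in events:
        if looks_like_static_false_positive(ev):
            domain = re.sub(r'^www\.', '', ev.get('hostname', ''))
            drafts[ev['id']] = (include_paths(cpanel_user, domain),
                                exclusion_include(ev['id'], narrow=True))
    return summarize(events), drafts


if __name__ == '__main__':
    summary, drafts = triage(SAMPLE_LOG, 'cpuser')   # 'cpuser' is a hypothetical account name
    for rule_id, info in sorted(summary.items()):
        print(f"rule {rule_id} ({info['file']}:{info['line']}) x{info['count']}: {info['msg']}")
        for host, uri, data in sorted(info['hits']):
            print(f"    {host}{uri}  matched {data!r}")
    for rule_id, (paths, text) in drafts.items():
        print(f"\n# probable static-asset false positive, rule {rule_id}; write to:")
        for p in paths:
            print(f"#   {p}")
        print(text, end='')
    # then: /scripts/rebuildhttpdconf && service httpd restart
```

    The 501 on REQUEST_METHOD is deliberately not flagged: a request with a method outside GET/POST/OPTIONS/HEAD is a policy decision, not a static-file artefact, and deserves a look at what the client actually sent before any rule is relaxed.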
     
  19. popeye

    popeye Well-Known Member

    Hi, I put that command in and got this below. I have just installed ConfigServer ModSecurity Control - cmc v1.04.


    [Removed - Not Relevant]
     
  20. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I removed the output because it was not relevant to the error you have been receiving. The idea is to browse the website that gives you an error message related to Mod_Security so that you can paste the specific Mod_Security error from the Apache error log. Are you still getting blocked by Mod_Security rules?

    Thank you.
     