
New ModSecurity

Discussion in 'Security' started by k2tec, Oct 23, 2014.

  1. k2tec

    k2tec Well-Known Member

    The new integration of ModSecurity looks great, but I see that it is possible for each account to disable ModSecurity.
    Is it possible to disable this option in cPanel in WHM, so ModSecurity is not visible in cPanel?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Try here:
    WHM » Packages » Feature Manager

    Find and disable:
    Mod_Security™ Domain Manager
     
  3. k2tec

    k2tec Well-Known Member

  4. quizknows

    quizknows Well-Known Member

    I can just smell the hacked accounts increasing as people turn off modsec to avoid a simple whitelist or rule fix >_<

    At least it seems like the feature showcase gives you the option to not turn this on in the first place, at least on boxes doing updates.

    As a large cPanel hosting provider, we already manage modsec2.user.conf for our customers. Giving them an easy way to disable it will only flood our abuse desk with more hacked WordPress sites. Surely in a perfect world their passwords would be strong and plugins up to date, but we all know how often that's actually the case.

    If this feature must be available to end users in each cPanel account to entirely strip themselves of ModSecurity protections, there should at least be a warning about it. Something should pop up and ask if they're sure they want to entirely disable it. Running a PHP web application without a WAF is just begging for trouble nowadays.
     
    #4 quizknows, Oct 26, 2014
    Last edited: Oct 26, 2014
  5. Brian

    Brian Well-Known Member

    The ability to wholesale disable ModSecurity from the cPanel account interface on a per-domain basis was a highly requested feature for the product. However, like you, we recognize the implications of allowing this behavior. This is why the ModSecurity Domain Manager is disabled by default on all servers (both existing and new installs). The only way for the Domain Manager to show up for a user is if the server owner has explicitly enabled the Domain Manager feature when prompted for a decision via the Feature Showcase when updating, or by manually enabling it through the Feature Manager. If you are not seeing this behavior, please open a ticket so we can investigate via http://go.cpanel.net/supportrequest

    The expected use case for the Domain Manager would be for explicit customers who ask their provider for this ability where the server owner is comfortable with extending that ability to the end user (basically, not just enabling the feature server-wide). For instance, a customer who the server owner would rather have the ability to immediately gain relief from ModSecurity errors by temporarily disabling it and then contacting their provider to investigate the origin rule cause and fix the rule/assist in them adjusting their site to comply. But, yes, the security implications do resign this to a niche use. The customer demand for this particular functionality is what resulted in it being implemented.

    With regard to a more blatant warning/notice about the implications of disabling ModSecurity, we definitely have heard similar feedback on this from others as well and will be implementing such into a future release.
     
  6. durangod

    durangod Well-Known Member

    So the recommended setting is [ off ] for this?
     
  7. mtindor

    mtindor Well-Known Member

    Although not directly related to the OP's original post, I have not updated any client boxes to 11.46 and do not plan to until I know positively that this is not going to break my existing Atomicorp rules configuration and updating. I run the Atomicorp rulesets on all servers that I maintain. I have no desire to ever disable modsecurity for a single user. And I have no desire to update to 11.46 and then find that none of my Atomic rules work / something breaks.

    There are specific entries in modsec2.user.conf on the machines that I maintain which should never be modified by cPanel. Can somebody from cPanel give me a clear indication as to whether I'm likely to see breakage with the update? The Atomicorp ruleset requires specific and considerable configuration over what cPanel originally provided. I don't want any of that configuration to be blown out / rendered nonfunctional after an update.

    cPanel folks -- any comment?

    Mike
     
  8. quizknows

    quizknows Well-Known Member

    cPanel isn't going to mess with your modsec2.user.conf unless you use the interface in WHM to add rules. The exclusions and other settings set via WHM go in modsec2.cpanel.conf, which is included after modsec2.user.conf in modsec2.conf. It hasn't broken my custom rule sets, which I set up in a similar way to Atomicorp (I update modsec2.user.conf using an RPM package).

    Thankfully, as long as you leave the modsec manager off in WHM feature manager, cPanel accounts won't get the option to disable modsec on their domains. I could not really advise anyone security conscious to allow their customers to disable modsec on their own domains.
     
  9. mtindor

    mtindor Well-Known Member

    Thanks, Quiz. I agree about the security aspect. I guess I might give 11.46 a try tonight on the box with the least number of squeaky wheels and see how it goes.

    M
     
  10. abdelhost77

    abdelhost77 Well-Known Member

    How do I disable/uninstall the new cPanel ModSecurity feature in 11.46?

    I don't find it in Tweak Settings.
     
  11. Brian

    Brian Well-Known Member

    The ModSecurity features introduced in 11.46 do not automatically change/add/delete anything within modsec2.user.conf. You should experience an uneventful upgrade with nothing in modsec2.user.conf being changed. As another user mentioned, anything in modsec2.user.conf is editable via this new feature. So, if you go to WHM you'll be able to edit/add/delete rules that exist within modsec2.user.conf. The only restriction that is enforced by us when using our tool to edit the conf is that we make sure ModSecurity itself reports back no syntax errors. That shouldn't be a problem for you, since if you had any syntax errors then Apache wouldn't be starting for you.

    The only change you'll see is that we've moved some of the global configs for ModSecurity (like turning the engine on/off) out of modsec2.conf to modsec2.cpanel.conf. But, even then, we'd be obeying existing settings that we had in modsec2.user.conf -- we just moved their location.

    With 11.46, the ModSecurity interface in WHM is now considered a core feature of the product which cannot be disabled/removed. The feature will only function, however, if you also have the actual mod_security Apache module installed through EasyApache. If you do not have this installed, clicking on the feature in WHM will alert you to this fact and instruct you on how to install it if you wish to use the feature.

    Disabling the ModSecurity Domain Manager in the cPanel interface (for enabling/disabling ModSecurity per-domain) is done through the Feature Manager in WHM, where you can enable/disable other similar features. Again, this only affects whether users see and are able to use the ModSecurity Domain Manager within their cPanel interface. Unless you had explicitly chosen to enable this feature in the Feature Showcase that popped up when upgrading to 11.46, the default configuration for this feature is already "disabled".
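
The posts above state that modsec2.conf includes modsec2.user.conf first and modsec2.cpanel.conf after it, and that global settings such as the engine on/off switch now live in modsec2.cpanel.conf. The following is an added example, not part of the original thread and not cPanel's code: it walks a constructed set of config files in read order and reports which SecRuleEngine setting takes effect and which earlier ones it overrides. The file contents and rule ID are constructed, and it assumes every setting sits in the same server-level context, where the last one read wins.

```python
# Constructed sample configs; only the three file names come from the thread.
FILES = {
    "modsec2.conf": 'Include "modsec2.user.conf"\nInclude "modsec2.cpanel.conf"\n',
    "modsec2.user.conf": (
        "# admin-maintained rules (constructed)\n"
        "SecRuleEngine DetectionOnly\n"
        'SecRule REQUEST_URI "@contains /xmlrpc.php" \\\n'
        '    "id:900001,phase:1,deny,status:403"\n'
    ),
    "modsec2.cpanel.conf": "secruleengine On\n",
}

def directives(name, files, stack=()):
    """Yield (file, line_no, directive, args) in the order the files are read."""
    if name in stack or name not in files:   # include loop, or file not supplied
        return
    pending, start = "", 0
    for no, raw in enumerate(files[name].splitlines(), 1):
        if not pending:
            start = no                       # first physical line of this directive
        pending += raw.rstrip()
        if pending.endswith("\\"):           # trailing backslash continues the line
            pending = pending[:-1] + " "
            continue
        line, pending = pending.strip(), ""
        if not line or line.startswith("#"):
            continue
        word, args = (line.split(None, 1) + [""])[:2]
        if word.lower() in ("include", "includeoptional"):
            yield from directives(args.strip('"'), files, stack + (name,))
        else:
            yield name, start, word, args

def audit(root, files):
    """Return (effective, overridden) SecRuleEngine settings as (file, line, value)."""
    trace = [(f, n, a) for f, n, d, a in directives(root, files)
             if d.lower() == "secruleengine"]  # directive names are case-insensitive
    return (trace[-1] if trace else None), trace[:-1]

if __name__ == "__main__":
    effective, overridden = audit("modsec2.conf", FILES)
    print("effective:", effective)
    for item in overridden:
        print("overridden earlier setting:", item)
```

To audit a real server, load the actual file contents into the `FILES` mapping keyed by the names used in the Include lines.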
     
  12. abdelhost77

    abdelhost77 Well-Known Member

    Thanks, Brian, for the feedback.

    You say

    "With 11.46, the ModSecurity interface in WHM is now considered a core feature of the product which cannot be disabled/removed"

    and at the same time, cPanel suggests during the upgrade to 11.46 that we choose whether we want to install the feature or not, so it means it is not really a core feature, as we have the choice to install it or not.

    So if we install it by mistake, there is no possibility to roll back to the default configuration where this feature is disabled?

    It is confusing.
     
  13. Brian

    Brian Well-Known Member

    When you are presented the Feature Showcase option during the upgrade to enable/disable the ModSecurity Domain Manager, it is not asking you whether to install it or not. It's already installed by the time it asks you what you want to do with it. It's just asking whether you want the feature enabled or disabled for your customers by default.

    Regardless of what option you choose, the feature is *already* installed by the time you see that choice. You are simply selecting whether it is disabled or enabled. It is always "installed" and it is not possible to prevent its install or otherwise uninstall it. This is just like any other core feature of cPanel & WHM. As of 11.46, we've introduced the ModSecurity UI as a core feature and no longer install it as a plugin like it has been in 11.44 and earlier. Note that this is just the user interface itself; the mod_security Apache module is still able to be included or excluded from Apache using the EasyApache interface in WHM.
     
  14. abdelhost77

    abdelhost77 Well-Known Member

    Ah OK, it makes sense now.

    It is clear, thank you :)
     
  15. sonicthoughts

    sonicthoughts Well-Known Member

    I have looked at the documentation for the UI and it seems sparse at best. For example, in the tool, if it shows a triggered rule it asks if I want to enable it. The checkbox appears, but it is not clear 1) if the user was actually blocked based on severity level or it is just notifying me and 2) if the rule is enabled already or if I want to actually enable it.

    Something this important should be properly documented.

    Thanks
     
  16. Kent Brockman

    Kent Brockman Well-Known Member

    Hi! I have a couple questions regarding this feat

    Ok. This is crystal clear.
    So, whether you decide to activate or not in the Showcase screen, you are allegedly able to check or uncheck this option in the Feature Manager under the option "ModSecurity Domain Manager". Well... I have WHM 11.44.1 (build 23) and there is no such option. I have ModSec already installed and being managed via ConfigServer ModSec plugin. Why may this option be absent?


    Question #2: If I prefer to manage rules using ConfigServer ModSec manager, which provides granular control over domains, subdomains and a robust rule editing, can you confirm it won't face any incompatibilities within what may be planned in the near future for this new feature? That plugin provides a very thorough and reliable UI to control almost any ModSec thing. I wouldn't like to be forced to uninstall it because of its methods being deprecated.

    Hope you can answer these ones. Thanks!!
     