Problem with ModSecurity Vendors

Motamedi

Hello,

This error is shown in ModSecurity when I enable or delete a vendor:

Error: The system experienced the following error when it attempted to remove the vendor COMODO ModSecurity LiteSpeed Rule Set: API failure: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd_ls_bak: Syntax error on line 259 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 27 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/configserver/00_configserver.conf: No such file or directory
And this error is shown when I add a new vendor:

Code:
Error: API failure: The system could not download the file “https://waf.comodo.com/doc/meta_comodo_litespeed.yaml” curl: (28) Resolving timed out after 1549399935847 milliseconds
How can I solve this problem?

thanks ...
 

cPanelLauren

Product Owner II
Staff member
Hello @Motamedi

It would seem you have the 3rd party Comodo WAF ruleset installed on the server, which is ultimately causing issues. I'd suggest removing the 3rd party plugin and then trying to rebuild + restart Apache.

In other instances we've seen removing the LiteSpeed/Comodo-related entries in the following file resolve the issue as well:
Code:
/etc/apache2/conf.d/modsec/modsec2.cpanel.conf
 

cPanelLauren

Product Owner II
Staff member
Hello @Motamedi

First I would attempt to disable/remove the plugin while the issue is occurring:

Log in to WHM>>Security Center>>ModSecurity Vendors and disable or delete the Comodo vendor there.

Then let us know if the issue persists.


Thanks!
 

Motamedi

I deleted the Comodo vendor, but I cannot add it again.

This error is shown when I add the vendor:

Error: API failure: The system could not download the file “Free ModSecurity Rules from Comodo: curl: (28) Resolving timed out after 1549363132798 milliseconds
How can I solve the problem?
Can I add it again?

thanks
 

cPanelLauren

Product Owner II
Staff member
Hello,

First I'd ensure that you can restart Apache successfully.

Secondly, the error you're getting would suggest a connection issue with Comodo WAF and until that is resolved you won't be able to utilize their ruleset. To troubleshoot that you'd need to contact them directly.
 

Motamedi

Unfortunately, after a few days, my problem is still not resolved.
I entered this command in SSH and it shows this error:


Code:
-bash-4.2# /usr/local/cpanel/scripts/modsec_vendor add https://waf.comodo.com/doc/meta_comodo_litespeed.yaml
warn [modsec_vendor] The system could not add the vendor: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd_ls_bak: Syntax error on line 259 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/comodo_litespeed/05_Global_Exceptions.conf: No such file or directory


info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
warn [modsec_vendor] The system could not uninstall the vendor: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd_ls_bak: Syntax error on line 259 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 27 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/configserver/00_configserver.conf: No such file or directory


warn [modsec_vendor] The system failed to add the vendor from the URL “Free ModSecurity Rules from Comodo: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd_ls_bak: Syntax error on line 259 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/comodo_litespeed/05_Global_Exceptions.conf: No such file or directory

-bash-4.2#
How can I solve the problem?

thanks
 

fuzzylogic

Reading the warnings you got when you tried to add the vendor meta_comodo_litespeed.yaml, it appears you have two vendor rulesets partially deleted.

It seems the first issue happened with the CXS rule, where the .conf file was deleted but the Include to it was not deleted.
Secondary to this, a LiteSpeed .conf was deleted but the Include to it was not.

When you add/remove a modsec vendor or enable/disable a modsec ruleset, Apache's
/etc/apache2/conf/httpd.conf
is rebuilt using the newly edited modsec files.
In your case this rebuild process is failing because of the Includes to missing files in
/etc/apache2/conf.d/modsec/modsec2.cpanel.conf

To test the rebuild process run the command (do it now so you can compare the output later)...
/scripts/rebuildhttpdconf
It should produce errors similar to the ones you posted earlier.

Now you need to edit
/etc/apache2/conf.d/modsec/modsec2.cpanel.conf
If you do not know how to open, edit and save files on the command line, then the ConfigServer ModSecurity Control plugin can provide a GUI to edit this file.
You need to remove all lines in that file which have an Include to a .conf file.
Then save the file.
This should fix the missing file errors and allow httpd.conf to rebuild.
Run
/scripts/rebuildhttpdconf
to see if you now have success.
If you have success, I would now restart Apache...
/usr/local/cpanel/scripts/restartsrv_httpd

If you have success with restarting Apache, move on to the WHM » Security Center » ModSecurity™ Vendors » Manage Vendors interface.
Delete the vendor ConfigServer
Delete the vendor Comodo

If successful, move on to add
https://waf.comodo.com/doc/meta_comodo_litespeed.yaml
using the WHM interface or with the SSH command you ran in the other post.

Go to the CXS interface and enable ModSecurity integration to restore its functionality.
Go back to the WHM » Security Center » ModSecurity™ Vendors » Manage Vendors interface to ensure the CXS rule is installed and enabled.
 
Reactions: netluxe and Infopro
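
Added example (not part of the thread and not cPanel code): a script that narrows the manual edit described in the post above. Instead of removing every Include line, it lists only the Include lines whose target file is missing and writes a copy of the config with just those commented out. It assumes absolute, space-free paths without wildcards; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not cPanel code); function names and sample data are illustrative.

# Print "LINE<TAB>PATH" for each Include in config $1 whose target is missing.
find_dangling_includes() {
    awk '
        /^[ \t]*#/ { next }                     # skip commented-out lines
        tolower($1) == "include" && NF >= 2 {   # directive names ignore case
            p = $2; gsub(/"/, "", p); print NR "\t" p
        }' "$1" |
    while IFS="$(printf '\t')" read -r n p; do
        case $p in
            /*[*?]*) continue ;;   # wildcard pattern: not evaluated here
            /*) ;;                 # absolute path: tested below
            *) continue ;;         # relative to ServerRoot: not handled
        esac
        [ -e "$p" ] || printf '%s\t%s\n' "$n" "$p"
    done
}

# Write a copy of $1 to $2 with only the dangling Includes commented out,
# leaving the original untouched so the change can be diffed before use.
comment_out_dangling() {
    bad=$(find_dangling_includes "$1" | cut -f1 | tr '\n' ' ')
    awk -v bad=" $bad" '
        index(bad, " " NR " ") { print "# dangling: " $0; next }
        { print }' "$1" > "$2"
}

# Constructed sample: one Include that resolves and two that do not.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/vendor_ok"
    : > "$d/vendor_ok/01_rules.conf"
    cat > "$d/modsec2.sample.conf" <<EOF
# constructed sample modelled on the Include errors in this thread
Include "$d/vendor_ok/01_rules.conf"
Include "$d/configserver/00_configserver.conf"
SecRuleEngine On
Include "$d/comodo_litespeed/05_Global_Exceptions.conf"
EOF
    printf '%s\n' "$d"
}

if [ "$#" -ge 1 ]; then
    find_dangling_includes "$1"     # path of the config file to check
else
    d=$(make_sample); find_dangling_includes "$d/modsec2.sample.conf"; rm -rf "$d"
fi
```

Run it with the config file path as its first argument; with no argument it runs against the constructed sample and prints lines 3 and 5 as dangling.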

ipsonuser

Dear fuzzylogic,
Thank you very much for the detailed reply.
I simply updated WHM and cPanel on CentOS 7.9.
We don't use any customization and no unique mods, no unique custom vendor WAFs, absolutely nothing like this, just out-of-the-box cPanel.
After the update we lost the httpd service.
Thanks to you, I was able to edit /etc/apache2/conf.d/modsec/modsec2.cpanel.conf and delete .conf files for any mods that are included that were never on this server, and httpd is now running.

I am baffled how cPanel could not get their sh*t together and have that fixed as part of their procedures. I am certain this affects a lot of people and nobody does any update.

Once again, thank you very much.
 

cPRex

Jurassic Moderator
Staff member
@ipsonuser - most of the data in this thread is over two years old and related to non-standard rulesets. If you're seeing problems with the default OWASP rules on the server after an update, it would be best to create a ticket with our team so we can look into that, as the issues from two years ago presented here are almost certainly not related.
 