Problem with new OWASP3 rules

joako

So basically it's broken and no way to fix?

Why do you ship this then? And please don't give the 3rd party excuse... after the last release of cPanel I get a big message that says:

OWASP has released version 3 of their Core Rule Set for ModSecurity™. This new version of the ruleset provides enhanced protection for a number of attacks on web servers. To install the new set of rules or upgrade from the older version, go to Home » Security Center » ModSecurity™ Vendors.


Why are you shipping these broken rules and saying they are a feature?
 

cPanelMichael

Administrator
Staff member
Hello,

Could you provide some more information about the specific error message or issue you are facing?

Thank you.
 

joako

Well, first, for a long time the default mod_security rules that ship with cPanel block internal cPanel queries:

960008: Request Missing a Host Header
Source 127.0.0.1
Request:
GET /whm-server-status
Action Description:
Warning.
Justification:
Operator EQ matched 0 at REQUEST_HEADERS.

Now it seems like when using EasyApache4 with defaultish settings (just adding some needed php modules) these errors are constantly shown in the error log:

[Wed Feb 08 07:19:47.368806 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]

[Wed Feb 08 07:19:47.614697 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]
 

cPanelMichael

Hello,

Here's a quote from our ModSecurity documentation that explains what's happening when you encounter the DBM error messages:

> Important:
> If your system uses either the mod_ruid2 or the mod_mpm_itk Apache modules and also uses Persistent Storage with the initcol, setuid, or setsid directives in the ModSecurity rules, Apache will fail to track that rule. Apache will also log errors to its error_log file. For example, the IP Reputation rule in the OWASP core ruleset may give this error.

Regarding your other questions:

> Well, first, for a long time the default mod_security rules that ship with cPanel block internal cPanel queries:
>
> 960008: Request Missing a Host Header
> Source 127.0.0.1
> Request:
> GET /whm-server-status
> Action Description:
> Warning.
> Justification:
> Operator EQ matched 0 at REQUEST_HEADERS.

This is similar to the topic discussed on the following thread (the linked post includes a case number and workaround):

217220 COMODO WAF: Request Missing a Host Header

> Now it seems like when using EasyApache4 with defaultish settings (just adding some needed php modules) these errors are constantly shown in the error log:
>
> [Wed Feb 08 07:19:47.368806 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]
>
> [Wed Feb 08 07:19:47.614697 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]

This is a long-standing issue with ModSecurity, and the most recent update is posted at:

ModSecurity + MPM ITK compatibility - inconsistent documentation

You may also find this thread helpful if you are seeking a workaround:

ModSecurity - SecDataDir

Thank you.
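
Added example, not part of the thread and not cPanel's or ModSecurity's own tooling: a small Python parser that separates the persistent-storage failures quoted above from ordinary rule hits in an Apache error_log. The function names are assumptions, and the third sample line is constructed for contrast.

```python
import re
from collections import Counter

# Apache 2.4 error_log prefix, then the ModSecurity message with its [key "value"] tags.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[[^\]]*:error\] \[pid (?P<pid>\d+)\] '
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<msg>.*)$'
)
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Signatures of the two internal failures quoted in the thread.
SIGNATURES = {
    "dbm_permission": re.compile(
        r'collection_store: Failed to access DBM file "(?P<path>[^"]+)": Permission denied'),
    "mutex_permission": re.compile(r'Failed to lock proc mutex: Permission denied'),
}

# First two lines are the ones posted above; the third is constructed for contrast.
SAMPLE = [
    '[Wed Feb 08 07:19:47.368806 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]',
    '[Wed Feb 08 07:19:47.614697 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]',
    '[Wed Feb 08 07:19:48.000000 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960008"] [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTED-EXAMPLE-ID"]',
]

def parse(line):
    """Return a dict for a ModSecurity error_log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    event = {"ts": m.group("ts"), "kind": "other", "path": None,
             "tags": dict(TAG_RE.findall(msg))}
    for kind, rx in SIGNATURES.items():
        hit = rx.search(msg)
        if hit:
            event["kind"], event["path"] = kind, hit.groupdict().get("path")
            break
    return event

def summarize(lines):
    """Count storage failures, list the DBM files involved and the affected requests."""
    failures = [e for e in map(parse, lines) if e and e["kind"] != "other"]
    return {
        "by_kind": Counter(e["kind"] for e in failures),
        "dbm_files": sorted({e["path"] for e in failures if e["path"]}),
        "requests": sorted({e["tags"]["unique_id"] for e in failures if "unique_id" in e["tags"]}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Both failures in the sample share one unique_id, so they come from the same request; a DBM path under the data directory showing up in `dbm_files` on a server running mod_ruid2 or mod_mpm_itk matches the documented limitation quoted above.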