Problem with new OWASP3 rules

Discussion in 'Security' started by joako, Apr 18, 2017.

  1. joako

    joako Well-Known Member

    So basically it's broken and no way to fix?

    Why do you ship this then? And please don't give the 3rd party excuse... after the last release of cPanel I get a big message that says:

    OWASP has released version 3 of their Core Rule Set for ModSecurity™. This new version of the ruleset provides enhanced protection for a number of attacks on web servers. To install the new set of rules or upgrade from the older version, go to Home » Security Center » ModSecurity™ Vendors.


    Why are you shipping these broken rules and saying they are a feature?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you provide some more information about the specific error message or issue you are facing?

    Thank you.
     
  3. joako

    joako Well-Known Member

    Well, first, for a long time the default mod_security rules that ship with cPanel block internal cPanel queries:

    960008: Request Missing a Host Header
    Source 127.0.0.1
    Request:
    GET /whm-server-status
    Action Description:
    Warning.
    Justification:
    Operator EQ matched 0 at REQUEST_HEADERS.

    Now it seems like when using EasyApache4 with defaultish settings (just adding some needed php modules) these errors are constantly shown in the error log:

    [Wed Feb 08 07:19:47.368806 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]

    [Wed Feb 08 07:19:47.614697 2017] [:error] [pid 18362] [client 88.xx.xxx.xxx] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "WJq4gxoNZ0NsrRs3VcpdbQAAAAo"]
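
The post above mixes two different things: a rule match on a local request, and ModSecurity failing to write its own state. The following added example (not part of the original post and not cPanel's tooling) parses error-log lines in the quoted format and separates the two. The sample lines, the `[file ...]` path and the `unique_id` values are constructed, and treating lines without an `[id "..."]` tag as engine errors is an assumption based on the quoted output.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the errors quoted in the thread.
SAMPLE_LOG = '''\
[Wed Feb 08 07:19:47.368806 2017] [:error] [pid 18362] [client 192.0.2.10] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "CONSTRUCTED-0001"]
[Wed Feb 08 07:19:47.614697 2017] [:error] [pid 18362] [client 192.0.2.10] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/wp-cron.php"] [unique_id "CONSTRUCTED-0001"]
[Wed Feb 08 07:20:02.000001 2017] [:error] [pid 18370] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/placeholder/rules.conf"] [line "1"] [id "960008"] [msg "Request Missing a Host Header"] [hostname "127.0.0.1"] [uri "/whm-server-status"] [unique_id "CONSTRUCTED-0002"]
[Wed Feb 08 07:20:05.000002 2017] [core:notice] [pid 18000] AH00163: constructed non-ModSecurity line
'''

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)\] '
                     r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<body>.*)$')
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
DBM_RE = re.compile(r'Failed to access DBM file "([^"]+)"')

def parse_line(line):
    """Return a dict for a ModSecurity error-log line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    first_tag = TAG_RE.search(body)
    text = body[:first_tag.start()].strip() if first_tag else body.strip()
    tags = dict(TAG_RE.findall(body))
    # Assumption: a rule match carries an [id "..."] tag; engine failures do not.
    kind = 'rule_hit' if 'id' in tags else 'engine_error'
    dbm = DBM_RE.search(text)
    return {'ts': m.group('ts'), 'client': m.group('client'), 'kind': kind,
            'text': text, 'tags': tags, 'dbm_file': dbm.group(1) if dbm else None}

def summarize(log_text):
    """Count WAF rule hits separately from engine errors such as permission failures."""
    rule_hits, engine_errors, dbm_files = Counter(), Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['kind'] == 'rule_hit':
            rule_hits[(rec['tags']['id'], rec['tags'].get('uri', ''))] += 1
        else:
            # Component is the prefix before the first colon, e.g. "collection_store".
            engine_errors[rec['text'].split(':', 1)[0]] += 1
            if rec['dbm_file']:
                dbm_files.add(rec['dbm_file'])
    return {'rule_hits': rule_hits, 'engine_errors': engine_errors,
            'dbm_files': dbm_files}
```

Calling `summarize()` on a real error log shows whether the noise comes from rule matches that need tuning or from storage and locking failures that no rule change will remove.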
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Here's a quote from our ModSecurity documentation that explains what's happening when you encounter the DBM error messages:

    Regarding your other questions:

    This is similar to the topic discussed on the following thread (the linked post includes a case number and workaround):

    217220 COMODO WAF: Request Missing a Host Header

    This is a long-standing issue with ModSecurity, and the most recent update is posted at:

    ModSecurity + MPM ITK compatibility - inconsistent documentation

    You may also find this thread helpful if you are seeking a workaround:

    ModSecurity - SecDataDir

    Thank you.
     