The Community Forums


Revert to mod_security 2.7.7

Discussion in 'EasyApache' started by Tom Risager, Jun 5, 2014.

  1. Tom Risager

    Tom Risager Well-Known Member

    Joined:
    Jul 10, 2012
    Messages:
    107
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Copenhagen, Denmark, Denmark
    cPanel Access Level:
    Root Administrator
    Is there a safe way of reverting mod_security from 2.8.0 to 2.7.7?

    We are using the paid Atomicorp ruleset, and we get a syntax error with the latest version of the rules. Looking in the Atomicorp wiki there is this: Note: Due to numerous bugs in modsecurity 2.8.0, it is not supported at this time. Do not use 2.8.0.

    mod_security went from 2.7.7 to 2.8.0 on our server after we ran an EasyApache update on May 15. We would like to undo that update if possible, until Atomicorp can support the mod_security version used by cPanel. Is that possible?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Downgrading to a previous version of Mod_Security through EasyApache is not supported. The changes with Mod_Security 2.8 are documented here:

    Mod_Security 2.8 Changes

    Thank you.
     
  3. santrix

    santrix Well-Known Member

    Joined:
    Nov 30, 2008
    Messages:
    223
    Likes Received:
    2
    Trophy Points:
    18
    Hi. Totally agree with the OP. This is always a bone of contention. I really wish cPanel would offer a bit more control over the ModSec version. ModSecurity 2.8 has a few bugs, and one of them has meant that anyone using Atomic Corp Realtime Rules (I'm sure we are not alone here) is finding problems as follows:

    Atomicorp • View topic - Syntax error?

    The fix is simply to get rid of any CIDR notations from the ipMatch parameters. This script will fix the current problem but I expect there will be more to come unless Atomic Corp either support 2.8 or cPanel allow a downgrade - between the two organisations us poor hosters are getting the rough end of the stick.

    Code:
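    #!/bin/bash
    # TEMPORARY PATCH DUE TO MODSEC 2.8 BUG
    # Rewrites "ipMatch 127.0.0.0/8" to a single address in every rule file that contains it.
    IFS=$'\n'
    # -l lists matching files only; -F matches the pattern as a literal string, not a regex
    declare -a Files=($(grep -lF "ipMatch 127.0.0.0/8" /usr/local/apache/conf/modsec_rules/*))
    unset IFS
    for File in "${Files[@]}"; do
       # Quote the file name so paths containing spaces are handled correctly
       /bin/sed -i -e 's:ipMatch 127\.0\.0\.0/8:ipMatch 127.0.0.1:' "$File"
    done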
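
An added example, not part of santrix's post or of the cPanel or Atomicorp tooling: a read-only audit that lists every CIDR entry passed to ipMatch, so each hit can be reviewed before it is rewritten (replacing 127.0.0.0/8 with 127.0.0.1 narrows what the rule matches). The function names, the sample rules and their ids are constructed for illustration.

```bash
#!/bin/bash
# Added example: read-only audit, changes no files.

# Print "file:line:cidr" for every CIDR entry in an ipMatch argument list.
# Requires whitespace after "ipMatch", so ipMatchFromFile is not matched.
find_cidr_ipmatch() {
    awk '
    /^[ \t]*#/ { next }                      # ignore commented-out rules
    {
        line = $0
        while (match(line, "ipMatch[ \t]+[0-9A-Fa-f:.,/]+")) {
            args = substr(line, RSTART, RLENGTH)
            sub("^ipMatch[ \t]+", "", args)
            n = split(args, item, ",")       # ipMatch takes a comma-separated list
            for (i = 1; i <= n; i++)
                if (item[i] ~ "/[0-9]+$")    # entry ends in a prefix length
                    printf "%s:%d:%s\n", FILENAME, FNR, item[i]
            line = substr(line, RSTART + RLENGTH)
        }
    }' "$1"/*
}

# Constructed sample rules (not Atomicorp's), written to the directory in $1.
write_sample_rules() {
    cat > "$1/sample.conf" <<'EOF'
# constructed sample
SecRule REMOTE_ADDR "@ipMatch 127.0.0.0/8" "id:900001,phase:1,pass,nolog"
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10,198.51.100.0/24" "id:900002,phase:1,pass,nolog"
# SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" "id:900003,phase:1,pass,nolog"
SecRule REMOTE_ADDR "@ipMatch 203.0.113.5" "id:900004,phase:1,pass,nolog"
EOF
}

# Demo on the sample; on a server, pass the real rules directory instead,
# e.g. /usr/local/apache/conf/modsec_rules as used in the post above.
demo_dir=$(mktemp -d)
write_sample_rules "$demo_dir"
find_cidr_ipmatch "$demo_dir"
rm -rf "$demo_dir"
```
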
    
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. santrix

    santrix Well-Known Member

    Joined:
    Nov 30, 2008
    Messages:
    223
    Likes Received:
    2
    Trophy Points:
    18
    Disappointed with this response. I am slightly less disappointed with Atomic Corp's response:

    Atomicorp • View topic - Syntax error?

    because I sympathise with their point of view that 2.8 is too buggy.

    It begs the question - Why push out Mod Security 2.8 when there were very clearly documented problems with it:

    https://github.com/SpiderLabs/ModSecurity/issues/706

    ...and one of the biggest players in managed Mod Security rulesets won't even touch it? This was poorly managed, poorly researched, and a bad decision that has negatively affected, I expect, a lot of customers.
     
    speckados likes this.
  6. speckados

    speckados Well-Known Member

    Joined:
    May 21, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Acequias :: Granada :: España
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Totally agree.

    Not good kick ball out, "you put a ticket" "request an improvement"

    The criticism is constructive, and cPanel's error is clear. It opted for a very recent version of mod_security that came with bugs, and that is a problem for thousands of users running cPanel + AtomicRules and other rules.

    The reaction from Cpanel should be another, to offer the downgrade or method to execute without easyapache use the version 2.8

    Should not send the user to "Submit A Feature Request"

    Reaction proactive versus traditional reaction
     
  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I don't fault cPanel or ASL here, though I did ping someone regarding https://github.com/SpiderLabs/ModSecurity/issues/706

    Hopefully it gets patched soon and the updated version can get into EA.

    edit: I'd also support EA just going back to 2.7.x until the major rule sets are "happy" with 2.8, or offering the choice between the two. There are some nice new features in 2.8 I'd like to use, but they're not super urgent.
     
    #7 quizknows, Jun 6, 2014
    Last edited: Jun 6, 2014
  8. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    569
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    Please note that cPanel does not provide ModSecurity. We simply install what is made available by the Apache team. What cPanelMichael mentioned was correct. Please file a feature request to allow users the ability to select which version of ModSecurity they wish to install during EasyApache.
     
  9. Tom Risager

    Tom Risager Well-Known Member

    Joined:
    Jul 10, 2012
    Messages:
    107
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Copenhagen, Denmark, Denmark
    cPanel Access Level:
    Root Administrator
    Thanks for the explanation, Peter, but I actually thought you did some amount of QA before including what the Apache team releases in EasyApache.
     
  10. ScottTh

    ScottTh Well-Known Member

    Joined:
    Jan 28, 2013
    Messages:
    157
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Hi everyone,

    We are beginning work to revert mod_security back to version 2.7.7. Please watch the EasyApache forums and our change log for the upcoming release.

    Thanks for your feedback!
     
  11. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    We only test what we know about and use. We currently provide a very narrow set of mod_security rules, which are compatible with mod_security 2.8.

    As noted in the github bug report, this also eluded the mod_security developers for a similar reason: their rulesets don't use the particular notation that changed. Now that they have a unit test for it, hopefully it will prevent future issues.
     
  12. Tom Risager

    Tom Risager Well-Known Member

    Joined:
    Jul 10, 2012
    Messages:
    107
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Copenhagen, Denmark, Denmark
    cPanel Access Level:
    Root Administrator
    Excellent news, thank you :)
     
  13. ScottTh

    ScottTh Well-Known Member

    Joined:
    Jan 28, 2013
    Messages:
    157
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Hi everyone,

    EasyApache 3.24.21 has been published. Please take a moment to view our change log.

    This version of EasyApache addresses the issues with mod_security 2.8.0 and a particular rule set that would cause EasyApache to not function as expected. Originally a revert to mod_security 2.7.7 seemed the most likely solution to solve this problem. Thankfully we have identified a less invasive and more precise change rather than reverting back to mod_security 2.7.7. We have applied the patch that addresses the issues with the offending rule in EasyApache 3.24.21.

    We were able to utilize a patch provided here. The developers have indicated that this patch will be part of the mod_security 2.8.1 release candidate. EasyApache will update mod_security to version 2.8.1 when it has been released.

    Thank you all for your patience and helpful feedback. It's been an integral part of the troubleshooting process. Please let us know if there are any additional questions.
     
  14. speckados

    speckados Well-Known Member

    Joined:
    May 21, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Acequias :: Granada :: España
    cPanel Access Level:
    DataCenter Provider
    Twitter:
  15. ScottTh

    ScottTh Well-Known Member

    Joined:
    Jan 28, 2013
    Messages:
    157
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Hi speckados,

    I hope I can help address your concern. EasyApache does provide access to the ModSecurity software as you see in the documentation you found. ModSecurity is released and maintained by groups outside of cPanel. This is the same with all components of EasyApache such as PHP and Apache itself. EasyApache is a tool that helps to utilize and deploy this software in a convenient and safe manner.

    cPanelPeter's comment that "cPanel does not provide ModSecurity" simply means that cPanel is not the initial developer of the software. We also carefully review and test all new updates to EasyApache. This recent issue with ModSecurity has led to improved test coverage from the ModSecurity developers themselves as seen here. This is a learning experience for not just the ModSecurity developers, but also for cPanel and EasyApache.

    Please let me know if you have any other questions or have ideas how to improve our integration of ModSecurity. Thanks!
     
  16. cPHeekyoung

    cPHeekyoung Quality Assurance Analyst
    Staff Member

    Joined:
    Aug 7, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator