Tom Risager

Well-Known Member
Jul 10, 2012
Copenhagen, Denmark
cPanel Access Level
Root Administrator
Is there a safe way of reverting mod_security from 2.8.0 to 2.7.7?

We are using the paid Atomicorp ruleset, and we get a syntax error with the latest version of the rules. Looking in the Atomicorp wiki there is this: Note: Due to numerous bugs in modsecurity 2.8.0, it is not supported at this time. Do not use 2.8.0.

mod_security went from 2.7.7 to 2.8.0 on our server after we ran an EasyApache update on May 15. We would like to undo that update if possible, until Atomicorp can support the mod_security version used by cPanel. Is that possible?

santrix

Well-Known Member
Nov 30, 2008
Hi. Totally agree with the OP. This is always a bone of contention. I really wish cPanel would offer a bit more control over the ModSec version. ModSecurity 2.8 has a few bugs, and one of them has meant that anyone using Atomic Corp Realtime Rules (I'm sure we are not alone here) is finding problems as follows:

Atomicorp • View topic - Syntax error?

The fix is simply to get rid of any CIDR notations from the ipMatch parameters. This script will fix the current problem, but I expect there will be more to come unless Atomic Corp either supports 2.8 or cPanel allows a downgrade. Between the two organisations, we poor hosters are getting the rough end of the stick.

Code:
#!/bin/bash
# TEMPORARY PATCH DUE TO MODSEC 2.8 BUG:
# rewrite the CIDR argument to @ipMatch as a single host so that 2.8.0 accepts the rule.
IFS=$'\n'
declare -a Files=($(grep -E -l "ipMatch 127\.0\.0\.0/8" /usr/local/apache/conf/modsec_rules/*))
unset IFS
for File in "${Files[@]}"; do
   /bin/sed -i -e 's:ipMatch 127\.0\.0\.0/8:ipMatch 127.0.0.1:' "$File"
done
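An audit script for the situation described above, added here as an example and not part of santrix's post or of the Atomicorp ruleset: it lists every CIDR argument to @ipMatch in a rule file and reports how much narrower the match becomes when the prefix is swapped for a single host, which is what the sed workaround does for 127.0.0.0/8. The rule lines are constructed for illustration.

```python
"""Audit ModSecurity rule text for CIDR arguments to the @ipMatch operator.

Added example, not santrix's script. Replacing 127.0.0.0/8 with 127.0.0.1 makes
the rule parse under 2.8.0, but it also changes what the rule matches; this
script shows by how much, so the change can be reviewed before it is applied.
"""
import ipaddress
import re

# Capture the argument list of an @ipMatch operator up to the closing quote
# of the operator string, e.g. "@ipMatch 127.0.0.0/8,10.0.0.1".
IPMATCH_RE = re.compile(r'@ipMatch\s+([^"\']+)')


def find_cidr_args(rule_text):
    """Return (line_no, cidr) for every @ipMatch argument written in CIDR form."""
    hits = []
    for line_no, line in enumerate(rule_text.splitlines(), start=1):
        m = IPMATCH_RE.search(line)
        if not m:
            continue
        for arg in m.group(1).split(','):
            arg = arg.strip()
            if '/' not in arg:
                continue
            try:
                hits.append((line_no, str(ipaddress.ip_network(arg, strict=False))))
            except ValueError:
                pass  # not a valid network; leave it for a human to inspect
    return hits


def addresses_lost(cidr):
    """Addresses that stop matching if the CIDR is replaced by its first host."""
    return ipaddress.ip_network(cidr).num_addresses - 1


def audit(rule_text):
    """Map each CIDR argument found to the number of addresses the workaround drops."""
    return {cidr: addresses_lost(cidr) for _, cidr in find_cidr_args(rule_text)}


# Constructed sample rules; not taken from any real ruleset.
SAMPLE_RULES = """\
SecRule REMOTE_ADDR "@ipMatch 127.0.0.0/8" "id:1000,phase:1,allow,nolog"
SecRule REMOTE_ADDR "@ipMatch 10.0.0.1,10.0.0.2" "id:1001,phase:1,deny"
SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/16,203.0.113.5" "id:1002,phase:1,deny"
"""

if __name__ == '__main__':
    for line_no, cidr in find_cidr_args(SAMPLE_RULES):
        print(f"line {line_no}: {cidr} -> single host drops {addresses_lost(cidr)} addresses")
```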

santrix

Well-Known Member
Nov 30, 2008
"You are welcome to open a feature request"
Disappointed with this response. I am slightly less disappointed with Atomic Corp's response:

Atomicorp • View topic - Syntax error?

because I sympathise with their point of view that 2.8 is too buggy.

It begs the question: why push out ModSecurity 2.8 when there were very clearly documented problems with it:

https://github.com/SpiderLabs/ModSecurity/issues/706

...and one of the biggest players in managed Mod Security rulesets won't even touch it? This was poorly managed, poorly researched, and a bad decision that has negatively affected, I expect, a lot of customers.

speckados

Well-Known Member
Totally agree.

Not good kick ball out, "you put a ticket" "request an improvement"

The criticism is constructive, and cPanel's error is clear. They opted for a very recent version of mod_security that came with bugs, and that is a problem for thousands of users running cPanel + Atomic rules and other rules.

The reaction from cPanel should be different: offer the downgrade, or a method to run EasyApache without using version 2.8.

They should not send the user to "Submit a Feature Request".

A proactive reaction versus the traditional reaction.

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
I don't fault cPanel or ASL here, though I did ping someone regarding https://github.com/SpiderLabs/ModSecurity/issues/706

Hopefully it gets patched soon and the updated version can get into EA.

edit: I'd also support EA just going back to 2.7.x until the major rule sets are "happy" with 2.8, or offering the choice between the two. There are some nice new features in 2.8 I'd like to use, but they're not super urgent.

cPanelPeter

Technical Analyst III
Staff member
Sep 23, 2013
cPanel Access Level
Root Administrator
Hello,

Please note, that cPanel does not provide ModSecurity. We simply install what is made available by the Apache team. What cPanelMichael mentioned was correct. Please file a feature request to allow users the ability to select which version of ModSecurity they wish to install during EasyApache.

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
cPanel Access Level
Root Administrator
"Thanks for the explanation, Peter, but I actually thought you did some amount of QA before including what the Apache team releases in EasyApache."
We only test what we know about and use. We currently provide a very narrow set of mod_security rules, which are compatible with mod_security 2.8.

As noted in the github bug report, this also eluded the mod_security developers for a similar reason: their rulesets don't use the particular notation that changed. Now that they have a unit test for it, hopefully it will prevent future issues.

ScottTh

Well-Known Member
Jan 28, 2013
Houston, TX
cPanel Access Level
Root Administrator
Hi everyone,

EasyApache 3.24.21 has been published. Please take a moment to view our change log.

This version of EasyApache addresses the issues with mod_security 2.8.0 and a particular rule set that would cause EasyApache to not function as expected. Originally a revert to mod_security 2.7.7 seemed the most likely solution to solve this problem. Thankfully we have identified a less invasive and more precise change rather than reverting back to mod_security 2.7.7. We have applied the patch that addresses the issues with the offending rule in EasyApache 3.24.21.

We were able to utilize a patch provided here. The developers have indicated that this patch will be part of the mod_security 2.8.1 release candidate. EasyApache will update mod_security to version 2.8.1 when it has been released.

Thank you all for your patience and helpful feedback. It has been an integral part of the troubleshooting process. Please let us know if there are any additional questions.

ScottTh

Well-Known Member
Jan 28, 2013
Houston, TX
cPanel Access Level
Root Administrator
"that cPanel does not provide ModSecurity"

Disappointed... cPanel offers ModSecurity...
EasyApache mod_security Module
Hi speckados,

I hope I can help address your concern. EasyApache does provide access to the ModSecurity software as you see in the documentation you found. ModSecurity is released and maintained by groups outside of cPanel. This is the same with all components of EasyApache such as PHP and Apache itself. EasyApache is a tool that helps to utilize and deploy this software in a convenient and safe manner.

cPanelPeter's comment that "cPanel does not provide ModSecurity" simply means that cPanel is not the initial developer of the software. We also carefully review and test all new updates to EasyApache. This recent issue with ModSecurity has led to improved test coverage from the ModSecurity developers themselves as seen here. This is a learning experience for not just the ModSecurity developers, but also for cPanel and EasyApache.

Please let me know if you have any other questions or have ideas how to improve our integration of ModSecurity. Thanks!