Revert to mod_security 2.7.7

[Tom Risager]

Is there a safe way of reverting mod_security from 2.8.0 to 2.7.7?

We are using the paid Atomicorp ruleset, and we get a syntax error with the latest version of the rules. Looking in the Atomicorp wiki there is this: Note: Due to numerous bugs in modsecurity 2.8.0, it is not supported at this time. Do not use 2.8.0.

mod_security went from 2.7.7 to 2.8.0 on our server after we ran an EasyApache update on May 15. We would like to undo that update if possible, until Atomicorp can support the mod_security version used by cPanel. Is that possible?

 

[cPanelMichael]

Hello

Downgrading to a previous version of Mod_Security through EasyApache is not supported. The changes with Mod_Security 2.8 are documented here:

Mod_Security 2.8 Changes

Thank you.

 

[santrix]

Hi. Totally agree with the OP. This is always a bone of contention. I really wish cpanel would offer a bit more control over the ModSec version. ModSecurity 2.8 has a few bugs, and one of them has meant that anyone using Atomic Corp Realtime Rules (I'm sure we are not alone here) are finding problems as follows:

Atomicorp • View topic - Syntax error?

The fix is simply to get rid of any CIDR notations from the ipMatch parameters. This script will fix the current problem but I expect there will be more to come unless Atomic Corp either support 2.8 or cPanel allow a downgrade - between the two organisations us poor hosters are getting the rough end of the stick.

#!/bin/bash
#TEMPORARY PATCH DUE TO MODSEC 2.8 BUG
IFS=$'\n'
declare -a Files=($(egrep -l "ipMatch 127.0.0.0/8" /usr/local/apache/conf/modsec_rules/*))
unset IFS
for File in "${Files[@]}"; do
   /bin/sed -i -e 's:ipMatch 127\.0\.0\.0\/8:ipMatch 127.0.0.1:' $File
done

 

[cPanelMichael]

You are welcome to open a feature request for the ability to control which version of Mod_Security is installed:

Submit A Feature Request

Thank you.

 

[santrix]

You are welcome to open a feature request

Disappointed with this response. I am slightly less disappointed with Atomic Corp's response:

Atomicorp • View topic - Syntax error?

because I sympathise with their point of view that 2.8 is too buggy.

It begs the question - Why push out Mod Security 2.8 when there were very clearly documented problems with it:

https://github.com/SpiderLabs/ModSecurity/issues/706

...and one of the biggest players in managed Mod Security rulesets won't even touch it? This was poorly managed, poorly researched, and a bad decision that has negatively affected, I expect, a lot of customers.

 

[speckados]

Totally agree.

Not good kick ball out, "you put a ticket" "request an improvement"

The criticism is constructive, and Cpanel error is clear. He opted for a very recent version of mod_security that came with bugs and that is a problem for thousands of users running Cpanel + AtomicRules and other rules.

The reaction from Cpanel should be another, to offer the downgrade or method to execute without easyapache use the version 2.8

Should not send the user to "Submit A Feature Request"

Reaction proactive versus traditional reaction

 

[quizknows]

I don't fault cPanel or ASL here, though I did ping someone regarding https://github.com/SpiderLabs/ModSecurity/issues/706

Hopefully it gets patched soon and the updated version can get into EA.

edit: I'd also support EA just going back to 2.7.x until the major rule sets are "happy" with 2.8, or offering the choice between the two. There are some nice new features in 2.8 I'd like to use, but they're not super urgent.

 

[cPanelPeter]

Hello,

Please note, that cPanel does not provide ModSecurity. We simply install what is made available by the Apache team. What cPanelMichael mentioned was correct. Please file a feature request to allow users the ability to select which version of ModSecurity they wish to install during EasyApache.

 

[Tom Risager]

Thanks for the explanation, Peter, but I actually thought you did some amount of QA before including what the Apache team releases in EasyApache.

 

[ScottTh]

Hi everyone,

We are beginning work to revert mod_security back to version 2.7.7. Please watch the EasyApache forums and our change log for the upcoming release.

Thanks for your feedback!

 

[cPanelKenneth]

Thanks for the explanation, Peter, but I actually thought you did some amount of QA before including what the Apache team releases in EasyApache.

We only test what we know about and use. We currently provide a very narrow set of mod_security rules, which are compatible with mod_security 2.8.

As noted in the github bug report, this also eluded the mod_security developers for a similar reason: their rulesets don't use the particular notation that changed. Now that they have a unit test for it, hopefully it will prevent future issues.

 

[Tom Risager]

We are beginning work to revert mod_security back to version 2.7.7.

Excellent news, thank you

 

[ScottTh]

Hi everyone,

EasyApache 3.24.21 has been published. Please take a moment to view our change log.

This version of EasyApache addresses the issues with mod_security 2.8.0 and a particular rule set that would cause EasyApache to not function as expected. Originally a revert to mod_security 2.7.7 seemed the most likely solution to solve this problem. Thankfully we have identified a less invasive and more precise change rather than reverting back to mod_security 2.7.7. We have applied the patch that addresses the issues with the offending rule in EasyApache 3.24.21.

We were able to utilize a patch provided here. The developers have indicated that this patch will be part of the mod_security 2.8.1 release candidate. EasyApache will update mod_security to version 2.8.1 when it has been released.

Thank you all for your patience and helpful feedback. It's an been an integral part of the troubleshooting process. Please let us know if there are any additional questions.

 

[speckados]

" that cPanel does not provide ModSecurity"

Disapointted... Cpanel offer ModSecurity...
EasyApache mod_security Module

 

[ScottTh]

" that cPanel does not provide ModSecurity"

Disapointted... Cpanel offer ModSecurity...
EasyApache mod_security Module

Hi speckados,

I hope I can help address your concern. EasyApache does provide access to the ModSecurity software as you see in the documentation you found. ModSecurity is released and maintained by groups outside of cPanel. This is the same with all components of EasyApache such as PHP and Apache itself. EasyApache is a tool that helps to utilize and deploy this software in a convenient and safe manner.

cPanelPeter's comment that "cPanel does not provide ModSecurity" simply means that cPanel is not the initial developer of the software. We also carefully review and test all new updates to EasyApache. This recent issue with ModSecurity has led to improved test coverage from the ModSecurity developers themselves as seen here. This is a learning experience for not just the ModSecurity developers, but also for cPanel and EasyApache.

Please let me know if you have any other questions or have ideas how to improve our integration of ModSecurity. Thanks!

 

[cPHeekyoung]

Current ModSecurity version via EasyApache is 2.8.0 + patch for bug 706(ipMatch error)
EasyApache change log(see 3.24.21 section)