
Rule processing failed mod_cgi.c - ModSecurity

Discussion in 'General Discussion' started by 007basaran, Mar 7, 2017.

  1. 007basaran

    007basaran Active Member

    Joined:
    Feb 21, 2017
    Messages:
    40
    Likes Received:
    6
    Trophy Points:
    8
    Location:
    Turkey
    cPanel Access Level:
    DataCenter Provider
    Hello All,

    I have a little problem.

    Log Details 1:

    /usr/local/apache/logs/error_log

    Code:
    ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] 
    Log Details 2:

    /usr/local/apache/logs/modsec_audit.log

    Code:
    --dd51573f-H--
    Message: Rule processing failed (id=981138)
    Apache-Handler: cgi-script
    Stopwatch: 1488926106634085 1247972 (- - -)
    Stopwatch2: 1488926106634085 1247972; combined=3354, p1=309, p2=2703, p3=0, p4=0, p5=270, sr=38, sw=72, l=0, gc=0
    Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0; CWAF_Apache.
    Server: Apache
    Engine-Mode: "DETECTION_ONLY"
    Thank you all for your help.
    Regards.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Do you notice any additional output just before and after that entry in the Apache error log? If so, please post that output as well.

    Thank you.
     
  3. 007basaran

    007basaran Active Member

    Joined:
    Feb 21, 2017
    Messages:
    40
    Likes Received:
    6
    Trophy Points:
    8
    Location:
    Turkey
    cPanel Access Level:
    DataCenter Provider
    Hello,

    Just there:

    tail -f /usr/local/apache/logs/error_log

    Code:
    [Wed Mar 08 15:52:34.758724 2017] [:error] [pid 18615] [client 77.88.47.45] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/"] [unique_id "WMBvEuI4u6bzIjCRXzqKcwAAAAc"]
    [Wed Mar 08 15:52:36.415060 2017] [:error] [pid 18616] [client 100.43.85.2] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/sro-server"] [unique_id "WMBvFIH4a6ODfBvHrCJOAwAAAAg"]
    [Wed Mar 08 15:52:54.456476 2017] [:error] [pid 17567] [client 193.34.173.130] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/instagrama-geostickers-ozelligi-geldi/"] [unique_id "WMBvJpy9Dyf0VmV6FuEVcQAAAAE"]
    [Wed Mar 08 15:53:21.874124 2017] [:error] [pid 18339] [client 66.155.5.4] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/"] [unique_id "WMBvQTfnBnlJaC@mnMb7twAAAAI"]
    [Wed Mar 08 15:53:28.622818 2017] [:error] [pid 17567] [client 35.164.65.53] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/"] [unique_id "WMBvSJy9Dyf0VmV6FuEVgwAAAAE"]
    [Wed Mar 08 15:53:40.028509 2017] [:error] [pid 18615] [client 13.112.204.11] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/instagrama-geostickers-ozelligi-geldi/"] [unique_id "WMBvVOI4u6bzIjCRXzqKhAAAAAc"]
    [Wed Mar 08 15:53:45.386652 2017] [:error] [pid 18650] [client 89.145.95.69] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/oyuntarzim-com-minecraft-premium-cekilisi-minecraft-herseyi-degisen-hesab/"] [unique_id "WMBvWTx7uZe9WEFvKUN4xwAAAAw"]
    [Wed Mar 08 15:53:51.128098 2017] [:error] [pid 17568] [client 35.154.100.103] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/"] [unique_id "WMBvX43cz6TLFsVvPUHVBwAAAAM"]
    [Wed Mar 08 15:53:51.670023 2017] [:error] [pid 18339] [client 52.43.248.29] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/instagrama-geostickers-ozelligi-geldi/"] [unique_id "WMBvXzfnBnlJaC@mnMb7wgAAAAI"]
    [Wed Mar 08 15:54:01.624274 2017] [:error] [pid 17568] [client 151.135.197.36] ModSecurity: Rule processing failed (id=981138) [hostname "xxxx] [uri "/MultivizyonDestek/mb4040.html"] [unique_id "WMBvaY3cz6TLFsVvPUHVCwAAAAM"]
    Thanks.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  5. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Was there a solution to this problem? I am having the same issue with rule id 981138.
     
  6. 007basaran

    007basaran Active Member

    Joined:
    Feb 21, 2017
    Messages:
    40
    Likes Received:
    6
    Trophy Points:
    8
    Location:
    Turkey
    cPanel Access Level:
    DataCenter Provider
    John Napoletano

    Yes,

    Disable Selected Modsecurity Rules

    Look at this image: image.prntscr.com/image/b23ab361b39e439898829da15e17bca5.png
     
    #6 007basaran, Apr 21, 2017
    Last edited by a moderator: Apr 21, 2017
  7. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks for the image. Looks like you disabled major security features: Protocol, XSS, SQLI. Any thoughts on that? Did you have to look at or do anything else to compensate?

    I can see the one rule in WHM and it can be disabled. Why didn't you just disable the one rule?
    Code:
    #
    # Check Client IP against ProjectHoneypot's HTTP Blacklist
    # Ref: Http:BL Application Programming Interface (API) | Project Honey Pot
    #
    # Must register for an HttpBL API Key and configure SecHttpBlKey directive
    # in the modsecurity_crs_10_setup.conf file.
    # Ref: Reference Manual · SpiderLabs/ModSecurity Wiki · GitHub
    #
    SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" "id:'981138', phase:request, capture, nolog,pass,t:none, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation', tag:'reputation-Malicious IP', tag:'IP_REPUTATON/MALICIOUS_CLIENT', chain, setvar:tx.httpbl_msg=%{tx.0}"
    SecRule TX:httpbl_msg "RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" "t:none, capture, setvar:tx.httpbl_msg=%{tx.1}"
    
     
    #7 John Napoletano, Apr 25, 2017
    Last edited by a moderator: Apr 26, 2017
  8. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    52
    Likes Received:
    23
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    This is a complex situation to troubleshoot. From the first post the modsec_audit.log shows...
    Code:
    Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0; CWAF_Apache.
    This indicates that both OWASP CRS and Comodo Rules are enabled.
    While these 2 rule sets have totally different id numbering, the Comodo set is essentially the OWASP rules with more production-ready configuration and specific rules added for known vulnerable files and exploits.
    So, since they share so much code in common, when you run them simultaneously they do wasteful things like setting the same variables twice and running many near-identical rules.
    I would not run these two rule sets together.

    To add to this complexity the image url posted by 007basaran of the OWASP Vendor .conf files shows that the OWASP CRS is cPanel's older version, not the newer OWASP3 now available in the Vendors section. The older version was in Traditional Blocking mode which caused a large amount of false positive blocks.

    The same image (as John pointed out) has the Protocol, XSS and SQLI .confs disabled. Rule 981138 is not in any of these 3 files; it is in REQUEST-10-IP-REPUTATION.conf. So disabling those 3 files could not possibly have fixed this problem.

    My recommendation would be for 007basaran to disable the OWASP ruleset and use just the Comodo rule set with all the .conf files enabled. That would have the added benefit of removing rule 981138.

    All that said, I don't think any of those things are the cause of this problem.
    I suspect it has to do with the connection to dnsbl.httpbl.org
    Firstly check that you have obtained a key from dnsbl.httpbl.org and have entered it into...
    Security Center » ModSecurity Configuration » Project Honey Pot Http:BL API Key text field.
    In rule 981138, modsecurity's rbl operator is used to build a url by concatenating the...
    honeypotkey + the TX:REAL_IP + dnsbl.httpbl.org
    and ends up with something like honeypotkey.2.1.9.127.dnsbl.httpbl.org, which it uses to do an nslookup.
    You can test it from the command line of your server with...
    nslookup honeypotkey.2.1.9.127.dnsbl.httpbl.org
    If the ip is in the blacklist, what looks like an ip address is returned:
    127.3.5.1
    The last digit indicates what kind of threat the ip poses.
    0 = Search Engine
    1 = Suspicious
    2 = Harvester
    4 = Comment Spammer

    So if you have a honeypot key and have tested from the command line and are still not getting either
    NXDOMAIN or an ip address
    as the response, then you may have to look at your server's resolvers.
    dnsbl.httpbl.org rate limits requests from each ip.
    The ip appearing to dnsbl.httpbl.org as making the lookup is one of your resolvers.
    Often a Google ip is used as the resolver because of their speed and reliability, but when all these requests hit dnsbl.httpbl.org, then that resolver's ip gets rate limited.
    There are a few things you can do to avoid this problem.
    Use dns servers other than Google's as your Primary, Secondary and Tertiary resolvers.
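As an added illustration of the lookup fuzzylogic describes above (example code written for this thread, not from ModSecurity, the CRS or any poster), the Python below builds the Http:BL query name that the @rbl operator in rule 981138 resolves and decodes the answer octets. It assumes the Project Honey Pot API format (key, then the client IPv4 in reversed octet order, then dnsbl.httpbl.org; answer 127.<days>.<threat>.<type bitmask>); the API key and the answer table are constructed placeholders, so it runs offline.

```python
"""Added example: build and decode a Project Honey Pot Http:BL lookup the way
rule 981138's @rbl operator does. Assumptions: query name is
<key>.<reversed IPv4>.dnsbl.httpbl.org and the answer is
127.<days since last activity>.<threat score>.<visitor type bitmask>.
No DNS traffic is sent; the answers below are constructed sample values."""
import ipaddress
from typing import Optional

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Visitor-type bits carried in the last octet of an Http:BL answer.
VISITOR_TYPES = {1: "Suspicious", 2: "Harvester", 4: "Comment Spammer"}


def build_query_name(api_key: str, client_ip: str) -> str:
    """Return the DNS name @rbl would resolve for this client IP."""
    if not api_key or not api_key.isalnum():
        raise ValueError("Http:BL API key missing or malformed")
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("Http:BL only lists IPv4 addresses")
    reversed_octets = ".".join(reversed(client_ip.split(".")))
    return f"{api_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_answer(answer: Optional[str]) -> dict:
    """Interpret an Http:BL answer; None models NXDOMAIN (IP not listed)."""
    if answer is None:
        return {"listed": False}
    first, days, threat, kind = (int(o) for o in answer.split("."))
    if first != 127:
        raise ValueError(f"unexpected Http:BL answer {answer!r}")
    if kind == 0:
        types = ["Search Engine"]  # type 0 is not a bitmask value
    else:
        types = [name for bit, name in VISITOR_TYPES.items() if kind & bit]
    return {"listed": True, "days_since_last_activity": days,
            "threat_score": threat, "visitor_types": types}


# Constructed sample data: a placeholder key and the answer quoted in the thread.
SAMPLE_KEY = "abcdefghijkl"  # placeholder, not a real Http:BL key
SAMPLE_ANSWERS = {"192.0.2.10": "127.3.5.1", "198.51.100.7": None}


def check_client(client_ip: str, answers=SAMPLE_ANSWERS) -> dict:
    """Simulate the lookup against the constructed answer table."""
    name = build_query_name(SAMPLE_KEY, client_ip)
    return {"query": name, **decode_answer(answers.get(client_ip))}
```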
     