Seemingly unable to disable mod_security rule

[verdon]

Hello,

I have a mod_security rule (Comodo 220030) that I don't seem to be able to disable. I have it disabled in 'Home »Security Center »ModSecurity™ Tools » Rules List' and disabled in 'ConfigServer ModSecurity Control - cmc v2.04' Whitelist, and yet hits on the rule are still showing up in 'Home »Security Center »ModSecurity™ Tools » Hits List' leading to people getting blocked by CSF firewall.

Any thoughts as to what to do to troubleshoot/verify this?

 

[cPanelMichael]

Hello,

Internal case CPANEL-7914 is open to address an issue where user-defined ModSecurity rules are not configurable in "WHM > ModSecurity Tools > Rules List". I'll update this thread with more information on the status of this case as it becomes available. You should be able to make modifications to the rules via the command line as a temporary workaround:

For EA3 - Apache Module: ModSecurity - EasyApache - cPanel Documentation

For EA4 - Apache Module: ModSecurity - EasyApache 4 - cPanel Documentation

Update:

Released with 58.0.26:

Fixed case CPANEL-7914: Fix loading of custom mod_security rules.

Thank you.

 

[verdon]

hmmm... I can verify that

SecRuleRemoveById 220030

has been added to the bottom of
/etc/apache2/conf.d/modsec/modsec2.cpanel.conf

I assume by the mod_sec tools. That should work, shouldn't it?

It is also in
/etc/apache2/conf.d/modsec2.whitelist.conf

Which is included by ConfigServer Mod_sec add-on in the file
/etc/apache2/conf.d/modsec/modsec2.user.conf

Shouldn't one of those work?

 

[quizknows]

You are right, that normally should work. Do you have the rule itself handy by chance?

 

[kernow]

If the Comodo script was installed in /var/cpanel/cwaf/scripts/ You could run this to exclude globally:

./cwaf-cli.pl -ea 220030

To view list of excluded rules:

./cwaf-cli.pl -xl

 

[verdon]

You are right, that normally should work. Do you have the rule itself handy by chance?

SecRule QUERY_STRING "[email protected] =" \
    "id:1,rev:2,chain,msg:'COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)||%{tx.domain}|%{tx.mode}',phase:1,deny,status:403"
SecRule QUERY_STRING "@rx ^(-(a|b|C|q|T|c|n|d|e|f|h|\?|i|l|m|r|B|R|F|E|S|t|s|v|w|z)|--(interactive|bindpath|no-chdir|no-header|timing|php-ini|no-php-ini|define|profile-info|file|help|usage|info|syntax-check|modules|run|process-begin|process-code|process-file|process-end|server|docroot|syntax-highlight|syntax-highlighting|version|strip|zend-extension|ini|rfunction|rclass|rextension|rzendextension|rextinfo))" \
    "t:'none',t:'urlDecodeUni',t:'trimLeft'"