Seemingly unable to disable mod_security rule

verdon

Well-Known Member
Nov 1, 2003
919
12
168
Northern Ontario, Canada
cPanel Access Level
Root Administrator
Hello,

I have a mod_security rule (Comodo 220030) that I don't seem to be able to disable. I have it disabled in 'Home »Security Center »ModSecurity™ Tools » Rules List' and disabled in 'ConfigServer ModSecurity Control - cmc v2.04' Whitelist, and yet hits on the rule are still showing up in 'Home »Security Center »ModSecurity™ Tools » Hits List' leading to people getting blocked by CSF firewall.

Any thoughts as to what to do to troubleshoot/verify this?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello,

Internal case CPANEL-7914 is open to address an issue where user-defined ModSecurity rules are not configurable in "WHM > ModSecurity Tools > Rules List". I'll update this thread with more information on the status of this case as it becomes available. You should be able to make modifications to the rules via the command line as a temporary workaround:

For EA3 - Apache Module: ModSecurity - EasyApache - cPanel Documentation

For EA4 - Apache Module: ModSecurity - EasyApache 4 - cPanel Documentation

Update:

Released with 58.0.26:

Fixed case CPANEL-7914: Fix loading of custom mod_security rules.


Thank you.
 

verdon

Well-Known Member
Nov 1, 2003
919
12
168
Northern Ontario, Canada
cPanel Access Level
Root Administrator
hmmm... I can verify that

SecRuleRemoveById 220030

has been added to the bottom of
/etc/apache2/conf.d/modsec/modsec2.cpanel.conf

I assume by the mod_sec tools. That should work, shouldn't it?

It is also in
/etc/apache2/conf.d/modsec2.whitelist.conf

Which is included by ConfigServer Mod_sec add-on in the file
/etc/apache2/conf.d/modsec/modsec2.user.conf

Shouldn't one of those work?
 

verdon

Well-Known Member
Nov 1, 2003
919
12
168
Northern Ontario, Canada
cPanel Access Level
Root Administrator
You are right, that normally should work. Do you have the rule itself handy by chance?
Code:
SecRule QUERY_STRING "[email protected] =" \
    "id:1,rev:2,chain,msg:'COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)||%{tx.domain}|%{tx.mode}',phase:1,deny,status:403"
SecRule QUERY_STRING "@rx ^(-(a|b|C|q|T|c|n|d|e|f|h|\?|i|l|m|r|B|R|F|E|S|t|s|v|w|z)|--(interactive|bindpath|no-chdir|no-header|timing|php-ini|no-php-ini|define|profile-info|file|help|usage|info|syntax-check|modules|run|process-begin|process-code|process-file|process-end|server|docroot|syntax-highlight|syntax-highlighting|version|strip|zend-extension|ini|rfunction|rclass|rextension|rzendextension|rextinfo))" \
    "t:'none',t:'urlDecodeUni',t:'trimLeft'"