The Community Forums


Seemingly unable to disable mod_security rule

Discussion in 'Security' started by verdon, Aug 22, 2016.

  1. verdon

    verdon Well-Known Member

    Hello,

    I have a mod_security rule (Comodo 220030) that I don't seem to be able to disable. I have it disabled in 'Home » Security Center » ModSecurity™ Tools » Rules List' and disabled in 'ConfigServer ModSecurity Control - cmc v2.04' Whitelist, and yet hits on the rule are still showing up in 'Home » Security Center » ModSecurity™ Tools » Hits List', leading to people getting blocked by CSF firewall.

    Any thoughts as to what to do to troubleshoot/verify this?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Internal case CPANEL-7914 is open to address an issue where user-defined ModSecurity rules are not configurable in "WHM > ModSecurity Tools > Rules List". I'll update this thread with more information on the status of this case as it becomes available. You should be able to make modifications to the rules via the command line as a temporary workaround:

    For EA3 - Apache Module: ModSecurity - EasyApache - cPanel Documentation

    For EA4 - Apache Module: ModSecurity - EasyApache 4 - cPanel Documentation

    Thank you.
     
  3. verdon

    verdon Well-Known Member

    hmmm... I can verify that

    SecRuleRemoveById 220030

    has been added to the bottom of
    /etc/apache2/conf.d/modsec/modsec2.cpanel.conf

    I assume by the mod_sec tools. That should work, shouldn't it?

    It is also in
    /etc/apache2/conf.d/modsec2.whitelist.conf

    Which is included by ConfigServer Mod_sec add-on in the file
    /etc/apache2/conf.d/modsec/modsec2.user.conf

    Shouldn't one of those work?
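
One thing to check for the question above, as an added example that is not part of the thread or of cPanel's or ConfigServer's tooling: ModSecurity 2.x requires `SecRuleRemoveById` to appear after the rule it removes, so the load order of these files matters. The sketch replays config text in a given load order; `vendor_rules.conf`, the sample contents and both load orders are constructed assumptions.

```python
import re

ID_RE = re.compile(r"(?<![\w.])id\s*:\s*'?(\d+)")
REMOVE_RE = re.compile(r"^\s*SecRuleRemoveById\s+(.+)$", re.I)

def logical_lines(text):
    """Join backslash-continued lines, as Apache does before parsing."""
    return re.sub(r"\\\r?\n", " ", text).splitlines()

def spec_matches(spec, rule_id):
    """A SecRuleRemoveById argument is a single ID or a low-high range."""
    low, _, high = spec.partition("-")
    return int(low) <= rule_id <= int(high or low)

def removal_status(files, rule_id):
    """Replay (name, text) pairs in load order; report if rule_id stays active."""
    defined, active, early = False, False, []
    for name, text in files:
        for line in logical_lines(text):
            if line.lstrip().startswith("#"):
                continue
            removal = REMOVE_RE.match(line)
            if removal:
                specs = re.findall(r"\d+(?:-\d+)?", removal.group(1))
                if any(spec_matches(s, rule_id) for s in specs):
                    if not defined:
                        early.append(name)  # nothing loaded yet to remove
                    active = False
            elif re.match(r"\s*Sec(Rule|Action)\b", line, re.I):
                if str(rule_id) in ID_RE.findall(line):
                    defined = active = True
    if not defined:
        return "not-defined", early
    if not active:
        return "removed", early
    return ("removal-before-definition" if early else "not-removed"), early

# Constructed sample, not from a real server. The first two file names follow
# the post; vendor_rules.conf and both load orders are assumptions.
RULE = ('SecRule QUERY_STRING "!@contains =" \\\n'
        '    "id:220030,phase:1,deny,status:403"\n')
REMOVE = "SecRuleRemoveById 220030\n"
EARLY = [("modsec2.cpanel.conf", REMOVE), ("vendor_rules.conf", RULE)]
LATE = [("vendor_rules.conf", RULE), ("modsec2.whitelist.conf", REMOVE)]

if __name__ == "__main__":
    for label, order in (("early", EARLY), ("late", LATE)):
        print(label, removal_status(order, 220030))
```

Feed it the real files in the order Apache includes them; `Include` directives are not followed, so flatten them into the list first.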
     
  4. quizknows

    quizknows Well-Known Member

    You are right, that normally should work. Do you have the rule itself handy by chance?
     
  5. kernow

    kernow Well-Known Member

    If the Comodo script was installed in /var/cpanel/cwaf/scripts/, you could run this to exclude globally:
    Code:
    ./cwaf-cli.pl -ea 220030
    To view list of excluded rules:
    Code:
    ./cwaf-cli.pl -xl
     
  6. verdon

    verdon Well-Known Member

    Code:
    SecRule QUERY_STRING "!@contains =" \
        "id:1,rev:2,chain,msg:'COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)||%{tx.domain}|%{tx.mode}',phase:1,deny,status:403"
    SecRule QUERY_STRING "@rx ^(-(a|b|C|q|T|c|n|d|e|f|h|\?|i|l|m|r|B|R|F|E|S|t|s|v|w|z)|--(interactive|bindpath|no-chdir|no-header|timing|php-ini|no-php-ini|define|profile-info|file|help|usage|info|syntax-check|modules|run|process-begin|process-code|process-file|process-end|server|docroot|syntax-highlight|syntax-highlighting|version|strip|zend-extension|ini|rfunction|rclass|rextension|rzendextension|rextinfo))" \
        "t:'none',t:'urlDecodeUni',t:'trimLeft'"
    
     