Stop EasyApache from updating mod_security database?

Aug 7, 2012
cPanel Access Level
Root Administrator
Hey,

Is it possible to stop EasyApache from updating the mod_security database? My .conf files in /usr/local/apache/conf/modsec_rules get either .cfsaved or .cpbackupX (where X is a number) appended to the end of them.

I'm manually updating Atomicorp's delayed rules, so I don't need EasyApache overwriting them, as they're already compatible with mod_security 2.7.0 and above.

Any assistance would be greatly appreciated :)


Fillip
 
It's fine for EasyApache to update. I use an include line in modsec2user.conf to call the updated ASL rules.

There's some good info on how to set up correctly using Atomic's delayed rules with cPanel over at ModSecurity Rules Updater by Sergio Cabrera.

I use it and it works fine.

Good Luck

Zepp
It's not fine for EasyApache to update them, as it introduces deprecated notices rather than preventing them. EasyApache-converted rules produce "WARNING Using transformations in SecDefaultAction is deprecated" notices for about 4-5 rules.

I'd rather not have to go through a dance of updating my rules after each time I need to recompile Apache+PHP for whatever reason, I want EasyApache to leave my rules alone and let me be responsible for keeping them up to date and free of syntax errors.

Also of good use if you don't already use it.

ConfigServer free ConfigServer ModSecurity Control CMC
We do use that, thanks :)

There were some changes recently that would have done what you describe:
ModSecurity Changes in EasyApache 3.16 - cPanel Forums
Ah, is the solution to move the rules to a non-standard location that EasyApache doesn't see, or will EA always read the rule directory from the configuration files?

Before EA modifies the rules, they work fine. After it modifies them, they produce deprecated notices. This is obviously sub-optimal and any solution to avoid EA from attempting to convert my rules would be appreciated :)
 

cPanelJamyn

Social Engineer
Staff member
Jan 29, 2009
is the solution to move the rules to a non-standard location that EasyApache doesn't see, or will EA always read the rule directory from the configuration files?
EasyApache does parse the mod_security includes for rules, regardless of where they are.

My .conf files in /usr/local/apache/conf/modsec_rules get either .cfsaved or .cpbackupX (where X is a number) appended to the end of them.
As far as I'm aware, cPanel does not create .cfsave files. We do create rolling .cpbackup[0-9] backups for the mod_security rules, though they should not be loaded.

Before EA modifies the rules, they work fine. After it modifies them, they produce deprecated notices.
If you can file a support case, or provide some example rules that are incorrectly modified, we can correct the rule conversion logic. Additionally, an option to leave your rules alone sounds like a good feature request. The reason we don't currently offer that option is because if there are any problems with mod_sec rules, mod_security will exit, taking Apache with it. By leaving known-broken rules in place, we end up with critical failures (Apache down at the end of an EA run).
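
An added example, not part of the thread and not cPanel's or Atomicorp's code: a small audit to run over the rule directory after an EasyApache build. It reports `SecDefaultAction` lines that carry a transformation (the condition named in the warning quoted above) and lists leftover `.cfsaved` / `.cpbackupN` files. The function names and sample rules are constructed for illustration, and it assumes any `t:` action in `SecDefaultAction` triggers the warning.

```shell
#!/bin/sh
# Added example: audit a ModSecurity rule directory before restarting Apache.

# Print "file:line: directive" for each SecDefaultAction that carries a
# transformation (t:...). Backslash-continued lines are joined first and
# commented-out directives are skipped.
# Assumption: any t: action in SecDefaultAction produces the warning.
find_defaultaction_transforms() {
  for f in "$1"/*.conf; do
    [ -f "$f" ] || continue
    awk -v file="$f" '
      {
        if (buf == "") start = FNR            # first line of this directive
        buf = buf $0
        if (buf ~ /\\[ \t]*$/) {              # continued on the next line
          sub(/\\[ \t]*$/, " ", buf); next
        }
        if (buf !~ /^[ \t]*#/ &&
            tolower(buf) ~ /^[ \t]*secdefaultaction[ \t]/ &&
            buf ~ /[^A-Za-z]t:/)
          printf "%s:%d: %s\n", file, start, buf
        buf = ""
      }' "$f"
  done
}

# List the backup copies described in the thread (.cfsaved, .cpbackup<N>).
find_rule_backups() {
  find "$1" -maxdepth 1 -type f \
    \( -name '*.cfsaved' -o -name '*.cpbackup[0-9]*' \) | sort
}

# Constructed sample input (not real Atomicorp or cPanel rule files).
make_sample_rules() {
  d=$(mktemp -d)
  printf '%s\n' '# SecDefaultAction "phase:2,t:none"' \
    'SecDefaultAction "phase:2,deny,log,status:403"' > "$d/10_clean.conf"
  printf '%s\n' 'SecDefaultAction "phase:2,deny,log, \' \
    '    t:lowercase,t:urlDecodeUni"' > "$d/20_converted.conf"
  : > "$d/20_converted.conf.cpbackup1"
  : > "$d/10_clean.conf.cfsaved"
  echo "$d"
}

# Usage: sh audit.sh /usr/local/apache/conf/modsec_rules
if [ "$#" -gt 0 ]; then
  find_defaultaction_transforms "$1"
  find_rule_backups "$1"
fi
```

This covers only the deprecation warning and stray backups; Apache's own syntax check (`httpd -t`) is what catches the fatal rule errors the staff reply describes.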