The Community Forums


Stop EasyApache from updating mod_security database?

Discussion in 'EasyApache' started by DragonByte Tech, Feb 1, 2013.

  1. DragonByte Tech

    Hey,

    Is it possible to stop EasyApache from updating the mod_security database? My .conf files in /usr/local/apache/conf/modsec_rules get either .cfsaved or .cpbackupX (where X is a number) appended to the end of them.

    I'm manually updating Atomicorp's delayed rules, so I don't need EasyApache overwriting them, as they're already compatible with mod_security 2.7.0 and above.

    Any assistance would be greatly appreciated :)


    Fillip
     
  2. Zepplin

    Zepplin Well-Known Member

    It's fine for EasyApache to update; I use an include line in modsec2user.conf to call the updated ASL rules.

    There's some good info on how to set up correctly using Atomic's delayed rules with cPanel over at ModSecurity Rules Updater by Sergio Cabrera.

    I use it and it works fine.

    Good Luck

    Zepp
     
  3. Zepplin

    Zepplin Well-Known Member

  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  5. DragonByte Tech

    It's not fine for EasyApache to update them, as it introduces deprecated notices rather than preventing them. EasyApache-converted rules produce "WARNING Using transformations in SecDefaultAction is deprecated" notices for about 4-5 rules.

    I'd rather not have to go through a dance of updating my rules each time I need to recompile Apache+PHP for whatever reason; I want EasyApache to leave my rules alone and let me be responsible for keeping them up to date and free of syntax errors.

    We do use that, thanks :)

    Ah, is the solution to move the rules to a non-standard location that EasyApache doesn't see, or will EA always read the rule directory from the configuration files?

    Before EA modifies the rules, they work fine. After it modifies them, they produce deprecated notices. This is obviously sub-optimal, and any solution to keep EA from attempting to convert my rules would be appreciated :)
     
  6. cPanelJamyn

    cPanelJamyn Social Engineer
    Staff Member

    EasyApache does parse the mod_security includes for rules, regardless of where they are.

    As far as I'm aware, cPanel does not create .cfsave files. We do create rolling .cpbackup[0-9] backups for the mod_security rules, though they should not be loaded.

    If you can file a support case, or provide some example rules that are incorrectly modified, we can correct the rule conversion logic. Additionally, an option to leave your rules alone sounds like a good feature request. The reason we don't currently offer that option is because if there are any problems with mod_sec rules, mod_security will exit, taking Apache with it. By leaving known-broken rules in place, we end up with critical failures (Apache down at the end of an EA run).
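
To collect the example rules requested above, an administrator can scan a rule file for the directives behind the "Using transformations in SecDefaultAction is deprecated" notice. This is an added example, not part of the thread and not cPanel's or Atomicorp's code; the function names and the sample rule file are constructed for illustration.

```python
import re

# Matches a t:<name> transformation inside an action list (t:none, t:lowercase, ...).
TRANSFORM = re.compile(r"\bt:([A-Za-z0-9_]+)")

def logical_lines(text):
    """Yield (first_line_number, joined_text), folding backslash continuations."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()

def find_deprecated_defaults(text):
    """Return [(line_number, [transformations])] for every SecDefaultAction
    directive whose action list carries t: transformations."""
    hits = []
    for num, line in logical_lines(text):
        if line.startswith("#"):          # commented-out directives are ignored
            continue
        parts = line.split(None, 1)
        # Apache directive names are case-insensitive.
        if len(parts) == 2 and parts[0].lower() == "secdefaultaction":
            found = TRANSFORM.findall(parts[1])
            if found:
                hits.append((num, found))
    return hits

# Constructed sample rule file, not taken from the thread.
SAMPLE = '''\
# SecDefaultAction "phase:1,t:none"
SecDefaultAction "phase:2,deny,log,status:403"
SecDefaultAction "phase:2,deny,log,\\
    t:lowercase,t:urlDecodeUni"
SecRule ARGS "@contains test" "id:900001,phase:2,t:lowercase,deny"
'''

if __name__ == "__main__":
    for num, found in find_deprecated_defaults(SAMPLE):
        print(f"line {num}: SecDefaultAction uses {', '.join('t:' + t for t in found)}")
```

Comparing the output for each included .conf file before and after an EasyApache run shows which SecDefaultAction lines changed.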
     