v58, EasyApache 4 and modsecurity possibly not working.

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Hi.

I made the switch to v58 and EasyApache 4 on or around July 23rd, 2016. To this date, /var/log/apache2/modsec_audit.log, /var/log/apache2/modsec_debug.log and the directory /var/log/apache2/modsec_audit are completely empty.

I also got an e-mail from cPanel saying httpd failed the md5 checksum. Now, some real weird things are happening...

These are the commands I run:
Code:
service httpd stop
httpd (no pid file) not running

service httpd start
httpd (pid 815) already running
httpd starting

service httpd stop
httpd (no pid file) not running

service httpd restart
httpd no running, trying to start
httpd (pid 815) already running
httpd started

service httpd stop
httpd (no pid file) not running

ps aux | grep httpd
root       815    0.0  0.5   196660  12136  ?    Ss   14:44    0:00 /usr/local/apache/bin/httpd -DSSL
nobody    2064    0.0  0.1   196660   3360  ?    S    15:09    0:00 /usr/local/apache/bin/httpd -DSSL
nobody    2066    0.0  0.4   803064   9948  ?    Sl   15:09    0:00 /usr/local/apache/bin/httpd -DSSL
nobody    2074    0.0  0.4   803064   9952  ?    Sl   15:09    0:00 /usr/local/apache/bin/httpd -DSSL
nobody    2143    0.0  0.4   737528   9888  ?    Sl   15:09    0:00 /usr/local/apache/bin/httpd -DSSL
Any ideas what's going on here?

I see /etc/init.d/httpd was last updated on Jul 25, 21:35. I see /usr/sbin/httpd was last updated Jul 20, 14:32.

The sha1sum of /etc/init.d/httpd is:
fadeaf22499075d38f00ec29040530346b728304

The sha1sum of /usr/sbin/httpd is:
a4d00637d576f3d683da3d7cc49a0c69a28712c7
 

Spork Schivago

Also,

From looking at the /etc/init.d/httpd script, I see this:
Code:
# the patch to your PID file
PIDFILE=/usr/local/apache/logs/httpd.pid
However, there is no /usr/local/apache/logs/httpd.pid file.

The pid file is located at:
/var/run/apache2/httpd.pid

When I run ls -la on it:
Code:
ls -la /var/run/apache2/httpd.pid

-rw-r--r-- 1 root   root  4 Jul 26  15:09 /var/run/apache2/httpd.pid
To me, it'd make more sense for the pid to remain in /var/run/apache2 and the script should be looking for the PID in /var/run/apache2/ not /usr/local/apache/logs.

So, I guess the fix for that problem (which doesn't seem to be related to the mod_security issue like I thought it might be) would be to either update the script to point to the proper directory or have Apache create the PID in the /usr/local/apache/logs directory.

Is this a bug on everyone's system or just mine?
 

Spork Schivago

Hi,

Can you run a /scripts/restartsrv_httpd ?

This should get you back up and running. The /usr/sbin/httpd is the actual Apache binary in EA4.
Thank you. This successfully restarted Apache. /usr/local/apache/bin/httpd is a symlink that points to /usr/sbin/httpd, so we're good there I think. The pid file is still located in /var/run/apache/ directory.

Am I not supposed to run stuff like service httpd status and service httpd restart? Should I disable that httpd init script altogether?

I'd have thought the /etc/init.d/httpd script would properly handle all the apache stuff. My /etc/init.d/httpd has cPanel stuff in it...
 

Spork Schivago

A ticket's been opened for me about the httpd stuff. So back to the mod_security stuff. How come I don't see anything in the modsec logs? Is there a way to verify that modsecurity2 is actually running and the rules are being processed? All modsecurity logs are empty and the audit directory is empty.

EDIT** We should wait until this httpd stuff is fixed before we look anymore into modsecurity2 not working. It turns out when I went to EasyApache 4, not everything got updated. For example, my /etc/init.d/httpd script is the EasyApache 3 /etc/init.d/httpd script, not the EasyApache 4 /etc/init.d/httpd script.

This makes me wonder what else didn't get switched. There's a bunch of stuff not right now. cPanel tech support's gonna log in and try to fix me up. Thanks!
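
Added example, not posted by anyone in this thread and not cPanel's code: one way to answer the question above of whether ModSecurity is loaded and why its logs stay empty. It reads saved `httpd -M` output and a single config file; the function names and the sample files are constructed, and Include chains are not followed.

```sh
#!/bin/sh
# Added example. Inputs: $1 = saved output of `httpd -M`, $2 = one ModSecurity
# config file (which file holds these directives is site-specific: an assumption).

# Print the last uncommented value of directive $2 in file $1 (later lines win).
directive_value() {
    awk -v d="$(printf %s "$2" | tr '[:upper:]' '[:lower:]')" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        { n = split(line, f, /[ \t]+/) }
        n >= 2 && tolower(f[1]) == d { v = f[2] }
        END { print v }' "$1" | tr '[:upper:]' '[:lower:]'
}

# Print the reasons the audit/debug logs would stay empty, or "ok".
# An absent directive counts as its ModSecurity 2.x default (Off / level 0).
modsec_diagnose() {
    modules=$1 conf=$2 findings=""
    grep -q 'security2_module' "$modules" || findings="$findings module-not-loaded"
    case $(directive_value "$conf" SecRuleEngine) in
        on|detectiononly) ;;
        *) findings="$findings rule-engine-off" ;;
    esac
    case $(directive_value "$conf" SecAuditEngine) in
        on|relevantonly) ;;
        *) findings="$findings audit-engine-off" ;;
    esac
    level=$(directive_value "$conf" SecDebugLogLevel)
    [ "${level:-0}" -gt 0 ] 2>/dev/null || findings="$findings debug-level-0"
    findings=${findings# }
    printf '%s\n' "${findings:-ok}"
}

# Constructed sample inputs (not taken from the server in this thread).
tmp=$(mktemp -d)
printf ' core_module (static)\n security2_module (shared)\n' > "$tmp/modules.txt"
cat > "$tmp/modsec.conf" <<'EOF'
SecRuleEngine On
# SecAuditEngine RelevantOnly
SecAuditEngine Off
SecAuditLog /var/log/apache2/modsec_audit.log
EOF
modsec_diagnose "$tmp/modules.txt" "$tmp/modsec.conf"
```

With `SecAuditEngine RelevantOnly`, the audit log still stays empty until a transaction triggers a rule or returns a status matched by `SecAuditLogRelevantStatus`.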
 

brianjking

Active Member
Sep 15, 2009
35
1
58
Chicago, IL
cPanel Access Level
Root Administrator
Twitter
Code:
Error:API failure: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd: Syntax error on line 230 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 27 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf: No such file or directory
  • EasyApache 4
  • CentOS 6.8 x86_64
  • cPanel 58 (build 12)
 


Spork Schivago

Hello,

I believe your problem is something completely different. For me, I just had to log into WHM, go to ModSecurity Vendors and click Install OWASP or whatever it was.

I noticed I have the file that you're missing, however, when I check to see if the crs ruleset is installed by running:
Code:
yum info mod_security_crs
I see the epel repository provides the mod_security_crs. If mod_security_crs was installed on my machine though, it would list the Repo as installed. rpm -qf /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf shows the file doesn't belong to any repository. Stat shows that the file was last changed on 2016-08-02 @ 15:28:28 (3:28PM).

At around 15:28:28, I had run /scripts/upcp --cron

My guess is this is what created the /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf file on my machine.

To check manually to see if modsec is installed, you could run (as root):
Code:
/usr/local/cpanel/scripts/modsec_vendor list
To install the OWASP rules manually, I believe you'd run something like:
Code:
/usr/local/cpanel/scripts/modsec_vendor add http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP.yaml
To enable it (if it's not already listed as enabled via the modsec_vendor list command), you could run:
Code:
/usr/local/cpanel/scripts/modsec_vendor enable OWASP

You might just want to try running:
Code:
/scripts/upcp --force
And see if that fixes it first though. I hope this helps.
 

Spork Schivago

Also, to try and diagnose the problem a bit further, perhaps from an SSH shell, as root, you could run the following commands and tell me the results from each command:
Code:
ls -l /etc/apache2/conf.d
ls -l /etc/apache2/conf.d/modsec_vendor_configs
ls -l /etc/apache2/conf.d/modsec_vendor_configs/OWASP
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Error:API failure: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd: Syntax error on line 230 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 27 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf: No such file or directory
Hello,

Could you verify if the file referenced in that error message exists on your system? It's located at:

Code:
/etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
Also, could you let us know the specific steps you are taking to reproduce the issue? Was this ruleset enabled before converting to EasyApache 4?

Thank you.
 

brianjking

Hello,

Could you verify if the file referenced in that error message exists on your system? It's located at:

Code:
/etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
Also, could you let us know the specific steps you are taking to reproduce the issue? Was this ruleset enabled before converting to EasyApache 4?

Thank you.

I checked for the presence of
Code:
/etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
and wasn't able to locate the file.

To reproduce the error I log in to WHM as root --> Click on "ModSecurity Vendors" --> Click "ON" for row for OWASP Vendor --> See Error
 

cPanelMichael

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

HostT

Member
Dec 7, 2010
17
2
53
For anybody reading this, it appears the error is due to the standard OWASP not being installed on the server (as it now shows the v3 version without the standard one).

To fix this, run this line from root on server:
Code:
/usr/local/cpanel/scripts/modsec_vendor add http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP.yaml
That should install the required files that throw the error when trying to add a custom vendor to install the v3 vendor files.
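
Added example, not from any poster or from cPanel: a pre-check for the failure reported in this thread, listing every `Include` target in a config file that does not exist on disk. `missing_includes`, the `/etc/apache2` ServerRoot default and the sample tree are assumptions or constructed.

```sh
#!/bin/sh
# Added example: report Include targets in an Apache config file that are missing.
# $1 = config file; $2 = ServerRoot for relative paths (assumed /etc/apache2).
# Only `Include` is checked; IncludeOptional is skipped on purpose.
missing_includes() {
    conf=$1 root=${2:-/etc/apache2}
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        { n = split(line, f, /[ \t]+/) }
        n >= 2 && tolower(f[1]) == "include" { gsub(/"/, "", f[2]); print NR, f[2] }
    ' "$conf" |
    while read -r lineno target; do
        case $target in
            /*) path=$target ;;
            *)  path=$root/$target ;;
        esac
        set -- $path    # unquoted on purpose so wildcards expand
        [ -e "$1" ] || printf '%s:%s: %s\n' "$conf" "$lineno" "$path"
    done
}

# Constructed sample tree (file names mirror the thread, rooted in a temp directory).
tmp=$(mktemp -d)
mkdir -p "$tmp/conf.d/modsec"
: > "$tmp/conf.d/modsec/present.conf"
cat > "$tmp/conf.d/modsec/modsec2.cpanel.conf" <<EOF
# constructed stand-in for modsec2.cpanel.conf
Include "$tmp/conf.d/modsec/present.conf"
Include "$tmp/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf"
Include conf.d/modsec_vendor_configs/OWASP/*.conf
EOF
missing_includes "$tmp/conf.d/modsec/modsec2.cpanel.conf" "$tmp"
```

Each output line is `file:line: path`, the same file and line that Apache names in its "Could not open configuration file" error.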