v58, EasyApache 4 and modsecurity possibly not working.

[Spork Schivago]

Hi.

I made the switch to v58 and EasyApache 4 on or around July 23rd, 2016. To this date, /var/log/apache2/modsec_audit.log, /var/log/apache2/modsec_debug.log and the directory /var/log/apache2/modsec_audit are completely empty.

I also got an e-mail from cPanel saying httpd failed the md5 checksum. Now, some real weird things are happening...

These are the commands I run:

service httpd stop
httpd (no pid file) not running

service httpd start
httpd (pid 815) already running
httpd starting

service httpd stop
httpd (no pid file) not running

service httpd restart
httpd no running, trying to start
httpd (pid 815) already running
httpd started

service httpd stop
httpd (no pid file) not running

ps aux | grep httpd
root       815    0.0  0.5   196660  12136  ?    Ss   14:44    0:00 /usr/local/apache/bin/httpd -DSSL
nobody    2064    0.0  0.1   196660   3360  ?    S    15:09    0:00 /usr/local/apache/bin/httpd -DSSL
nobody    2066    0.0  0.4   803064   9948  ?    Sl   15:09    0:00 /usr/local/apache/bin/httpd -DSSL
nobody    2074    0.0  0.4   803064   9952  ?    Sl   15:09    0:00 /usr/local/apache/bin/httpd -DSSL
nobody    2143    0.0  0.4   737528   9888  ?    Sl   15:09    0:00 /usr/local/apache/bin/httpd -DSSL

Any ideas what's going on here?

I see /etc/init.d/httpd was last updated on Jul 25, 21:35. I see /usr/sbin/httpd was last updated Jul 20, 14:32.

The sha1sum of /etc/init.d/httpd is:
fadeaf22499075d38f00ec29040530346b728304

The sha1sum of /usr/sbin/httpd is:
a4d00637d576f3d683da3d7cc49a0c69a28712c7

 

[JacobPerkins]

Hi,

Can you run a /scripts/restartsrv_httpd ?

This should get you back up and running. The /usr/sbin/httpd is the actual Apache binary in EA4.

 

[Spork Schivago]

Also,

From looking at the /etc/init.d/httpd script, I see this:

# the patch to your PID file
PIDFILE=/usr/local/apache/logs/httpd.pid

However, there is no /usr/local/apache/logs/httpd.pid file.

The pid file is located at:
/var/run/apache2/httpd.pid

When I run ls -la on it:

ls -la /var/run/apache2/httpd.pid

-rw-r--r-- 1 root   root  4 Jul 26  15:09 /var/run/apache2/httpd.pid

To me, it'd make more since for the pid to remain in /var/run/apache2 and the script should be looking for the PID in /var/run/apache2/ not /usr/local/apache/logs.

So, I guess the fix for that problem (which doesn't seem to be related to the mod_security issue like I thought it might be) would be to either update the script to point to the proper directory or have Apache create the PID in the /usr/local/apache/logs directory.

Is this a bug on everyone's system or just mine?

 

[Spork Schivago]

Hi,

Can you run a /scripts/restartsrv_httpd ?

This should get you back up and running. The /usr/sbin/httpd is the actual Apache binary in EA4.

Thank you. This successfully restarted Apache. /usr/local/apache/bin/httpd is a symlink that points to /usr/sbin/httpd, so we're good there I think. The pid file is still located in /var/run/apache/ directory.

Am I not supposed to run stuff like service httpd status and service httpd restart ? Should I disable that httpd init script all together?

I'd of thought the /etc/init.d/httpd script would properly handle all the apache stuff. My /etc/init.d/httpd has cPanel stuff in it...

 

[Spork Schivago]

A ticket's been opened for me about the httpd stuff. So back to the mod_security stuff. How come I don't see anything in the modsec logs? Is there a way to verify that modsecurity2 is actually running and the rules are being processed? All modsecurity logs are empty and the audit directory is empty.

EDIT** We should wait until this httpd stuff is fixed before we look anymore into modsecurity2 not working. It turns out when I went to EasyApache 4, not everything got updated. For example, my /etc/init.d/httpd script is the EasyApache 3 /etc/init.d/httpd script, not the EasyApache 4 /etc/init.d/httpd script.

This makes me wonder what else didn't get switched. There's a bunch of stuff not right now. cPanel tech support's gonna log in and try to fix me up. Thanks!

 

[Spork Schivago]

Oh man! The OWASP rules weren't installed anymore at all! I had to install them. Hopefully, this isn't happening to everyone who made the switch to EA4 and v58.

 

[brianjking]

Error:API failure: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd: Syntax error on line 230 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 27 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf: No such file or directory

• EasyApache 4
• CentOS 6.8 x86_64
• cPanel 58 (build 12)

 

[brianjking]

Oh man! The OWASP rules weren't installed anymore at all! I had to install them. Hopefully, this isn't happening to everyone who made the switch to EA4 and v58.

Hmm - I'm thinking the same thing has happened to me. Can you tell me how you manually re-installed?

I'm having this issue: Enabling ModSecurity OWASP Core Rules Generates Error on cPanel 58

Thanks!

 

[Spork Schivago]

Hello,

I believe your problem is something completely different. For me, I just had to log into WHM, go to ModSecurity Vendors and click Install OWASP or whatever it was.

I noticed I have the file that you're missing, however, when I check to see if the crs ruleset is installed by running:

yum info mod_security_crs

I see the epel repository provides the mod_security_crs. If mod_security_crs was installed on my machine though, it would list the Repo as installed. rpm -qf /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf shows the file doesn't belong to any repository. Stat shows that the file was last changed on 2016-08-02 @ 15:28:28 (3:28PM).

At around 15:28:28, I had ran /scripts/upcp --cron

My guess is this is what created the /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf file on my machine.

To check manually to see if modsec is installed, you could run (as root):

/usr/local/cpanel/scripts/modsec_vendor list

To install the OWASP rules manually, I believe you'd run something like:

/usr/local/cpanel/scripts/modsec_vendor add http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP.yaml

To enable it (if it's not already listed as enabled via the modsec_vendor list command), you could run:

/usr/local/cpanel/scripts/modsec_vendor enable OWASP

You might just want to try running:

/scripts/upcp --force

And see if that fixes it first though. I hope this helps.

 

[Spork Schivago]

Also, to try and diagnose the problem a bit further, perhaps from an SSH shell, as root, you could run the following commands and tell me the results from each command:

ls -l /etc/apache2/conf.d
ls -l /etc/apache2/conf.d/modsec_vendor_configs
ls -l /etc/apache2/conf.d/modsec_vendor_configs/OWASP

 

[cPanelMichael]

Error:API failure: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd: Syntax error on line 230 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 27 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf: No such file or directory

Hello,

Could you verify if the file referenced in that error message exists on your system? It's located at:

/etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf

Also, could you let us know the specific steps you are taking to reproduce the issue? Was this rulset enabled before converting to EasyApache 4?

Thank you.

 

[brianjking]

Hello,

Could you verify if the file referenced in that error message exists on your system? It's located at:

/etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf

Also, could you let us know the specific steps you are taking to reproduce the issue? Was this rulset enabled before converting to EasyApache 4?

Thank you.

I checked for the presence of

/etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf

and wasn't able to locate the file.

To reproduce the error I login to WHM as root --> Click on "ModSecurity Vendors" --> Click "ON" for row for OWASP Vendor --> See Error

 

[cPanelMichael]

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[brianjking]

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

Thanks... Here's my support ticket #7616863

 

[Spork Schivago]

Brianjking,

Perhaps you could keep us updated with the outcome of your problem. I'm a bit interested in knowing what happened and how your issue was fixed.

Thanks.

 

[HostT]

For anybody reading this, it appears the error is due to the standard OWASP not being installed on the server (as it now shows the v3 version without the standard one).

To fix this, run this line from root on server:

/usr/local/cpanel/scripts/modsec_vendor add http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP.yaml

That should install the required files that throw the error when trying to add a custom vendor to install the v3 vendor files