The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

v58, EasyApache 4 and modsecurity possibly not working.

Discussion in 'EasyApache' started by Spork Schivago, Jul 26, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    268
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Hi.

    I made the switch to v58 and EasyApache 4 on or around July 23rd, 2016. To this date, /var/log/apache2/modsec_audit.log, /var/log/apache2/modsec_debug.log and the directory /var/log/apache2/modsec_audit are completely empty.

    I also got an e-mail from cPanel saying httpd failed the md5 checksum. Now, some real weird things are happening...

    These are the commands I run:
    Code:
    service httpd stop
    httpd (no pid file) not running
    
    service httpd start
    httpd (pid 815) already running
    httpd starting
    
    service httpd stop
    httpd (no pid file) not running
    
    service httpd restart
    httpd no running, trying to start
    httpd (pid 815) already running
    httpd started
    
    service httpd stop
    httpd (no pid file) not running
    
    ps aux | grep httpd
    root       815    0.0  0.5   196660  12136  ?    Ss   14:44    0:00 /usr/local/apache/bin/httpd -DSSL
    nobody    2064    0.0  0.1   196660   3360  ?    S    15:09    0:00 /usr/local/apache/bin/httpd -DSSL
    nobody    2066    0.0  0.4   803064   9948  ?    Sl   15:09    0:00 /usr/local/apache/bin/httpd -DSSL
    nobody    2074    0.0  0.4   803064   9952  ?    Sl   15:09    0:00 /usr/local/apache/bin/httpd -DSSL
    nobody    2143    0.0  0.4   737528   9888  ?    Sl   15:09    0:00 /usr/local/apache/bin/httpd -DSSL
    
    Any ideas what's going on here?

    I see /etc/init.d/httpd was last updated on Jul 25, 21:35. I see /usr/sbin/httpd was last updated Jul 20, 14:32.

    The sha1sum of /etc/init.d/httpd is:
    fadeaf22499075d38f00ec29040530346b728304

    The sha1sum of /usr/sbin/httpd is:
    a4d00637d576f3d683da3d7cc49a0c69a28712c7
     
  2. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Joined:
    May 2, 2014
    Messages:
    508
    Likes Received:
    64
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Hi,

    Can you run a /scripts/restartsrv_httpd ?

    This should get you back up and running. The /usr/sbin/httpd is the actual Apache binary in EA4.
     
    Spork Schivago likes this.
  3. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    268
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Also,

    From looking at the /etc/init.d/httpd script, I see this:
    Code:
    # the patch to your PID file
    PIDFILE=/usr/local/apache/logs/httpd.pid
    
    However, there is no /usr/local/apache/logs/httpd.pid file.

    The pid file is located at:
    /var/run/apache2/httpd.pid

    When I run ls -la on it:
    Code:
    ls -la /var/run/apache2/httpd.pid
    
    -rw-r--r-- 1 root   root  4 Jul 26  15:09 /var/run/apache2/httpd.pid
    
    To me, it'd make more since for the pid to remain in /var/run/apache2 and the script should be looking for the PID in /var/run/apache2/ not /usr/local/apache/logs.

    So, I guess the fix for that problem (which doesn't seem to be related to the mod_security issue like I thought it might be) would be to either update the script to point to the proper directory or have Apache create the PID in the /usr/local/apache/logs directory.

    Is this a bug on everyone's system or just mine?
     
  4. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    268
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Thank you. This successfully restarted Apache. /usr/local/apache/bin/httpd is a symlink that points to /usr/sbin/httpd, so we're good there I think. The pid file is still located in /var/run/apache/ directory.

    Am I not supposed to run stuff like service httpd status and service httpd restart ? Should I disable that httpd init script all together?

    I'd of thought the /etc/init.d/httpd script would properly handle all the apache stuff. My /etc/init.d/httpd has cPanel stuff in it...
     
    #4 Spork Schivago, Jul 26, 2016
    Last edited by a moderator: Jul 28, 2016
  5. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    268
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    A ticket's been opened for me about the httpd stuff. So back to the mod_security stuff. How come I don't see anything in the modsec logs? Is there a way to verify that modsecurity2 is actually running and the rules are being processed? All modsecurity logs are empty and the audit directory is empty.

    EDIT** We should wait until this httpd stuff is fixed before we look anymore into modsecurity2 not working. It turns out when I went to EasyApache 4, not everything got updated. For example, my /etc/init.d/httpd script is the EasyApache 3 /etc/init.d/httpd script, not the EasyApache 4 /etc/init.d/httpd script.

    This makes me wonder what else didn't get switched. There's a bunch of stuff not right now. cPanel tech support's gonna log in and try to fix me up. Thanks!
     
    #5 Spork Schivago, Jul 26, 2016
    Last edited: Jul 26, 2016
  6. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    268
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Oh man! The OWASP rules weren't installed anymore at all! I had to install them. Hopefully, this isn't happening to everyone who made the switch to EA4 and v58.
     
    brianjking likes this.
  7. brianjking

    brianjking Active Member

    Joined:
    Sep 15, 2009
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    6
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Twitter:
    Code:
    Error:API failure: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd: Syntax error on line 230 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 27 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf: No such file or directory
    • EasyApache 4
    • CentOS 6.8 x86_64
    • cPanel 58 (build 12)
     
  8. brianjking

    brianjking Active Member

    Joined:
    Sep 15, 2009
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    6
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hmm - I'm thinking the same thing has happened to me. Can you tell me how you manually re-installed?

    I'm having this issue: Enabling ModSecurity OWASP Core Rules Generates Error on cPanel 58

    Thanks!
     
  9. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    268
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Hello,

    I believe your problem is something completely different. For me, I just had to log into WHM, go to ModSecurity Vendors and click Install OWASP or whatever it was.

    I noticed I have the file that you're missing, however, when I check to see if the crs ruleset is installed by running:
    Code:
    yum info mod_security_crs
    
    I see the epel repository provides the mod_security_crs. If mod_security_crs was installed on my machine though, it would list the Repo as installed. rpm -qf /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf shows the file doesn't belong to any repository. Stat shows that the file was last changed on 2016-08-02 @ 15:28:28 (3:28PM).

    At around 15:28:28, I had ran /scripts/upcp --cron

    My guess is this is what created the /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf file on my machine.

    To check manually to see if modsec is installed, you could run (as root):
    Code:
    /usr/local/cpanel/scripts/modsec_vendor list
    
    To install the OWASP rules manually, I believe you'd run something like:
    Code:
    /usr/local/cpanel/scripts/modsec_vendor add http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP.yaml
    
    To enable it (if it's not already listed as enabled via the modsec_vendor list command), you could run:
    Code:
    /usr/local/cpanel/scripts/modsec_vendor enable OWASP
    

    You might just want to try running:
    Code:
    /scripts/upcp --force
    
    And see if that fixes it first though. I hope this helps.
     
  10. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    268
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Also, to try and diagnose the problem a bit further, perhaps from an SSH shell, as root, you could run the following commands and tell me the results from each command:
    Code:
    ls -l /etc/apache2/conf.d
    ls -l /etc/apache2/conf.d/modsec_vendor_configs
    ls -l /etc/apache2/conf.d/modsec_vendor_configs/OWASP
    
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you verify if the file referenced in that error message exists on your system? It's located at:

    Code:
    /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
    Also, could you let us know the specific steps you are taking to reproduce the issue? Was this rulset enabled before converting to EasyApache 4?

    Thank you.
     
  12. brianjking

    brianjking Active Member

    Joined:
    Sep 15, 2009
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    6
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Twitter:
    screenshot8-2-1615.03.png

    I checked for the presence of
    Code:
    /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
    and wasn't able to locate the file.

    To reproduce the error I login to WHM as root --> Click on "ModSecurity Vendors" --> Click "ON" for row for OWASP Vendor --> See Error
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  14. brianjking

    brianjking Active Member

    Joined:
    Sep 15, 2009
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    6
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Twitter:
    Thanks... Here's my support ticket #7616863
     
  15. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    268
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Brianjking,

    Perhaps you could keep us updated with the outcome of your problem. I'm a bit interested in knowing what happened and how your issue was fixed.

    Thanks.
     
Loading...

Share This Page