Verify commented out rules paths are correct?

Discussion in 'EasyApache' started by estoresite, Jun 24, 2018.

  1. estoresite

    estoresite Member

    Joined:
    Jun 24, 2018
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Hi, I'm new to the forum and have registered in order to post this question, having spent the last couple of hours combing the cpanel documentation and this forum for an answer without success.

    I migrated my VPS from EasyApache3 to EasyApache4 a couple of hours ago and, during the migration process, I received an email from the system that reads;

    "The EasyApache 4 migration found Apache Include directives in the ModSecurity 2 user configuration file, modsec2.user.conf. To ensure that your web server continues to function correctly, the system commented out these directives. You must review your ModSecurity 2 configuration and verify your Include directive paths."

    When I navigate to "WHM >> Security Center >> Mod Security Tools >> Edit Rules" I find the following;

    ---
    SecDataDir /var/asl/data/msa
    SecAuditLogStorageDir /var/asl/data/audit
    SecTmpDir /tmp
    # Include /opt/mod_security/whitelist.conf
    # Include /opt/mod_security/hg_whitelist.conf
    # Include /opt/mod_security/10_asl_rules.conf
    # Include /opt/mod_security/hg_rules.conf
    ---

    My question is; How do I verify whether or not those commented out rules paths are correct?

    I have not been able to find any instructions/procedure on this forum nor in the cpanel documentation on what I need to do in order to verify the paths are correct, only that I need to manually edit them after verifying that they are correct.

    My server info is:
    • CENTOS 6.9 virtuozzo
    • v70.0.51

    Thanks.
     
    #1 estoresite, Jun 24, 2018
    Last edited by a moderator: Jun 24, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,517
    Likes Received:
    251
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @estoresite

    Welcome to the cPanel forums! The easiest way to determine whether or not those paths are valid is to check via CLI, but I can tell you that, having moved from EA3->EA4, the paths are incorrect; no mod_security includes should be present in /opt/.

    Our documentation on mod_security can be found here: Apache Module: ModSecurity - EasyApache 4 - cPanel Documentation

    The best place to add 3rd party vendors and rulesets would be in the WHM interface at

    WHM>>Security Center>>ModSecurity>>Manage Vendors
    and
    WHM>>Security Center>>ModSecurity Tools>>Rules List -> Add Rule


    Thanks!
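
The CLI check mentioned in the reply above, as an added example that is not part of the thread or cPanel's own tooling: it lists every Include directive in a ModSecurity user configuration, active or commented out, and reports whether the target file exists. The function names are hypothetical and the sample file is constructed from the configuration quoted in the first post; only absolute paths are checked.

```shell
#!/bin/sh
# check_includes CONF -> one line per Include: "STATE STATUS PATH"
#   STATE = active | commented     STATUS = ok | missing
check_includes() {
    awk '
        {
            line = $0; state = "active"
            if (sub(/^[ \t]*#+[ \t]*/, "", line)) {
                state = "commented"
            } else {
                sub(/^[ \t]+/, "", line)
            }
            n = split(line, f, /[ \t]+/)
            d = tolower(f[1])              # directive names are case-insensitive
            if (n >= 2 && (d == "include" || d == "includeoptional")) {
                gsub(/"/, "", f[2])
                if (substr(f[2], 1, 1) == "/") print state, f[2]
            }
        }' "$1" |
    while read -r state path; do
        found=missing
        # Include accepts shell-style wildcards, so let the shell expand them.
        for f in $path; do
            if [ -f "$f" ]; then found=ok; fi
        done
        echo "$state $found $path"
    done
}

# Constructed sample: the layout from the post, rooted in a temp directory.
demo_includes() {
    demo=$(mktemp -d)
    mkdir -p "$demo/opt/mod_security"
    : > "$demo/opt/mod_security/whitelist.conf"    # the only target that exists
    cat > "$demo/modsec2.user.conf" <<EOF
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
# Include $demo/opt/mod_security/whitelist.conf
# Include $demo/opt/mod_security/10_asl_rules.conf
Include "$demo/opt/mod_security/hg_*.conf"
EOF
    check_includes "$demo/modsec2.user.conf" | sed "s|$demo||"
    rm -rf "$demo"
}

demo_includes
```

On a real server, pass the path of the modsec2.user.conf in use; any line reported as missing points at a file that would make Apache fail to start if the directive were uncommented.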
     
  3. estoresite

    estoresite Member

    Thank you for your reply Lauren,

    Yes, I've seen that documentation and read it through, but have not seen anywhere in there "how" to verify the rules paths.

    Maybe I should have re-phrased the question;

    What do I need to change the paths of those rules to, in order to make them compatible with EasyApache4?

    Note: I'm presuming those rules will work once the paths are changed to the correct EasyApache4 paths because otherwise, rather than the provided instructions telling me to simply "verify" the paths, I would expect the instructions to read more like, "the previous EasyApache version's rules and paths are not compatible with EasyApache4 so, do _____________ to re-create the rules with the correct paths".

    You mentioned: WHM>>Security Center>>ModSecurity>>Manage Vendors

    I see a vendor (OWASP ModSecurity Core Rule Set V3.0) there that is not installed.
    Is it safe to assume you are suggesting that I install it?

    ..and will doing so provide me with the answers I'm looking for?

    Thanks again.
     
  4. estoresite

    estoresite Member

    Additionally, I have noticed that "WHM>>Security Center>>ModSecurity>>Manage Vendors >> Hits List" stopped recording hits the moment I upgraded to EasyApache4 so, that leads me to believe that something else still "needs" to be done, with respect to editing the previous rules or, creating new rules to provide the same functions that the previous rules were providing.

    Thanks again.
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hello,


    As I mentioned previously, the path to the old custom rules is invalid. The new path is listed in the EasyApache 4 documentation I linked, though the best way to re-add your custom rules is to add the custom vendor again or re-add the custom rules using the "Add Rule" feature noted in my last response.

    In regard to the hitlist not working, there are a few other threads with that issue as well, and it can be caused by a few things:

    Modsecurity Tools hitlist is empty / not working
    ModSecurity Tools Hits List is empty

    Ultimately you need to ensure that logging is enabled in tweak settings:

    Code:
    root@server# grep skipmodseclog /var/cpanel/cpanel.config
    skipmodseclog=0

    That tailwatchd is properly tracking the modsec logging:

    Code:
    ps aux |grep tailwatchd |grep -v grep |awk '{print $2}' |xargs lsof -p |grep modsec_audit.log

    The correct output should look something like this:

    Code:
    tailwatch 1535 root    4r   REG  253,0  2447131   2393498 /var/log/apache2/modsec_audit.log

    You would also need to ensure that the log location hasn't been changed (it should be at /etc/apache2/logs/modsec_audit.log) and that nolog is not added to any rulesets, for example, this rule:

    Code:
    SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'900017', phase:request, nolog, pass, t:none,t:lowercase, chain"
    

    Thanks!
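
Two of the checks from the reply above as an added example (not part of the thread or cPanel's own tooling): confirming skipmodseclog=0 and finding rules whose action list contains nolog, including rules split across continuation lines. Function names are hypothetical, and the cpanel.config and rules file are constructed samples; the tailwatchd/lsof check needs a live server and is left out.

```shell
#!/bin/sh
# modsec_logging_enabled CPANEL_CONFIG -> exit 0 only when skipmodseclog=0
modsec_logging_enabled() {
    [ "$(sed -n 's/^skipmodseclog=//p' "$1" | tail -n 1)" = "0" ]
}

# find_nolog_rules FILE... -> "FILE:LINE id=ID" for each SecRule/SecAction
# that carries nolog as a whole action (not as part of an operator or word).
find_nolog_rules() {
    awk '
        { if (buf == "") first = FNR; buf = buf $0 }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " ", buf); next }   # join continued lines
        {
            rule = buf; buf = ""
            if (rule !~ /^[ \t]*Sec(Rule|Action)[ \t]/) next   # skips comments too
            # The action list is the last double-quoted string of the directive.
            act = rule; sub(/"[ \t]*$/, "", act); sub(/.*"/, "", act)
            n = split(act, a, ","); id = "?"; hit = 0
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", a[i])
                if (a[i] == "nolog") hit = 1
                if (a[i] ~ /^id:/) { id = a[i]; gsub(/[^0-9]/, "", id) }
            }
            if (hit) print FILENAME ":" first " id=" id
        }' "$@"
}

# Constructed sample input: one commented rule, the rule quoted in the post
# (split over two lines, with a made-up chained rule), and one logging rule.
demo_logging() {
    demo=$(mktemp -d)
    printf 'skipmodseclog=0\n' > "$demo/cpanel.config"
    cat > "$demo/rules.conf" <<'EOF'
# SecRule ARGS "@rx test" "id:'1', nolog, pass"
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "id:'900017', phase:request, nolog, pass, t:none,t:lowercase, chain"
    SecRule REQUEST_METHOD "@streq POST" "t:none"
SecRule ARGS "@rx nolog" "id:'900018', phase:request, log, deny"
EOF
    if modsec_logging_enabled "$demo/cpanel.config"; then
        echo "audit logging: on"
    else
        echo "audit logging: off"
    fi
    find_nolog_rules "$demo/rules.conf" | sed "s|$demo/||"
    rm -rf "$demo"
}

demo_logging
```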
     