WHM ModSecurity Syntax error

[postcd]

Hello,
please what is this error cause?

Error: "Syntax error on line 1 of -c/-C directives: SecAction takes one argument, an action list"
its reported by WHM ModSecurity Tools

it happens on this rule:
http://forums.cpanel.net/f185/how-b...page-repeated-opening-434572.html#post1782362

or this rule too:

SecAction phase:1,initcol:ip=%{REMOTE_ADDR},pass
SecAction phase:1,initcol:user=%{REMOTE_ADDR},pass
SecRule REQUEST_URI "^/limit_exceeded.php$" \
            "phase:1,pass,ctl:ruleEngine=off"
SecAction "phase:1,setvar:ip.request_counter=+1,deprecatevar:user.count=1/600"
SecRule IP:REQUEST_COUNTER "@ge 50" \
            "phase:1,setvar:user.count=+1,setvar:ip.request_counter=0"
SecRule USER:COUNT "@ge 2" \
            "phase:1,setvar:ip.blocked=1,expirevar:ip.blocked=1800"
SecRule USER:COUNT "@ge 3" \
            "phase:1,setvar:ip.blocked=1,expirevar:ip.blocked=7200"
SecRule &IP:BLOCKED "@gt 0" \
                     "phase:1,chain,redirect:/limit_exceeded.php"
SecRule REQUEST_URI "!^/limit_exceeded.php$"

Thank you

 

[tui]

re: WHM ModSecurity Syntax error

It also happens on this other rule:

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 12 hours, more than 5 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 5" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=43200,setvar:ip.bf_counter=0"
</locationmatch>

 

[tui]

No one knows ?

 

[quizknows]

If you are adding rules via WHM this sounds like an error in the new interface. Someone should open a cPanel ticket that is experiencing this problem.

 

[tui]

Done, Ticket ID: 5782829

 

[24x7ss]

mod security is third party application and I don't think cpanel will provide support for that. I will suggest you to remove mod security from the server and it's no more free.

 

[quizknows]

mod security is third party application and I don't think cpanel will provide support for that. I will suggest you to remove mod security from the server and it's no more free.

This is horrible advice.

First of all, while a lot of rule sets aren't free, ModSecurity itself is free and open source, and installed via Easy Apache.

WHM has always had limited options for working with ModSecurity, which have been expanded in 11.46 and will be expanded again in 11.48.

Removing ModSecurity from a production webserver is probably worse than removing all of your iptables rules. It's that important. You don't just go turning off your firewall whenever you have an issue with it, do you?

 

[24x7ss]

I thought you have used 3 party mod security like atomic or some other mod security tools that's why I suggested you to remove it. If you are using cpanel mod security then there is no issue with it.

Regarding the error I can see that syntax is correct and there is no error in it.

 

[Infopro]

I agree with quizknows about the earlier post, and I think this new post is just as bad.

I've warned you about this already, 24x7ss. This is the last one.

if you do not have something of value to add to a thread, don't post. Its as easy as that.

I thought you have used 3 party mod security like atomic or some other mod security tools that's why I suggested you to remove it. If you are using cpanel mod security then there is no issue with it.

Regarding the error I can see that syntax is correct and there is no error in it.

 

[mywhm]

Howdy, what happened with Ticket ID: 5782829 ?

 

[Infopro]

According to that ticket, Using the "Edit Rules" option, permitted the rule to be added successfully.

There's extra syntax checking being done when using the Add Rule option.

The case auto closed, no further response from OP.

 

[postcd]

Hello,

i still have this issue when i edit my rule from WHM
says "Syntax error on line 1 of -c/-C directives: SecRule takes"

when i click in WHM to copy that Mod. Sec. rule, WHM says:

Error: A validation error occurred in the attempt to find a new ID for the rule: The rule is invalid. Apache returned the following error: Syntax error on line 1 of -c/-C directives: SecRule takes two or three arguments, rule target, operator and optional action list rule text was: SecRule REQUEST_METHOD "POST" "deny,status:401,id:10,nolog,chain,msg:'wp-login request blocked, no referer'" SecRule &HTTP_REFERER "@eq 0" "chain" SecRule REQUEST_URI "wp-login.php"

 

[cPanelMichael]

Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[postcd]

Thx, ticket opened, and i got notiffied that this is known issue and case is opened for it: #141013

There is workaround, go to:
Home »
Security Center »
ModSecurity™ Tools
Rules list
And click Edit Rules button.
This will allow editting all rules and saving changes works there without error.

 

[cPanelMichael]

I am happy to see the issue was addressed. Thank you for updating us with the outcome.

 

[postcd]

i got notiffied that this is known issue and case is opened for it: #141013

Hello, it is almost 7 months and WHM still shows that error and do not add Mod Security Rule, this time i tried to add rule from https://forums.cpanel.net/threads/prevent-wordpress-brute-force-attacks.387861/#post-1563282

Error: "The rule is invalid. Apache returned the following error: Syntax error on line 1 of -c/-C directives: SecAction takes one argument, an action list "

When i go to Edit all rules and add rule, it then create some small rules out of it, which i dont think will work?
Image: http://s20.postimg.org/f87pnhv9n/rule_list.gif (it id not allowed me to upload there)

Michael, can You please take a look, is that case still open, what to do? Am i doing anything wrong? thanks

 

[quizknows]

postcd, you probably added the rule right. The way the rules list parses the configuration to display it, it will display several rules. Mine displays as 4 rules through WHM just like yours does, and I know it's working.

You can test it easily; go to any wordpress login hosted on that server and very quickly submit the wrong password more than 10 times. You should be blocked from wp-login.php by the 11th or 12th try.

 

[postcd]

quizknows: thank You for help, you were right. That rule block really works even its (wrongly?) spread acros several rules in WHM Mod. Sec. Interface. My IP got really blocked as you mentioned.
lfd log:
lfd[17664]: mod_security (id:5000135) triggered by MYIP
apache error log:
ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] ..

thank you for sharing nice rules, very usefull

 

[quizknows]

Always glad to help and I am glad it is working for you

Techincally each line of that rule is an individual rule (except the last line that expires the blocks over time), but of course they are useless without the others. The display is confusing, but this is a complex rule so I am not surprised it displays this way in WHM.

 

[cPanelMichael]

can You please take a look, is that case still open

Hello

Internal case number 141013 is scheduled for inclusion in cPanel version 11.50.1.

Thank you.