WHM ModSecurity Syntax error

Discussion in 'Security' started by postcd, Dec 2, 2014.

  1. postcd

    postcd Well-Known Member

    Hello,
    Please, what is the cause of this error?

    Error: "Syntax error on line 1 of -c/-C directives: SecAction takes one argument, an action list"
    It's reported by WHM ModSecurity Tools.

    It happens on this rule:
    http://forums.cpanel.net/f185/how-b...page-repeated-opening-434572.html#post1782362

    or this rule too:
    Code:
    SecAction phase:1,initcol:ip=%{REMOTE_ADDR},pass
    SecAction phase:1,initcol:user=%{REMOTE_ADDR},pass
    SecRule REQUEST_URI "^/limit_exceeded.php$" \
                "phase:1,pass,ctl:ruleEngine=off"
    SecAction "phase:1,setvar:ip.request_counter=+1,deprecatevar:user.count=1/600"
    SecRule IP:REQUEST_COUNTER "@ge 50" \
                "phase:1,setvar:user.count=+1,setvar:ip.request_counter=0"
    SecRule USER:COUNT "@ge 2" \
                "phase:1,setvar:ip.blocked=1,expirevar:ip.blocked=1800"
    SecRule USER:COUNT "@ge 3" \
                "phase:1,setvar:ip.blocked=1,expirevar:ip.blocked=7200"
    SecRule &IP:BLOCKED "@gt 0" \
                         "phase:1,chain,redirect:/limit_exceeded.php"
    SecRule REQUEST_URI "!^/limit_exceeded.php$"
    Thank you
     
  2. tui

    tui Active Member

    re: WHM ModSecurity Syntax error

    It also happens on this other rule:
    Code:
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
    <Locationmatch "/wp-login.php">
    SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 12 hours, more than 5 login attempts in 3 minutes.'"
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
    SecRule ip:bf_counter "@gt 5" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=43200,setvar:ip.bf_counter=0"
    </locationmatch>
     
  3. tui

    tui Active Member

    No one knows?
     
  4. quizknows

    quizknows Well-Known Member

    If you are adding rules via WHM, this sounds like an error in the new interface. Someone who is experiencing this problem should open a cPanel ticket.
     
  5. tui

    tui Active Member

    Done, Ticket ID: 5782829
     
  6. 24x7ss

    24x7ss Well-Known Member

    ModSecurity is a third-party application and I don't think cPanel will provide support for it. I would suggest you remove ModSecurity from the server, and it's no longer free.
     
  7. quizknows

    quizknows Well-Known Member

    This is horrible advice.

    First of all, while a lot of rule sets aren't free, ModSecurity itself is free and open source, and installed via Easy Apache.

    WHM has always had limited options for working with ModSecurity, which have been expanded in 11.46 and will be expanded again in 11.48.

    Removing ModSecurity from a production webserver is probably worse than removing all of your iptables rules. It's that important. You don't just go turning off your firewall whenever you have an issue with it, do you?
     
  8. 24x7ss

    24x7ss Well-Known Member

    I thought you had used a third-party ModSecurity like Atomic or some other ModSecurity tools; that's why I suggested you remove it. If you are using cPanel ModSecurity then there is no issue with it.

    Regarding the error, I can see that the syntax is correct and there is no error in it.
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I agree with quizknows about the earlier post, and I think this new post is just as bad.

    I've warned you about this already, 24x7ss. This is the last one.

    If you do not have something of value to add to a thread, don't post. It's as easy as that.

     
  10. mywhm

    mywhm Active Member

    Howdy, what happened with Ticket ID: 5782829?
     
  11. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    According to that ticket, using the "Edit Rules" option permitted the rule to be added successfully.

    There's extra syntax checking being done when using the Add Rule option.

    The case auto-closed; no further response from OP.
     
  12. postcd

    postcd Well-Known Member

    Hello,

    I still have this issue when I edit my rule from WHM.
    It says "Syntax error on line 1 of -c/-C directives: SecRule takes"

    When I click in WHM to copy that ModSecurity rule, WHM says:

    Error: A validation error occurred in the attempt to find a new ID for the rule: The rule is invalid. Apache returned the following error: Syntax error on line 1 of -c/-C directives: SecRule takes two or three arguments, rule target, operator and optional action list rule text was: SecRule REQUEST_METHOD "POST" "deny,status:401,id:10,nolog,chain,msg:'wp-login request blocked, no referer'" SecRule &HTTP_REFERER "@eq 0" "chain" SecRule REQUEST_URI "wp-login.php"
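
Added example, not part of any post and not cPanel's code: a small Python check of why the rule text quoted in the error above fails as one directive yet passes when read line by line. It assumes the Add Rule check hands the whole block to Apache as a single -c/-C directive, approximates Apache's argument splitting with `shlex`, and uses made-up function names.

```python
import shlex

# Argument counts as stated in the Apache error messages quoted in this thread.
ARITY = {"SecAction": (1, 1), "SecRule": (2, 3)}

# Rule text from the error message above, laid out one directive per line
# (layout reconstructed for this example).
CHAIN_RULE = '''SecRule REQUEST_METHOD "POST" "deny,status:401,id:10,nolog,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"
'''

# Lines excerpted from the rule in the opening post, including a continuation.
LIMIT_RULE = r'''SecAction phase:1,initcol:ip=%{REMOTE_ADDR},pass
SecRule REQUEST_URI "^/limit_exceeded.php$" \
            "phase:1,pass,ctl:ruleEngine=off"
'''

def logical_lines(block):
    """Join backslash continuations; skip blank lines and <Container> tags."""
    joined = block.replace("\\\n", " ")
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.strip().startswith("<")]

def check(line):
    """Return None if the argument count is acceptable, else an error string."""
    # Whitespace separates arguments, quotes group them (approximation).
    name, *args = shlex.split(line)
    lo, hi = ARITY.get(name, (0, len(args)))
    if lo <= len(args) <= hi:
        return None
    return f"{name}: got {len(args)} arguments, expected {lo}..{hi}"

def check_per_line(block):
    """How a configuration file is read: one directive per logical line."""
    return [e for e in map(check, logical_lines(block)) if e]

def check_collapsed(block):
    """ASSUMPTION: the whole block is validated as one directive line."""
    return check(" ".join(logical_lines(block)))

if __name__ == "__main__":
    for label, block in (("chain rule", CHAIN_RULE), ("limit rule", LIMIT_RULE)):
        print(label, "| per line:", check_per_line(block) or "ok",
              "| collapsed:", check_collapsed(block))
```
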
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  14. postcd

    postcd Well-Known Member

    Thx, ticket opened, and I got notified that this is a known issue and a case is opened for it: #141013

    There is a workaround; go to:
    Home » Security Center » ModSecurity™ Tools, Rules list
    And click the Edit Rules button.
    This will allow editing all rules, and saving changes works there without error.
     
    #14 postcd, Apr 9, 2015
    Last edited by a moderator: Apr 13, 2015
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  16. postcd

    postcd Well-Known Member

    Hello, it has been almost 7 months and WHM still shows that error and does not add the ModSecurity rule. This time I tried to add the rule from https://forums.cpanel.net/threads/prevent-wordpress-brute-force-attacks.387861/#post-1563282

    Error: "The rule is invalid. Apache returned the following error: Syntax error on line 1 of -c/-C directives: SecAction takes one argument, an action list "

    When I go to Edit all rules and add the rule, it then creates some small rules out of it, which I don't think will work?
    Image: http://s20.postimg.org/f87pnhv9n/rule_list.gif (it did not allow me to upload there)

    Michael, can you please take a look? Is that case still open? What to do? Am I doing anything wrong? Thanks
     
  17. quizknows

    quizknows Well-Known Member

    postcd, you probably added the rule right. The way the rules list parses the configuration to display it, it will display several rules. Mine displays as 4 rules through WHM just like yours does, and I know it's working.

    You can test it easily; go to any wordpress login hosted on that server and very quickly submit the wrong password more than 10 times. You should be blocked from wp-login.php by the 11th or 12th try.
     
  18. postcd

    postcd Well-Known Member

    quizknows: thank you for the help, you were right. That rule block really works even if it's (wrongly?) spread across several rules in the WHM ModSecurity interface. My IP really got blocked as you mentioned.
    lfd log:
    lfd[17664]: mod_security (id:5000135) triggered by MYIP
    apache error log:
    ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] ..

    Thank you for sharing nice rules, very useful.
     
  19. quizknows

    quizknows Well-Known Member

    Always glad to help and I am glad it is working for you :)

    Technically each line of that rule is an individual rule (except the last line that expires the blocks over time), but of course they are useless without the others. The display is confusing, but this is a complex rule so I am not surprised it displays this way in WHM.
     
  20. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Internal case number 141013 is scheduled for inclusion in cPanel version 11.50.1.

    Thank you.
     