WHM ModSecurity Syntax error

postcd

Well-Known Member
Oct 22, 2010
717
19
68
Hello,
please what is this error cause?

Error: "Syntax error on line 1 of -c/-C directives: SecAction takes one argument, an action list"
its reported by WHM ModSecurity Tools

it happens on this rule:
http://forums.cpanel.net/f185/how-b...page-repeated-opening-434572.html#post1782362

or this rule too:
Code:
SecAction phase:1,initcol:ip=%{REMOTE_ADDR},pass
SecAction phase:1,initcol:user=%{REMOTE_ADDR},pass
SecRule REQUEST_URI "^/limit_exceeded.php$" \
            "phase:1,pass,ctl:ruleEngine=off"
SecAction "phase:1,setvar:ip.request_counter=+1,deprecatevar:user.count=1/600"
SecRule IP:REQUEST_COUNTER "@ge 50" \
            "phase:1,setvar:user.count=+1,setvar:ip.request_counter=0"
SecRule USER:COUNT "@ge 2" \
            "phase:1,setvar:ip.blocked=1,expirevar:ip.blocked=1800"
SecRule USER:COUNT "@ge 3" \
            "phase:1,setvar:ip.blocked=1,expirevar:ip.blocked=7200"
SecRule &IP:BLOCKED "@gt 0" \
                     "phase:1,chain,redirect:/limit_exceeded.php"
SecRule REQUEST_URI "!^/limit_exceeded.php$"
Thank you
 

tui

Well-Known Member
Jun 15, 2007
92
8
58
Mexico
cPanel Access Level
Root Administrator
re: WHM ModSecurity Syntax error

It also happens on this other rule:
Code:
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 12 hours, more than 5 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 5" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=43200,setvar:ip.bf_counter=0"
</locationmatch>
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
If you are adding rules via WHM this sounds like an error in the new interface. Someone should open a cPanel ticket that is experiencing this problem.
 

24x7ss

Well-Known Member
Sep 30, 2014
272
17
68
India
cPanel Access Level
Root Administrator
Twitter
mod security is third party application and I don't think cpanel will provide support for that. I will suggest you to remove mod security from the server and it's no more free.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
mod security is third party application and I don't think cpanel will provide support for that. I will suggest you to remove mod security from the server and it's no more free.
This is horrible advice.

First of all, while a lot of rule sets aren't free, ModSecurity itself is free and open source, and installed via Easy Apache.

WHM has always had limited options for working with ModSecurity, which have been expanded in 11.46 and will be expanded again in 11.48.

Removing ModSecurity from a production webserver is probably worse than removing all of your iptables rules. It's that important. You don't just go turning off your firewall whenever you have an issue with it, do you?
 

24x7ss

Well-Known Member
Sep 30, 2014
272
17
68
India
cPanel Access Level
Root Administrator
Twitter
I thought you have used 3 party mod security like atomic or some other mod security tools that's why I suggested you to remove it. If you are using cpanel mod security then there is no issue with it.

Regarding the error I can see that syntax is correct and there is no error in it.
 

Infopro

Well-Known Member
May 20, 2003
17,112
513
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
I agree with quizknows about the earlier post, and I think this new post is just as bad.

I've warned you about this already, 24x7ss. This is the last one.

if you do not have something of value to add to a thread, don't post. Its as easy as that.

I thought you have used 3 party mod security like atomic or some other mod security tools that's why I suggested you to remove it. If you are using cpanel mod security then there is no issue with it.

Regarding the error I can see that syntax is correct and there is no error in it.
 

postcd

Well-Known Member
Oct 22, 2010
717
19
68
Hello,

i still have this issue when i edit my rule from WHM
says "Syntax error on line 1 of -c/-C directives: SecRule takes"

when i click in WHM to copy that Mod. Sec. rule, WHM says:

Error: A validation error occurred in the attempt to find a new ID for the rule: The rule is invalid. Apache returned the following error: Syntax error on line 1 of -c/-C directives: SecRule takes two or three arguments, rule target, operator and optional action list rule text was: SecRule REQUEST_METHOD "POST" "deny,status:401,id:10,nolog,chain,msg:'wp-login request blocked, no referer'" SecRule &HTTP_REFERER "@eq 0" "chain" SecRule REQUEST_URI "wp-login.php"
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,216
463
Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

postcd

Well-Known Member
Oct 22, 2010
717
19
68
Thx, ticket opened, and i got notiffied that this is known issue and case is opened for it: #141013

There is workaround, go to:
Home »
Security Center »
ModSecurity™ Tools
Rules list
And click Edit Rules button.
This will allow editting all rules and saving changes works there without error.
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,216
463
I am happy to see the issue was addressed. Thank you for updating us with the outcome.
 

postcd

Well-Known Member
Oct 22, 2010
717
19
68
i got notiffied that this is known issue and case is opened for it: #141013
Hello, it is almost 7 months and WHM still shows that error and do not add Mod Security Rule, this time i tried to add rule from https://forums.cpanel.net/threads/prevent-wordpress-brute-force-attacks.387861/#post-1563282

Error: "The rule is invalid. Apache returned the following error: Syntax error on line 1 of -c/-C directives: SecAction takes one argument, an action list "

When i go to Edit all rules and add rule, it then create some small rules out of it, which i dont think will work?
Image: http://s20.postimg.org/f87pnhv9n/rule_list.gif (it id not allowed me to upload there)



Michael, can You please take a look, is that case still open, what to do? Am i doing anything wrong? thanks
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
postcd, you probably added the rule right. The way the rules list parses the configuration to display it, it will display several rules. Mine displays as 4 rules through WHM just like yours does, and I know it's working.

You can test it easily; go to any wordpress login hosted on that server and very quickly submit the wrong password more than 10 times. You should be blocked from wp-login.php by the 11th or 12th try.
 
  • Like
Reactions: postcd

postcd

Well-Known Member
Oct 22, 2010
717
19
68
quizknows: thank You for help, you were right. That rule block really works even its (wrongly?) spread acros several rules in WHM Mod. Sec. Interface. My IP got really blocked as you mentioned.
lfd log:
lfd[17664]: mod_security (id:5000135) triggered by MYIP
apache error log:
ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] ..

thank you for sharing nice rules, very usefull
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Always glad to help and I am glad it is working for you :)

Techincally each line of that rule is an individual rule (except the last line that expires the blocks over time), but of course they are useless without the others. The display is confusing, but this is a complex rule so I am not surprised it displays this way in WHM.