CPanel Modsecurity does not work

copernic2006 · **Posted:** Sat Dec 01, 2012 3:36 pm

Hello,
Modsecurity does not work on my server, I encounter this problem several times since the update to asl (version 3.2), Honestly, this problem has already been solved by the Support asl, but it reappeared today.

asl-s-f returns me the following error:

[Sat Dec 01 20:22:22 2012] [warn] module sed_module is already loaded, skipping
[Sat Dec 01 20:22:22 2012] [warn] module security2_module is already loaded, skipping
Syntax error on line 38 of /usr/local/apache/modsecurity.d/00_asl_x_searchengines.conf:
ModSecurity: Found another rule with the same id

All help is welcome and especially users asl 3.2 with cpanel

mikeshinn · **Posted:** Sat Dec 01, 2012 3:53 pm

Quote:

ModSecurity: Found another rule with the same id

https://www.atomicorp.com/wiki/index.ph ... he_same_id

So that means your rules are being loaded twice. Have you enabled or installed modsecurity from easyapache, or setup modsecurity manually or via some other tool in the past (Configserver modsec tools, etc.)?

copernic2006 · **Posted:** Sat Dec 01, 2012 4:07 pm

Hello Mike,
Thank you for your response
No, modsecurity is no longer installed, ConfigServer modsec is not installed on my server.
At the beginning, modescurity was installed but not configured, no rules, the update to asl 3.2 has completely removed from the server.
I hesitate to rebuild apache, it will break every time (since update ASL 3.2)
Can you please help me?

mikeshinn · **Posted:** Sat Dec 01, 2012 4:17 pm

easyapache causes apache to break? Whats the error that occurs during the easyapache build? You may want to ask Cpanel to look into this as well if easyapache is causing the apache build to fail.

Normally I would tell you to do just that, but if easyapache isnt working you'll definitely want cpanel to take a look at what is wrong with easyapache. We, and Cpanel, will definitely need to know the error from the build, so if you can run a build, please send us the output of these commands:

yum clean all
asl -v
aum -uf
/scripts/easyapache --build
asl -s -f

Also, do you have any third party add ons to cpanel installed? Some of those do not use easyapaches pre and post scripts correctly, and will definitely break apache builds if any other products are installed with cpanel. We follow cpanels standards, but I know some cpanel third party addons do not, and break easyapache.

copernic2006 · **Posted:** Sat Dec 01, 2012 4:35 pm

I already had this problem and effectively cpanel fixed the problem (November 27, 2012)
Here is the answer I got:

Quote:

This issue was initially cause by mod_security settings for a single user. We commented out that whole file.
/usr/local/apache/conf/userdata/std/2/username/domain.com/modsec.conf

Then a custom mod_security conf file caused easyapache to fail so we commented out the whole file again.
/etc/httpd/conf.d/00_mod_security.conf

After this mod_evasive caused easyapache to fail so we renamed the conf file to .bak and replaced it with an empty file.
[root@alger ~]# mv /etc/httpd/conf.d/mod_evasive.conf /etc/httpd/conf.d/mod_evasive.conf.bak
[root@alger ~]# touch /etc/httpd/conf.d/mod_evasive.conf

This allowed us to get easyapache to run without any errors. As we do not assist in troubleshooting custom files you or your server administrator will need to look into these issues if you wish to still use them.

Also another isssue fixed by cpanel (November 29, 2012):

Quote:

The first problem you have is a corrupted httpd.conf; as described in the error message you posted, there is an extra </Directory> directive in the file.
Attempting to rebuild your config with /scripts/rebuildhttpdconf exposes another error:

Syntax error on line 38 of /usr/local/apache/modsecurity.d/00_asl_x_searchengines.conf:
ModSecurity: Found another rule with the same id

The rule on line 38 has an ID of 318744.

Commenting out the modsecurity.d/* rules you have included in modsec2.conf allows /scripts/rebuildhttpdconf to complete successfully; you now have a valid httpd.conf file and apache is running normally.

You will want to address any rule conflicts in /usr/local/apache/modsecurity.d/*.conf before uncommenting them again in /usr/local/apache/conf/modsec2.conf

To be honest, I really need your help to permanently fix this problem, because since I did the update to 3.2, my server suffered hugely problem (the previous version asl worked perfectly).

copernic2006 · **Posted:** Sat Dec 01, 2012 7:05 pm

Hello,
Can you please tell me where asl stores configuration files and directories?
I find the following files:
00_mod_security.conf
folder modsecurty.d
modules folder (mod_security2.so, mod_sed.so, mod_evasive20.so) `
conf.d folder

in the directory /etc/httpd and also in usr/local/apache?

srpurdy · **Posted:** Sun Dec 02, 2012 4:13 am

If it helps any,

I found Easyapache right now with ASL 3.2 doesn't actually install mod_security at all. I always have to goto my archived backup of my last apache install and copy over the mod_security.so file.

I also had these errors with mod_sed, because I didn't have mod_sed installed at all. So I just commented that file, but it seems like the ASL post and pre scripts don't do anything from what I can tell during an easyapache build.

Also I'm assuming this is ASL related cause I can't seem to find where this happens, and I have another cPanel server without ASL and this doesn't happen on it. but a file is created here.
/var/cpanel/templates/apache2/main.local

and there is an extra /conf.d/* in there at the top of the file, and that is creating a duel loading of rule sets. I always have to make sure this is commented out and it keeps getting replaced with the "broken" version that has that line in there. This also seems to happen only after an ASL update. or maybe it's generated after ASL -s -f is run not sure really, but I haven't been able to figure out where this file is coming from as deleting it doesn't help. Since it's only a custom template file deleting it is not a big deal, but it re-creates itself somehow, and this file is "custom" so it doesn't come with cPanel normally.

All I know is the primary main.default on a normal cPanel install does not have the /conf.d/* on the top and on my ASL it does. Later down the configuration after the comments there is already a conf.d/* that cPanel generates. So the first one is not needed.

For example the first line, and last line. on normal cPanel install neither conf.d/*.conf are there actually now that I look.

Code:

#Include /etc/httpd/conf.d/*.conf
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#   Direct modifications to the Apache configuration file may be lost upon subsequent regeneration of the       #
#   configuration file. To have modifications retained, all modifications must be checked into the              #
#   configuration system by running:                                                                            #
#       /usr/local/cpanel/bin/apache_conf_distiller --update                                                    #
#   To see if your changes will be conserved, regenerate the Apache configuration file by running:              #
#       /usr/local/cpanel/bin/build_apache_conf                                                                 #
#   and check the configuration file for your alterations. If your changes have been ignored, then they will    #
#   need to be added directly to their respective template files.                                               #
#                                                                                                               #
#   It is also possible to add custom directives to the various "Include" files loaded by this httpd.conf       #
#   For detailed instructions on using Include files and the apache_conf_distiller with the new configuration   #
#   system refer to the documentation at: http://www.cpanel.net/support/docs/ea/ea3/customdirectives.html       #
#                                                                                                               #
#   This configuration file was built from the following templates:                                             #
#     /var/cpanel/templates/apache2/main.default                                                                #
#     /var/cpanel/templates/apache2/main.local                                                                  #
#     /var/cpanel/templates/apache2/vhost.default                                                               #
#     /var/cpanel/templates/apache2/vhost.local                                                                 #
#     /var/cpanel/templates/apache2/ssl_vhost.default                                                           #
#     /var/cpanel/templates/apache2/ssl_vhost.local                                                             #
#                                                                                                               #
#  Templates with the '.local' extension will be preferred over templates with the '.default' extension.        #
#  The only template updated by the apache_conf_distiller is main.default.                                      #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #


Include "/usr/local/apache/conf/includes/pre_main_global.conf"
Include "/usr/local/apache/conf/includes/pre_main_2.conf"



LoadModule qos_module modules/mod_qos.so
LoadModule bw_module modules/mod_bw.so
LoadModule bwlimited_module modules/mod_bwlimited.so
LoadModule fastinclude_module modules/mod_fastinclude.so




Include /etc/httpd/conf.d/*.conf

So I'm not sure why I have two of them. The only reason I choose to comment on the first one and not the last one, is I can't seem to find where it's getting put in. I have code in that location in the main.local file.
[% FOREACH dir IN main.include.items -%]
Include [% dir.include %]
[% END -%]

if I remove that code it removes 4 lines of include statements including the *.conf so the other 3 are needed.

for example this is starting from the last line from the above.

Code:

Include /etc/httpd/conf.d/*.conf
Include "/usr/local/apache/conf/mod_bandwidth.conf"
Include "/usr/local/apache/conf/php.conf"
Include "/usr/local/apache/conf/includes/errordocument.conf"

So that foreach loop is getting those 4 lines from somewhere just not sure where.

wrender · **Posted:** Wed Dec 05, 2012 8:54 pm

I had the same issue on my system. It was reporting:

Code:

httpd: Syntax error on line 1 of /usr/local/apache/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/000_mod_sed.conf: Cannot load /usr/local/apache/modules/mod_sed.so into server: /usr/local/apache/modules/mod_sed.so: cannot open shared object file: No such file or directory

I commented out the mod_sed.so loading line in /etc/httpd/conf.d/000_mod_sed.conf, and then re-ran "/var/asl/bin/asl -s -f". After this mod security with ASL started working agian.

I was able to verify this by typing: "wget http://localhost/foo.php?foo=http://www.example.com", and it responded with Error 403 as expected if mod security is loaded properly.

jbourque · **Joined:** Thu Jul 15, 2010 9:42 am **Posts:** 27

Mike,

I'm having the same issue with 3.2 I can't seem to locate the other instance of Modsecurity that is causing this conflict. So I'm unable to restart apache without completely disabling modsecurity

So I found more rules in /var/asl/rules/modsec however I don't know what's calling those rules is it required or not?

I believe the correct rules are in /usr/local/apache/modsecurity.d correct?

jbourque · **Joined:** Thu Jul 15, 2010 9:42 am **Posts:** 27

I just tried to rerun easy apache without mod security and now I get the following

/scripts/preeasyapache: line 5: /var/asl/data/templates/template-cpanel-posteasyapache-hook: No such file or directory
/scripts/preeasyapache: line 6: /var/asl/data/templates/template-cpanel-posteasyapache-hook: No such file or directory
/scripts/preeasyapache: line 7: /var/asl/data/templates/template-cpanel-posteasyapache-hook: No such file or directory
/scripts/preeasyapache: line 8: /var/asl/data/templates/template-cpanel-posteasyapache-hook: No such file or directory
/scripts/preeasyapache: line 9: /var/asl/data/templates/template-cpanel-posteasyapache-hook: No such file or directory
/scripts/preeasyapache: line 10: /var/asl/data/templates/template-cpanel-posteasyapache-hook: No such file or directory
/scripts/preeasyapache: line 11: /var/asl/data/templates/template-cpanel-posteasyapache-hook: No such file or directory

copernic2006 · **Posted:** Thu Jan 10, 2013 2:29 pm

Hello,
I think this thread will help you since it discusses the same issue:
https://atomicorp.com/forums/viewtopic.php?f=3&t=6484

jbourque · **Joined:** Thu Jul 15, 2010 9:42 am **Posts:** 27

Thanks for that tip I see the reference.

Have you had any problems with the duplicate rules and mod security?

Joe

copernic2006 · **Posted:** Thu Jan 10, 2013 3:05 pm

Yes, I had this problem, I asked a cpanel which helped me to solve the problem.
Apparently, they found the corrupted file which prevented apache to rebuild.
But first, check that modsecurity is not selected when compiling apache.

jbourque · **Joined:** Thu Jul 15, 2010 9:42 am **Posts:** 27

So I was able to rebuild apache by removing the references however it does not appear mod security is working I run the following and I get 404 instead of 403 http:///mysite.com/foo.php?foo=http://www.example.com

mikeshinn · **Posted:** Thu Jan 10, 2013 4:07 pm

Whats the output of the upgrade process:

Step 1)

/var/asl/bin/aum -uf

Step 2)

service ossec-hids restart

Step 3) (Cpanel Only)

/scripts/easyapache --build

Step 4)

/var/asl/bin/asl -s -f

CPanel Modsecurity does not work

Who is online