You have found cryptic looking filenames in the temporary directory of your server that look similar to the following:
[16:34:22 hostname ~]cPs# ls -lah /tmp | grep "\-file\-"
-rw------- 1 cpanelusername cpanelusername 729K Feb 17 21:31 20210217-213119-YC2LJ21Cnzr-M-YfYf1iSgAAAAw-file-lKin4M
You also find that if you search the ModSecurity logs for part of the filename you can find a matching log:
[16:38:15 hostname ~]cPs# grep -R "YfYf1iSgAAAAw" /etc/apache2/logs/modsec_*
/etc/apache2/logs/modsec_audit.log:domain.tld xxx.xxx.xxx.xxx - - [17/Feb/2021:21:31:21 +0000] "POST /path/to/http/resource HTTP/1.1" 201 7995 "-" "-" YC2LJ21Cnzr-M-YfYf1iSgAAAAw "-" /cpanelusername/20210217/20210217-2131/20210217-213121-YC2LJ21Cnzr-M-YfYf1iSgAAAAw 0 749448 md5:xxxxxxxxxxxxx
Those temporary files are not automatically removed and after accumulating for a while start to take up too much disk space.
When ModSecurity evaluates a file, it has the option to remove the file immediately after the evaluation is complete or leave the file on the server for a Systems Administrator to examine in detail later on.
The directive that controls this behavior is:
ModSecurity Documentation - SecUploadKeepFiles
The options are:
- On - Keep uploaded files.
- Off - Do not keep uploaded files.
- RelevantOnly - This will keep only those files that belong to requests that are deemed relevant.
If you have SecUploadKeepFiles set to On or RelevantOnly, you'll need to come up with a way to handle those files. You could:
- Manually review and delete the files periodically
- Setup tmpwatch to clean the files: How to clean your /tmp directory with tmpwatch
- Create a custom cronjob and script to manage the files: How to edit the root crontab
Otherwise, you could change the SecUploadKeepFiles directive to Off.
In order to change the value, first, determine if the configuration has already been set with the following command:
grep -R "SecUpload" /etc/apache2/
If that command returns a configuration file that was installed by or managed by a plugin or service such as ConfigServer / etc, you should reach out to the creator of the plugin or service to ask for the appropriate way to override their configuration. If you change the configuration without consulting with the creator of the plugin, you may find that your customization is removed later on while you are not expecting it.
Otherwise, you can use the following tutorial to learn how to make edits to your ModSecurity configuration in a way that is compatible with cPanel and won't be overwritten by cPanel:
How to customize the ModSecurity 2 configuration on a cPanel server