Skip to main content

ModSecurity is saving files to the SecUploadDir or SecTmpDir locations on my server but is not removing them which is taking up a large amount of disk space

Austin Lowery
  • Updated

Symptoms

 

You have found cryptic looking filenames in the temporary directory of your server that look similar to the following:

[16:34:22 hostname ~]cPs# ls -lah /tmp | grep "\-file\-"
-rw------- 1 cpanelusername cpanelusername 729K Feb 17 21:31 20210217-213119-YC2LJ21Cnzr-M-YfYf1iSgAAAAw-file-lKin4M

 

You also find that if you search the ModSecurity logs for part of the filename you can find a matching log:

[16:38:15 hostname ~]cPs# grep -R "YfYf1iSgAAAAw" /etc/apache2/logs/modsec_*
/etc/apache2/logs/modsec_audit.log:domain.tld xxx.xxx.xxx.xxx - - [17/Feb/2021:21:31:21 +0000] "POST /path/to/http/resource HTTP/1.1" 201 7995 "-" "-" YC2LJ21Cnzr-M-YfYf1iSgAAAAw "-" /cpanelusername/20210217/20210217-2131/20210217-213121-YC2LJ21Cnzr-M-YfYf1iSgAAAAw 0 749448 md5:xxxxxxxxxxxxx

 

Those temporary files are not automatically removed and after accumulating for a while start to take up too much disk space.

 

Description 

 

When ModSecurity evaluates a file, it has the option to remove the file immediately after the evaluation is complete or leave the file on the server for a Systems Administrator to examine in detail later on.

 

The directive that controls this behavior is:

ModSecurity Documentation  - SecUploadKeepFiles

 

The options are:

  • On - Keep uploaded files.
  • Off - Do not keep uploaded files.
  • RelevantOnly - This will keep only those files that belong to requests that are deemed relevant.

 

Resolution

 

If you have SecUploadKeepFiles set to On or RelevantOnly, you'll need to come up with a way to handle those files. You could:

- Manually review and delete the files periodically

- Setup tmpwatch to clean the files: How to clean your /tmp directory with tmpwatch

- Create a custom cronjob and script to manage the files: How to edit the root crontab

 

Otherwise, you could change the SecUploadKeepFiles directive to Off.

 

In order to change the value, first, determine if the configuration has already been set with the following command:

grep -R "SecUpload" /etc/apache2/

 

If that command returns a configuration file that was installed by or managed by a plugin or service such as ConfigServer / etc, you should reach out to the creator of the plugin or service to ask for the appropriate way to override their configuration. If you change the configuration without consulting with the creator of the plugin, you may find that your customization is removed later on while you are not expecting it.

 

Otherwise, you can use the following tutorial to learn how to make edits to your ModSecurity configuration in a way that is compatible with cPanel and won't be overwritten by cPanel:

How to customize the ModSecurity 2 configuration on a cPanel server

Related articles