Mod_Security DBM Question in 2018

Comments

16 comments

  • Bulent Tekcan
    Hello, this problem is gone. I think I found a solution this way:

    1- Edit modsec/modsec2.cpanel.conf and put SecDataDir "/var/log/secdatadir", then save and exit.
    2- Make this step with SSH root access:

        cp -R /var/cpanel/secdatadir /var/log/
        chmod 1733 /var/log/secdatadir
        chown -R nobody:nobody /var/log/secdatadir
        chmod ugo+rw /var/log/secdatadir/ip.*
        chmod ugo+rw /var/log/secdatadir/user.*
        chmod ugo+rw /var/log/secdatadir/global.*

    And restart the https daemon. Finally, my "ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied" problem is gone. I hope other users are happy with this solution :)
    0
  • linuxman1
    I read in a post that this solution is temporary, as cPanel will overwrite this change when it runs cpup!
    0
  • cPanelMichael
    I read before on the cPanel forums that this issue should be solved when ModSecurity version 3 is available, and when I checked online recently, it was finally available. When will cPanel use it instead of version 2.9, which is currently used by cPanel?

    Hello, There's currently no time frame on its inclusion with cPanel & WHM, but I encourage you to vote and add feedback to the existing feature request at:
    0
  • rclemings
    For some reason I can't get this to work. I did the following:

    1. created /var/log/secdatadir and its files and set permissions and ownership
    2. set SecGeoLookupDb to /var/log/secdatadir in WHM
    3. restarted the web server
    4. confirmed that SecGeoLookupDb "/var/log/secdatadir" is now in /etc/apache2/conf.d/modsec/modsec2.cpanel.conf

    and I still get this in the /usr/local/apache/error_log:

        ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip"

    It looks as if the SecGeoLookupDb setting in modsec2.cpanel.conf is not being recognized. Where did I go wrong?
    Hello, I believe the workaround you are looking for is discussed on the following thread:
    0
  • cPanelMichael
    ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip"

    Hello @rclemings, Can you confirm if your system is using either Mod_Ruid2 or MPM-ITK? Additionally, do you notice any further output in the Apache error log or the ModSecurity audit log at the time of the error? Thank you.
    0
  • rclemings
    Yes on mod_ruid2, no on mod_mpm_itk. The only thing I see in the Apache error log is what's noted above. Here's a sanitized example of the full line:

        [Thu Jun 21 18:48:31.576606 2018] [:error] [pid 17159] [client xxx.xxx.xxx.xx:xxxxx] [client xxx.xxx.xxx.xx] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxx.xxx.xxx"] [uri "/xxx/xxx/xxx/xxx/xxx.xxx"] [unique_id "Wyvy-znpE5EZ5QYb1vniJAAAAAM"], referer: - Removed -'

    ... and for the corresponding request from the modsec audit log:

        xxx.xxx.xxx xxx.xxx.xxx.xx - - [21/Jun/2018:18:48:31 +0000] "GET /xxx/xxx/xxx/xxx/xxx.xxx?itok=odo8ZqNm HTTP/1.1" 200 3863 "-" "-" Wyvy-znpE5EZ5QYb1vniJAAAAAM "-" /xxxxxxxx/20180621/20180621-1848/20180621-184831-Wyvy-znpE5EZ5QYb1vniJAAAAAM 0 2300 md5:b74040396f83579e10ef2b633ac0c62e

    I don't understand why it's hitting /var/cpanel/secdatadir/ip in the first place, since I set SecGeoLookupDb to /var/log/secdatadir. I don't think I missed a step (famous last words) ...
    0
  • cPanelMichael
    Hello @rclemings, The workaround you used is only applicable to the Geolocation Database (SecGeoLookupDb) option. The SecDataDir configuration value still uses the /var/cpanel/secdatadir by default. You can try updating that value directly in the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf file (and then restart Apache), but keep in mind these are user-submitted workarounds that are unsupported and not recommended. Thank you.
    0
  • rclemings
    OK. That would have to be redone after every update then, right?
    0
  • cPanelMichael
    Hello @rclemings, Upon testing, the modified value in the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf file was not altered upon updating cPanel and downgrading/upgrading the ea-apache24-mod_security2 RPM. Thank you.
    0
  • rclemings
    great news ... thanks
    0
  • rclemings
    Spoke too soon ...

        ##
        ## ModSecurity fixed global configuration directives
        ##
        SecDataDir "/var/log/secdatadir"

    was reverted to

        ##
        ## ModSecurity fixed global configuration directives
        ##
        SecDataDir "/var/cpanel/secdatadir"

    in today's update from 70.0.48 to 70.0.51.
    0
  • cPanelMichael
    Hello, It does appear that value can be modified. You could set up a script that replaces that line in the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf file and then add a hook that runs in the upcp post stage: There's an example of how to do this on the following post (it's for Roundcube, but the same concept applies): Thank you.
    0
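
The replacement script suggested in the comment above could look like the following. This is an added example, not code from the thread or from cPanel: the function names `pin_secdatadir` and `demo` and the `--apply` switch are hypothetical, the file and directory paths are the ones quoted in the thread, and registering it as a upcp post-stage hook is not shown.

```bash
#!/bin/bash
# Added example, not cPanel's code. Re-pins SecDataDir in a ModSecurity config
# file after an update has reverted it. Prints "changed" or "unchanged".
pin_secdatadir() {
    local conf="$1" want="$2" line tmp
    [ -f "$conf" ] || { echo "missing config: $conf" >&2; return 2; }
    # Never point ModSecurity at a directory that does not exist.
    [ -d "$want" ] || { echo "missing directory: $want" >&2; return 3; }
    line="SecDataDir \"$want\""
    # Idempotent: exactly one SecDataDir directive and it already matches.
    if [ "$(grep -Ec '^[[:space:]]*SecDataDir[[:space:]]' "$conf")" = 1 ] &&
       grep -Fxq "$line" "$conf"; then
        echo unchanged
        return 0
    fi
    # Build the new file beside the old one (same mode/owner via cp -p),
    # then rename over it so Apache never reads a half-written config.
    tmp="$(mktemp "$conf.XXXXXX")" || return 4
    cp -p "$conf" "$tmp" &&
    awk -v line="$line" '
        /^[ \t]*SecDataDir[ \t]/ && !done { print line; done = 1; next }
        /^[ \t]*SecDataDir[ \t]/ { next }   # drop duplicate directives
        { print }
        END { if (!done) print line }       # append if none was present
    ' "$conf" > "$tmp" && mv "$tmp" "$conf" || { rm -f "$tmp"; return 4; }
    echo changed
}

# Constructed demo: a scratch copy of the reverted stanza quoted in the thread.
demo() {
    local d; d="$(mktemp -d)" || return 1
    mkdir "$d/secdatadir"
    printf '%s\n' '##' '## ModSecurity fixed global configuration directives' '##' \
        'SecDataDir "/var/cpanel/secdatadir"' > "$d/modsec2.cpanel.conf"
    pin_secdatadir "$d/modsec2.cpanel.conf" "$d/secdatadir"   # first run edits
    pin_secdatadir "$d/modsec2.cpanel.conf" "$d/secdatadir"   # second run is a no-op
    rm -rf "$d"
}

# With --apply (as root, from the hook) edit the real file; otherwise run the demo.
if [ "${1:-}" = "--apply" ]; then
    pin_secdatadir /etc/apache2/conf.d/modsec/modsec2.cpanel.conf /var/log/secdatadir
else
    demo
fi
```

Apache only needs a restart when the script reports `changed`; an `unchanged` result after an update means the file was not reverted that time.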
  • Benjamin D.
    Wanted to go read and possibly upvote the feature request that you mentioned @cPanelMichael but it's gone? 404 error on your link:
    0
  • cPanelMichael
    Hello @Benjamin D., It looks like the previous feature request for ModSecurity version 3 was lost as part of the incident noted on the following link: Feature Request Site Downtime I've submitted a request to open the feature request again. Once it's approved, the new feature request URL will be:
    0