Modsecurity Tools hitlist is empty / not working
Hi guys
For some reason my WHM -> "Modsecurity Tools" hitlist is not working / always empty. I know modsecurity is working because hits are recorded correctly in /usr/local/apache/logs/modsec_audit.log. I don't run any WAF apps- all my rules are installed via WHM -> "Modsecurity Vendors". I've tried rules from multiple vendors and same result- they work, are logged in modsec_audit.log but the hitlist doesn't work.
Any ideas on how I could fix this?
Cheers!
-
Hello @menathor This could be caused by a few things. If you're able to access the server via CLI, can you please run the following and provide me with the output?
grep skipmodseclog /var/cpanel/cpanel.config
grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5
Where is the audit log being output to (i.e. where are you finding it)? Is there data in /usr/local/apache/conf/modsec2.user.conf
-
I'm having this same problem and I can provide outputs from those:
grep skipmodseclog /var/cpanel/cpanel.config
skipmodseclog=0
grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] /etc/apache2/logs/modsec_audit.log opened with inode 1561
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log (size:0) to 0 (requested 0)
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Caught up /etc/apache2/logs/modsec_audit.log to 0
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Restoring /etc/apache2/logs/modsec_audit.log to catch up position 0
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log to position 0
And for me, /usr/local/apache/conf/modsec2.user.conf doesn't exist.
-
Hi @dstana This shows that your modsec_audit.log has nothing in it, which is why you wouldn't see any hits. Do you have any rulesets besides the OWASP ruleset that comes default? Have you made customizations to the configuration? Based on what you provided, the modsec_audit log is enabled and empty; since this populates the hits list, it may be that you haven't had any matches. Thanks!
-
One of the rules we had in place got modified; fixing that resolved the issue.
-
Hi @dstana I'm happy to hear that you were able to identify and resolve the issue! Thanks for letting us know as well.
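Added example, not part of the thread and not cPanel's code: a small shell check that reads tailwatchd log lines of the shape posted above and reports whether the watched modsec_audit.log was empty when tailwatchd opened it. The function names and result labels are hypothetical, and treating skipmodseclog=1 as "tailwatchd does not read the audit log" is an assumption.

```shell
#!/bin/sh
# Added example, not cPanel code. The log line shape is copied from the
# tailwatchd output quoted in this thread.

# Print "<path> <size>" for the last "Restored <path> (size:N)" line on stdin.
audit_state() {
    sed -n 's/.*\[INFO\] Restored \(.*modsec_audit\.log\) (size:\([0-9][0-9]*\)).*/\1 \2/p' |
        tail -n 1
}

# Print the skipmodseclog value from cpanel.config-style text on stdin.
skip_value() {
    sed -n 's/^skipmodseclog=\([01]\)$/\1/p' | tail -n 1
}

# diagnose <skipmodseclog value>, tailwatchd log lines on stdin.
# Assumption: skipmodseclog=1 means tailwatchd does not read the audit log.
diagnose() {
    if [ "$1" = "1" ]; then
        echo "driver-skipped"; return
    fi
    state=$(audit_state)
    if [ -z "$state" ]; then
        # No "Restored ... (size:N)" line: tailwatchd never logged the file.
        echo "not-watched"; return
    fi
    size=${state##* }   # text after the last space
    path=${state% *}    # text before the last space
    if [ "$size" -eq 0 ]; then
        echo "watched-empty $path"
    else
        echo "watched-has-data $path"
    fi
}

# Sample input: two of the lines posted above.
sample_log() {
    cat <<'EOF'
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] /etc/apache2/logs/modsec_audit.log opened with inode 1561
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log (size:0) to 0 (requested 0)
EOF
}

sample_log | diagnose "$(echo 'skipmodseclog=0' | skip_value)"
```

On a live server the same functions can be fed the two files named in the thread: `/var/cpanel/cpanel.config` for `skip_value` and `/usr/local/cpanel/logs/tailwatchd_log` for `diagnose`.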