Verify commented out rules paths are correct?
Hi, I'm new to the forum and have registered in order to post this question, having spent the last couple of hours combing the cpanel documentation and this forum for an answer without success.
I migrated my VPS from EasyApache3 to EasyApache4 a couple of hours ago and, during the migration process, I received an email from the system that reads;
"The EasyApache 4 migration found Apache Include directives in the ModSecurity 2 user configuration file, modsec2.user.conf.To ensure that your web server continues to function correctly, the system commented out these directives.You must review your ModSecurity 2 configuration and verify your Include directive paths."
When I navigate to "WHM >> Security Center >> Mod Security Tools >> Edit Rules" I find the following;
---
SecDataDir /var/asl/data/msa
SecAuditLogStorageDir /var/asl/data/audit
SecTmpDir /tmp
# Include /opt/mod_security/whitelist.conf
# Include /opt/mod_security/hg_whitelist.conf
# Include /opt/mod_security/10_asl_rules.conf
# Include /opt/mod_security/hg_rules.conf
---
My question is; How do I verify whether or not those commented out rules paths are correct?
I have not been able to find any instructions/procedure on this forum nor in the cpanel documentation on what I need to do in order to verify the paths are correct, only that I need to manually edit them after verifying that they are correct.
My server info is:
- CENTOS 6.9 virtuozzo
- v70.0.51
-
Hi @estoresite Welcome to the cPanel forums! The easiest way to determine whether or not those paths are valid or not is to check via CLI but I can tell you that having moved from EA3->EA4 the paths are incorrect no mod_security includes should be present in /opt/ Our documentation on mod_security can be found here: Apache Module: ModSecurity - EasyApache 4 - cPanel Documentation The best place to add 3rd party vendors and rulesets would be in the WHM interface at WHM>>Security Center>>ModSecurity>>Manage Vendors and WHM>>Security Center>>ModSecurity Tools>>Rules List -> Add Rule Thanks! 0 -
Thank you for your reply Lauren, Yes, I've seen that documentation and read it through but, have not seen anywhere in there on "how" to verify the rules paths. Maybe I should have re-phrased the question; What do I need to change the paths of those rules to, in order to make them compatible with EasyApache4? Note: I'm presuming those rules will work once the paths are changed to the correct EasyApache4 paths because otherwise, rather than the provided instructions telling me to simply "verify" the paths, I would expect the instructions to read more like, "the previous EasyApache version's rules and paths are not compatible with EasyApache4 so, do _____________ to re-create the rules with the correct paths". You mentioned: WHM>>Security Center>>ModSecurity>>Manage Vendors I see a vendor ( 0 -
Additionally, I have noticed that "WHM>>Security Center>>ModSecurity>>Manage Vendors >> Hits List" stopped recording hits the moment I upgraded to EasyApache4 so, that leads me to believe that something else still "needs" to be done, with respect to editing the previous rules or, creating new rules to provide the same functions that the previous rules were providing. Thanks again. 0 -
Hello, As I mentioned previously the path to the old custom rules is invalid. The new path is listed in the easyapache4 documentation I linked though the best way to re-add your custom rules is to add the custom vendor again or re-add the custom rules using the "Add Rule" feature noted in my last response. In regard to the hitlist not working there are a few other threads with that issue as well and it can be caused by a few things: Ultimately you need to ensure that logging is enabled in tweak settings: root@server# grep skipmodseclog /var/cpanel/cpanel.config skipmodseclog=0
That tailwatchd is properly tracking the modsec logging:ps aux |grep tailwatchd |grep -v grep |awk '{print $2}' |xargs lsof -p |grep modsec_audit.log
The correct output should look something like this:tailwatch 1535 root 4r REG 253,0 2447131 2393498 /var/log/apache2/modsec_audit.log
You would also need to ensure that the log location hasn't been changed it should be at /etc/apache2/logs/modsec_audit.log and that nolog is not added to any rulesets, for example, this rule:SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'900017', phase:request, nolog, pass, t:none,t:lowercase, chain"
Thanks!0
Please sign in to leave a comment.
Comments
4 comments