HTTPD conflict with mod_security?
Hello, the version is cPanel 76.0.8.
After the update httpd goes down, conflict with mod_security:
Any info on how to avoid this error and turn mod_security on again?
[Thu Nov 15 11:05:29.690689 2018] [:error] [pid 23639:tid 47743247877888] [client 104.251.91.195:47269] [client 104.251.91.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "157"] [id "920180"] [rev "1"] [msg "POST request missing Content-Length Header."] [data "0"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [hostname "www.example.net"] [uri "/"] [unique_id "W@1E6VtQYAfCGZPFiSteqgAAAkk"], referer: http://www.example.net
[Thu Nov 15 11:02:08.993264 2018] [:error] [pid 23640:tid 47743231067904] [client 173.252.127.22:49184] [client 173.252.127.22] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "452"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "sitechecker.example.com"] [uri "/ajax/snap/example.com"] [unique_id "W@1EIG-nM@K8X@Ra8bB7DwAAAoE"]
[Thu Nov 15 10:58:30.928044 2018] [:error] [pid 23638:tid 47743338829568] [client 221.14.172.69:55516] [client 221.14.172.69] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "47"] [id "920100"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "CONNECT www.domain.tld:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "www.domain.tld"] [uri "/"] [unique_id "W@1DRnIQ-JUXoZNUrcRsPwAAAdQ"]
Hello @Gojko, do you have custom mod_security rules added? The only reason I can think of that this would occur would be because you had a custom ruleset added causing an issue. The log output you're showing here doesn't appear to insinuate that there's an issue with Apache, just that there was a rule hit (meaning mod_security is doing its job). Are there specific errors related to ModSecurity when Apache crashes - log entries that are not rule matches? Thanks!
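An added example (not part of the thread and not cPanel's code) of the distinction made in the reply above: it counts rule-hit entries, which carry an [id "..."] field, and lists separately the ModSecurity-related or crit/alert/emerg lines that are more likely tied to an httpd failure. The sample log lines, the vendor path in them and the function name `triage` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (shortened, documentation addresses); not from the thread.
SAMPLE_LOG = """\
[Thu Nov 15 11:05:29.690689 2018] [:error] [pid 100:tid 1] [client 192.0.2.10:47269] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "157"] [id "920180"] [msg "POST request missing Content-Length Header."] [severity "WARNING"] [uri "/"]
[Thu Nov 15 11:06:01.000000 2018] [:error] [pid 100:tid 2] [client 192.0.2.11:50000] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "157"] [id "920180"] [msg "POST request missing Content-Length Header."] [severity "WARNING"] [uri "/"]
[Thu Nov 15 11:07:08.000000 2018] [:error] [pid 100:tid 3] [client 192.0.2.12:49184] ModSecurity: Warning. String match within ".bak/ .com/" at TX:extension. [file "/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "452"] [id "920440"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [uri "/x.com"]
[Thu Nov 15 11:10:00.000000 2018] [:error] [pid 100:tid 1] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname "www.example.net"] [uri "/"]
AH00526: Syntax error on line 12 of /etc/apache2/conf.d/modsec_vendor_configs/example_vendor/rules.conf:
[Thu Nov 15 11:10:05.000000 2018] [core:emerg] [pid 100:tid 1] AH00020: Configuration Failed, exiting
[Thu Nov 15 11:10:06.000000 2018] [authz_core:error] [pid 100:tid 1] [client 192.0.2.30:5000] AH01630: client denied by server configuration: /var/www/html/private
"""

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"')      # [id "920180"], [msg "..."]
LEVEL = re.compile(r'^\[[^\]]+\] \[([\w-]*):(\w+)\]')   # [module:level] after timestamp

def triage(log_text):
    """Return (Counter of rule hits keyed by (id, severity, msg),
    list of non-rule-hit lines that mention ModSecurity or are crit/alert/emerg)."""
    hits, other = Counter(), []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # A rule match always names the rule that fired via its id field.
        if "ModSecurity:" in line and "id" in fields:
            key = (fields["id"], fields.get("severity", "?"), fields.get("msg", ""))
            hits[key] += 1
            continue
        level = LEVEL.match(line)
        severe = bool(level) and level.group(2) in {"crit", "alert", "emerg"}
        # Anything else touching ModSecurity (module errors, vendor config
        # paths) or logged at a fatal level is a candidate crash cause.
        if severe or re.search(r"mod_?sec", line, re.I):
            other.append(line)
    return hits, other

if __name__ == "__main__":
    hits, other = triage(SAMPLE_LOG)
    for (rule_id, severity, msg), count in hits.most_common():
        print(f"rule {rule_id} [{severity}] x{count}: {msg}")
    print("\nNot rule matches (check these first for an httpd failure):")
    for line in other:
        print("  " + line)
```
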
I had an error with httpd after upcp to 76.0.8 as well. I had a third-party modsec vendor that was not enabled for rules, but was enabled for updates. The vendor update failed in the upcp, and it crashed httpd. I first deleted the vendor that was causing the problem, and tried to restart httpd with the service httpd restart command, but this didn't work. I then ran the full /usr/local/cpanel/scripts/restartsrv_apache command, which seemed to sort everything out, and httpd restarted as normal. Hope this helps.