Centos 8 - mod_security v3 not working custom rules

vacancy

• November 07, 2020 10:11

I'm running tests on Centos 8.2 and Cpanel v92. When I install mod_security v3 and want to add custom rules from the edit rules section, I see the following error. None of the SecConnEngine, SecRuleEngine, SecRule codes are recognized. Error: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 1 of /etc/apache2/conf.d/modsec/modsec2.user.conf: Invalid command 'SecConnEngine', perhaps misspelled or defined by a module not included in the server configuration
Error: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 1 of /etc/apache2/conf.d/modsec/modsec2.user.conf: Invalid command 'SecRuleEngine', perhaps misspelled or defined by a module not included in the server configuration
Error: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 1 of /etc/apache2/conf.d/modsec/modsec2.user.conf: Invalid command 'SecRule', perhaps misspelled or defined by a module not included in the server configuration

• 

  fuzzylogic

  • November 07, 2020 21:01

  If I saw these errors in the circumstances you describe and if modsec was working properly with OWASP3 ruleset prior to the addition of custom rules I would be almost certain that the cause would be a syntax error in one of my custom rules. To troubleshoot this... 1) Delete (NOT disable) all your custom rules. If you disable them they remain in place continuing to feed the syntax error to the Apache configuration. 2) Add back your one of your custom rules. Select the Deploy and Restart checkbox, then click the Save button. If Apache restarts without error then the custom rule you just added does not contain the syntax error. 3) Continue adding one rule at a time then Select the Deploy and Restart checkbox, then click the Save button. Once you identify the custom rule with the syntax error then repair the syntax or stop using that rule.

  0
• 

  vacancy

  • November 07, 2020 21:34

  Hi OWASP3 rules are not installed, all of these rules are the codes I used in mod_security v2. Even though I ran the rules one by one, nothing changed. Even when I use the "SecConnEngine On" rule alone, I see the same error.

  0
• 

  fuzzylogic

  • November 07, 2020 23:26

  Sorry, I'm not yet up on the differences between setting up mod_security v3.x and mod_security v2. Is cPanel's implementation of Mod-security even aware of the different setup? It's mentioned here... Apache connector middleware says that other configuration is required. For instance... Usage libModSecurity for Apache extends your configuration directives. In order to load the module into Apache add the following directive to your Apache configuration: LoadModule security3_module modules/mod_security3.so
  And needs the following dierectives in Apache config... modsecurity on modsecurity_rules_file /etc/my_modsecurity_rules.conf;
  Your experiments are in advance of my own so I'll leave you to it from here on. Would be good to read of your pathway to success when you achieve it.

  0
• 

  vacancy

  • November 08, 2020 09:08

  Nothing has changed. Error: The "/usr/sbin/httpd -DSSL -t -f /etc/apache2/conf.d/includes/pre_main_global.conf.tmp.cfgcheck -C Include "/etc/apache2/conf.modules.d/*.conf"" command (process 6424) reported error number 1 when it ended. Configuration problem detected on line 2 of file /etc/apache2/conf.d/includes/pre_main_global.conf.tmp: Failed to open the file: /etc/my_modsecurity_rules.conf;\n --- /etc/apache2/conf.d/includes/pre_main_global.conf.tmp --- 1modsecurity on 2 ===> modsecurity_rules_file /etc/my_modsecurity_rules.conf; <=== --- /etc/apache2/conf.d/includes/pre_main_global.conf.tmp --
  

  0
• 

  cPRex Jurassic Moderator

  • November 09, 2020 14:40

  Much better reply from Dan below :D

  0
• 

  cPDan

  • November 09, 2020 14:54

  Hello @vacancy , Thank you for trying out the experiment mod sec 3.0 and beta (alpha really) Apache connector for it. To help resolve your problem there are some quirks w/ mod sec 3.0 and its apache connector that are not intuitive when first coming from mod_security2 land.

  • The use of pre_main_global.conf to load the module or enable it is a red herring. If you install ea-modsec0-connector-apache24 it puts all of that in place for you.
  • The 3.0 apache connector does not support the same config syntax as 2.9:
    • if you normally did `SecFoo bar` in the user.conf you now have to `modsecurity_rules 'SecFoo Bar'`
    • if you normally did "Include "/rulesfile.conf" you now have to `modsecurity_rules_file ""/rulesfile.conf"`
    • not all 2.9 directives are supported in 3.0
    • the ones that are may behave differently
    • its some trial and error because their documentation has only been partially updated to match reality

  HTH! For reference in case it helps anyone: cPanel docs ? Mod Security 3 repo (readme is pretty good) ? SpiderLabs/ModSecurity Mod Security wiki ?

  0
• 

  splaquet

  • January 16, 2021 06:09

  I use Imunify360, so this solution might not be for everyone... but, after installing CloudLinux, I also kept having Apache crashing on me. I had the same error messages. here was my solution... and upon completion, Apache restarted itself: yum remove ea-apache24-mod_security2 -y
  

  0

Please sign in to leave a comment.