mod_security not working

Jeff P.

• September 22, 2021 08:36

Hello, I have the below setup and mod_sec doesn't appear to be working. I tried reprovisioning and even manually removing files and reinstalling. Any help would be appreciated! OS: CENTOS 7.9 kvm cPanel Ver: v98.0.8 Apache 2.4

• config
• config-runtime
• mod_buffer
• mod_bw
• mod_bwlimited
• mod_cgi
• mod_deflate
• mod_env
• mod_expires
• mod_headers
• mod_mime_magic
• mod_mpm_prefork
• mod_proxy
• mod_proxy_http
• mod_proxy_wstunnel
• mod_security2
• mod_ssl
• mod_suexec
• mod_suphp
• mod_unique_id
• tools

PHP 8.0

• libc-client
• pear
• php80-php-fpm
• php-bcmath
• php-calendar
• php-cli
• php-common
• php-curl
• php-devel
• php-ftp
• php-gd
• php-iconv
• php-imap
• php-litespeed
• php-mbstring
• php-mysqlnd
• php-pdo
• php-posix
• php-soap
• php-sockets
• php-xml
• php-zip
• runtime

Additional Packages

• apr
• apr-util
• brotli
• cpanel-tools
• documentroot
• libargon2
• libcurl
• libnghttp2
• libxml2
• libzip
• modsec-sdbm-util
• modsec2-rules-owasp-crs
• nghttp2
• oniguruma
• oniguruma-devel
• openssl11
• php-cli
• php-cli-lsphp
• profiles-cpanel

• 

  cPRex Jurassic Moderator

  • September 22, 2021 16:24

  Hey hey! Is it possible there just isn't anything noteworthy that is tripping ModSecurity? The only way to know for sure would be to send a request to the server that is specifically designed to trip a rule.

  0
• 

  cPRex Jurassic Moderator

  • September 22, 2021 16:29

  Try something like this with one of your domains to see if this trips a rule: curl -A 'paros' https://domain.com curl -s http://domain.com/?../../../../etc/passwd
  

  0
• 

  Jeff P.

  • September 23, 2021 12:08

  I did many times, nothing happened and our server gets plenty of traffic, but I have empty logs.

  0
• 

  cPRex Jurassic Moderator

  • September 23, 2021 13:14

  It definitely sounds like something is up then. Could you submit a ticket to our team so we can check this out?

  0
• 

  Jeff P.

  • September 29, 2021 10:49

  Will do, thx

  0
• 

  cPRex Jurassic Moderator

  • September 29, 2021 12:49

  If you're able to submit a ticket, please post the number here so I can follow along and post the solution once it is resolved.

  0
• 

  kdean

  • September 30, 2021 04:31

  On the off chance this helps. About a year ago, my ModSecurity that had been previously working all of a sudden stopped working. While investigating I discovered that /etc/apache2/conf.d/modsec/modsec2.cpanel.conf was empty and I was pretty sure it wasn't supposed to be empty and I never touched it. So, I went to WHM > Security Center > ModSecurity" Configuration. I figured maybe if I just resave the config here but Save is greyed out unless you make a change. So, I changed "Connections Engine" to "Process the rules" and saved and then set it back to "Do not process the rules" and saved. Now the modsec2.cpanel.conf had content in it again and my user rules and atomicorp rules started working and logging again. So check that particular file to make sure it's not empty just in case since it can stop the whole thing from working.

  0

Please sign in to leave a comment.