modsec_vendor: The /usr/local/cpanel/scripts/modsec_vendor update failed

jeffschips

• January 30, 2023 21:39

Apparently I'm receiving this error because mod_sec providers are not providing updates. Is there a solution to this? Can I safely ignore it?

• 

  quietFinn

  • January 31, 2023 10:26

  What ModSecurity Vendor(s) do you have enabled?

  0
• 

  cPRex Jurassic Moderator

  • January 31, 2023 12:21

  What @quietFinn said - we'll need some more details, or you can also manually run the command to see if you get additional output.

  0
• 

  jeffschips

  • February 01, 2023 00:46

  COMODO ModSecurity Apache Rule Set and OWASP CRS v3.x for ModSec 2.9 (via pkg) What are the commands for manual?

  0
• 

  cPRex Jurassic Moderator

  • February 01, 2023 11:19

  You'll want to run this command to get the vendor_id field for each provider: /usr/local/cpanel/scripts/modsec_vendor list
  That will give you output similar to this: [root@host ~]# /usr/local/cpanel/scripts/modsec_vendor list [OWASP3] OWASP CRS v3.x for ModSec 2.9 configs (33) cpanel_provided 1 description OWASP ModSecurity 2.9 Core Rule Set v3.3.4 enabled 1 in_use 33 installed 1 installed_from https://httpupdate.cpanel.net/fake-URL-to-show-vendor-correctly-with-pkg/with-pkgs-this-field-is-irrelevant/meta_OWASP3.yaml is_pkg ea-modsec2-rules-owasp-crs name OWASP CRS v3.x for ModSec 2.9 path /etc/apache2/conf.d/modsec_vendor_configs/OWASP3 supported_versions (0) update 1 vendor_id OWASP3 vendor_url https://go.cpanel.net/modsecurityowasp
  Then, take that vendor_id and run the update command and see if there is any helpful output. Here is an example: # /usr/local/cpanel/scripts/modsec_vendor update OWASP3 Dependencies resolved. Nothing to do. Complete!
  

  0
• 

  jeffschips

  • February 02, 2023 03:47

  Thank you. Results below: [root@xxxx ~]# /usr/local/cpanel/scripts/modsec_vendor update OWASP3 No packages marked for update [root@xxxx ~]# /usr/local/cpanel/scripts/modsec_vendor update comodo_apache warn [modsec_vendor] The system could not add the vendor: The vendor metadata does not contain an entry for your version of ModSecurity, "2.9.6". The only versions of ModSecurity this rule set supports are "2.7.5", "2.7.7", "2.8.0", "2.9.0", "2.9.1", "2.9.2", and "2.9.3". info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup The system failed to update the vendor from the URL ": The vendor metadata does not contain an entry for your version of ModSecurity, "2.9.6". The only versions of ModSecurity this rule set supports are "2.7.5", "2.7.7", "2.8.0", "2.9.0", "2.9.1", "2.9.2", and "2.9.3". warn [modsec_vendor] The system failed to update the vendor from the URL ": The vendor metadata does not contain an entry for your version of ModSecurity, "2.9.6". The only versions of ModSecurity this rule set supports are "2.7.5", "2.7.7", "2.8.0", "2.9.0", "2.9.1", "2.9.2", and "2.9.3".

  0
• 

  cPRex Jurassic Moderator

  • February 02, 2023 15:10

  There you go - it seems like removing that vendor is the beset approach since they haven't applied an update in a while.

  0
• 

  jeffschips

  • February 02, 2023 22:10

  I see. But wouldn't disabling it affect security because although the server hasn't received updates, there are still threats out there which could still be caught nevertheless by keeping it enabled?

  0
• 

  cPRex Jurassic Moderator

  • February 03, 2023 13:08

  I suppose it's possible, but it would be even better to switch to a provider that offers support ad updates.

  0
• 

  jeffschips

  • February 06, 2023 00:44

  Any suggestions on where to find these vendors that are current and compatible with mod_sec?

  0
• 

  quietFinn

  • February 06, 2023 00:52

  What vendors do you have in WHM -> Security Center -> ModSecurity Vendors ?

  0
• 

  jeffschips

  • February 06, 2023 01:04

  Comodo and on their website they say they have an updated rules set. They advertise on their website: "Modsecurity Rules - Free from Comodo. Sign up free." So I login in with my previous account credentials. They show - correctly - that my current rule set has expired. Great - glad ot know they are on top of that - but they don't offer any way to get the *new* rules set. At least I couldn't find it.

  0
• 

  jeffschips

  • February 06, 2023 01:26

  I must say it seems a bit misleading for cpanel to offer the toggle on/off feature in whm for mod_security without any notice for the COMODO ModSecurity Apache Rule Set as being outdated. And further, when I click on the link in that entry to

  0
• 

  quietFinn

  • February 06, 2023 01:30

  cPanel has nothing to do with Comodo ModSecurity rules, but it allows you to install 3rd party rules. cPanel provides OWASP ModSecurity rules.

  0
• 

  jeffschips

  • February 06, 2023 01:43

  Okay thanks for that. I guess what I'm asking is it redundant to have two rule sets - the OWASP's and Comodo? Are either one of them acting on different attack surfaces or are they both all about web interactions with the server, albeit with code that fills in where the other one lacks?

  0
• 

  quietFinn

  • February 06, 2023 01:51

  You can have more than one rule set installed, but as far as I know you must not have more than one enabled. Comodo and OWASP ModSecurity rules & ModSecurity itself are doing the same job, as a Web Application Firewall.

  0
• 

  jeffschips

  • February 06, 2023 02:03

  Thank you @quietFinn that's helpful. SOLVED

  0

Please sign in to leave a comment.