Revert to mod_security 2.7.7

Comments

15 comments

  • cPanelMichael
    Hello :) Downgrading to a previous version of Mod_Security through EasyApache is not supported. The changes with Mod_Security 2.8 are documented here: Mod_Security 2.8 Changes Thank you.
    0
  • santrix
    Hi. Totally agree with the OP. This is always a bone of contention. I really wish cpanel would offer a bit more control over the ModSec version. ModSecurity 2.8 has a few bugs, and one of them has meant that anyone using Atomic Corp Realtime Rules (I'm sure we are not alone here) are finding problems as follows: Atomicorp • View topic - Syntax error? (http://atomicorp.com/forums/viewtopic.php?f=14&t=7682&sid=db6c92d2f5c1233292d0dd9d343136c1)
    The fix is simply to get rid of any CIDR notations from the ipMatch parameters. This script will fix the current problem but I expect there will be more to come unless Atomic Corp either support 2.8 or cPanel allow a downgrade - between the two organisations us poor hosters are getting the rough end of the stick.

        #!/bin/bash
        # TEMPORARY PATCH DUE TO MODSEC 2.8 BUG
        # Collect the rule files that use the CIDR form, one path per line.
        IFS=$'\n'
        declare -a Files=($(grep -El "ipMatch 127.0.0.0/8" /usr/local/apache/conf/modsec_rules/*))
        unset IFS
        # Replace the CIDR range with a single address in each matching file.
        for File in "${Files[@]}"; do
            /bin/sed -i -e 's:ipMatch 127\.0\.0\.0\/8:ipMatch 127.0.0.1:' "$File"
        done
    0
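An audit-then-patch variant of the workaround in the post above, as an added example that is not part of the thread or of any cPanel or Atomicorp tooling. It goes beyond the post by reporting every ipMatch argument that carries CIDR notation, while rewriting only the loopback case the post names and keeping a backup of each changed file; the function names, rule ids and sample addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Audit first, then patch with backups.

# List file:line:text for every ipMatch argument containing CIDR notation.
find_cidr_ipmatch() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.bak) continue ;; esac      # skip our own backups
        grep -nE 'ipMatch[^"]*[0-9]+(\.[0-9]+){3}/[0-9]+' "$f" /dev/null || true
    done
}

# Apply the thread's loopback rewrite, keeping FILE.bak for each file changed.
# Note: 127.0.0.1 is narrower than 127.0.0.0/8, so review rules that rely on
# the whole loopback range. Prints the number of files modified.
patch_loopback_cidr() {
    changed=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.bak) continue ;; esac
        if grep -q 'ipMatch 127\.0\.0\.0/8' "$f"; then
            sed -i.bak -e 's:ipMatch 127\.0\.0\.0/8:ipMatch 127.0.0.1:' "$f"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Constructed sample rules (ids and addresses are made up for the demo).
make_sample_rules() {
    printf '%s\n' 'SecRule REMOTE_ADDR "@ipMatch 127.0.0.0/8" "id:900001,phase:1,pass,nolog"' > "$1/a.conf"
    printf '%s\n' 'SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" "id:900002,phase:1,pass,nolog"' > "$1/b.conf"
    printf '%s\n' 'SecRule REMOTE_ADDR "@ipMatch 10.0.0.1,198.51.100.0/24" "id:900003,phase:1,deny"' > "$1/c.conf"
}

# Demo on a throwaway directory; point the functions at the real rules
# directory only after reviewing the audit output.
demo_dir=$(mktemp -d)
make_sample_rules "$demo_dir"
find_cidr_ipmatch "$demo_dir"          # a.conf and c.conf are reported
patch_loopback_cidr "$demo_dir"        # rewrites a.conf only
find_cidr_ipmatch "$demo_dir"          # c.conf still needs manual review
rm -rf "$demo_dir"
```

Ranges other than loopback are reported but left alone, because a network such as a /24 cannot be collapsed to one address without changing what the rule matches.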
  • cPanelMichael
    You are welcome to open a feature request for the ability to control which version of Mod_Security is installed: Submit A Feature Request Thank you.
    0
  • santrix
    cPanelMichael said: "You are welcome to open a feature request"
    Disappointed with this response. I am slightly less disappointed with Atomic Corp's response: Atomicorp • View topic - Syntax error? (http://atomicorp.com/forums/viewtopic.php?f=14&t=7682) because I sympathise with their point of view that 2.8 is too buggy. It begs the question - Why push out Mod Security 2.8 when there were very clearly documented problems with it:
    0
  • speckados
    Totally agree. It is not good to kick the ball away with "you put in a ticket" or "request an improvement". The criticism is constructive, and cPanel's error is clear. It opted for a very recent version of mod_security that came with bugs, and that is a problem for thousands of users running cPanel + AtomicRules and other rules. The reaction from cPanel should be different: to offer the downgrade or a method to execute without easyapache use the version 2.8. It should not send the user to "Submit A Feature Request". A proactive reaction versus a traditional reaction.
    0
  • quizknows
    I don't fault cPanel or ASL here, though I did ping someone regarding
    0
  • cPanelPeter cPanel Staff
    Hello, Please note, that cPanel does not provide ModSecurity. We simply install what is made available by the Apache team. What cPanelMichael mentioned was correct. Please file a feature request to allow users the ability to select which version of ModSecurity they wish to install during EasyApache.
    0
  • Tom Risager
    Thanks for the explanation, Peter, but I actually thought you did some amount of QA before including what the Apache team releases in EasyApache.
    0
  • ScottTh
    Hi everyone, We are beginning work to revert mod_security back to version 2.7.7. Please watch the EasyApache forums and our change log for the upcoming release. Thanks for your feedback!
    0
  • cPanelKenneth
    Tom Risager said: "Thanks for the explanation, Peter, but I actually thought you did some amount of QA before including what the Apache team releases in EasyApache."
    We only test what we know about and use. We currently provide a very narrow set of mod_security rules, which are compatible with mod_security 2.8. As noted in the github bug report, this also eluded the mod_security developers for a similar reason: their rulesets don't use the particular notation that changed. Now that they have a unit test for it, hopefully it will prevent future issues.
    0
  • Tom Risager
    cPScottT said: "We are beginning work to revert mod_security back to version 2.7.7."
    Excellent news, thank you :)
    0
  • ScottTh
    Hi everyone, EasyApache 3.24.21 has been published. Please take a moment to view our change log. This version of EasyApache addresses the issues with mod_security 2.8.0 and a particular rule set that would cause EasyApache to not function as expected. Originally a revert to mod_security 2.7.7 seemed the most likely solution to solve this problem. Thankfully we have identified a less invasive and more precise change rather than reverting back to mod_security 2.7.7. We have applied the patch that addresses the issues with the offending rule in EasyApache 3.24.21. We were able to utilize a patch provided here. The developers have indicated that this patch will be part of the mod_security 2.8.1 release candidate. EasyApache will update mod_security to version 2.8.1 when it has been released. Thank you all for your patience and helpful feedback. It's been an integral part of the troubleshooting process. Please let us know if there are any additional questions.
    0
  • speckados
    "that cPanel does not provide ModSecurity" Disappointed... cPanel offers ModSecurity... EasyApache mod_security Module (http://docs.cpanel.net/twiki/bin/view/AllDocumentation/EasyapacheModsecurity)
    0
  • ScottTh
    speckados said: "that cPanel does not provide ModSecurity" Disappointed... cPanel offers ModSecurity... EasyApache mod_security Module (http://docs.cpanel.net/twiki/bin/view/AllDocumentation/EasyapacheModsecurity)
    Hi speckados, I hope I can help address your concern. EasyApache does provide access to the ModSecurity software as you see in the documentation you found. ModSecurity is released and maintained by groups outside of cPanel. This is the same with all components of EasyApache such as PHP and Apache itself. EasyApache is a tool that helps to utilize and deploy this software in a convenient and safe manner. cPanelPeter's comment that "cPanel does not provide ModSecurity" simply means that cPanel is not the initial developer of the software. We also carefully review and test all new updates to EasyApache. This recent issue with ModSecurity has led to improved test coverage from the ModSecurity developers themselves as seen here. This is a learning experience for not just the ModSecurity developers, but also for cPanel and EasyApache. Please let me know if you have any other questions or have ideas how to improve our integration of ModSecurity. Thanks!
    0
  • cPHeekyoung
    Current ModSecurity version via EasyApache is 2.8.0 + patch for (see 3.24.21 section)
    0