New ModSecurity
The new integration of ModSecurity looks great, but I see that it is possible for each account to disable ModSecurity.
Is it possible to disable this option in cPanel in WHM, so ModSecurity is not visible in cPanel?
-
Try here: WHM » Packages » Feature Manager. Find and disable: Mod_Security Domain Manager 0 -
Thanks Infopro 0 -
I can just smell the hacked accounts increasing as people turn off modsec to avoid a simple whitelist or rule fix >_< At least it seems like the feature showcase gives you the option to not turn this on in the first place, at least on boxes doing updates. As a large cPanel hosting provider, we already manage modsec2.user.conf for our customers. Giving them an easy way to disable it will only flood our abuse desk with more hacked WordPress sites. Surely in a perfect world their passwords would be strong and plugins up to date, but we all know how often that's actually the case. If this feature must be available to end users in each cPanel account to entirely strip themselves of ModSecurity protections, there should at least be a warning about it. Something should pop up and ask if they're sure they want to entirely disable it. Running a PHP web application without a WAF is just begging for trouble nowadays. 0 -
The ability to wholesale disable ModSecurity from the cPanel account interface on a per-domain basis was a highly requested feature for the product. However, like you, we recognize the implications of allowing this behavior. This is why the ModSecurity Domain Manager is disabled by default on all servers (both existing and new installs). The only way for the Domain Manager to show up for a user is if the server owner has explicitly enabled the Domain Manager feature when prompted for a decision via the Feature Showcase when updating, or by manually enabling it through the Feature Manager. If you are not seeing this behavior, please open a ticket so we can investigate via 0 -
So the recommended setting is [ off ] for this? 0 -
Although not directly related to the OP's original post, I have not updated any client boxes to 11.46 and do not plan to until I know positively that this is not going to break my existing Atomicorp rules configuration and updating. I run the Atomicorp rulesets on all servers that I maintain. I have no desire to ever disable ModSecurity for a single user. And I have no desire to update to 11.46 and then find that none of my Atomic rules work / something breaks. There are specific entries in modsec2.user.conf on the machines that I maintain which should never be modified by cPanel. Can somebody from cPanel give me a clear indication as to whether I'm likely to see breakage with the update? The Atomicorp ruleset requires specific and considerable configuration over what cPanel originally provided. I don't want any of that configuration to be blown out / rendered nonfunctional after an update. cPanel folks -- any comment? Mike 0 -
cPanel isn't going to mess with your modsec2.user.conf unless you use the interface in WHM to add rules. The exclusions and other settings set via WHM go in modsec2.cpanel.conf, which is included after modsec2.user.conf in modsec2.conf. It hasn't broken my custom rule sets, which I set up in a similar way to Atomicorp (I update modsec2.user.conf using an RPM package). Thankfully, as long as you leave the modsec manager off in WHM Feature Manager, cPanel accounts won't get the option to disable modsec on their domains. I could not really advise anyone security conscious to allow their customers to disable modsec on their own domains. 0 -
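An audit sketch for the include order and per-domain disabling discussed above; it is an added example, not part of the thread and not cPanel's code. It assumes a per-domain disable shows up as `SecRuleEngine Off` inside the domain's `<VirtualHost>` block, and the file contents and host names are constructed samples.

```python
import re

# Constructed sample configs, listed in the include order described above:
# modsec2.user.conf first, modsec2.cpanel.conf second, virtual hosts last.
USER_CONF = "# host-maintained rules\nSecRuleEngine DetectionOnly\n"
CPANEL_CONF = "SecRuleEngine On\n"
VHOSTS_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName shop.example.com
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName blog.example.com
</VirtualHost>
"""

ENGINE = re.compile(r"^\s*SecRuleEngine\s+(On|Off|DetectionOnly)\s*$", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)
CANON = {"on": "On", "off": "Off", "detectiononly": "DetectionOnly"}

def engine_states(configs):
    """Return (global_state, {server_name: effective_state})."""
    global_state = "Off"          # ModSecurity default when never set
    vhosts, current = [], None    # current = vhost block being read
    for text in configs:
        for line in text.splitlines():
            if line.lstrip().startswith("#"):
                continue
            if VHOST_OPEN.match(line):
                current = {"name": "(unnamed)", "engine": None}
            elif VHOST_CLOSE.match(line) and current is not None:
                vhosts.append(current)
                current = None
            elif current is not None and (m := SERVER_NAME.match(line)):
                current["name"] = m.group(1)
            elif m := ENGINE.match(line):
                value = CANON[m.group(1).lower()]
                if current is None:
                    global_state = value      # later global line wins
                else:
                    current["engine"] = value  # per-vhost override
    # A vhost without its own setting inherits the final global value.
    return global_state, {v["name"]: v["engine"] or global_state for v in vhosts}

def unprotected(configs):
    """Server names whose effective engine state is not 'On'."""
    return sorted(n for n, s in engine_states(configs)[1].items() if s != "On")

if __name__ == "__main__":
    print(unprotected([USER_CONF, CPANEL_CONF, VHOSTS_CONF]))
```

The model is simplified: it tracks only global and `<VirtualHost>` scope and ignores `<Directory>` and `<Location>` overrides.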
> cPanel isn't going to mess with your modsec2.user.conf unless you use the interface in WHM to add rules. The exclusions and other settings set via WHM go in modsec2.cpanel.conf which is included after modsec2.user.conf in modsec2.conf. It hasn't broken my custom rule sets which I set up in a similar way to atomicorp (I update modsec2.user.conf using an RPM package) Thankfully, as long as you leave the modsec manager off in WHM feature manager, cPanel accounts won't get the option to disable modsec on their domains. I could not really advise anyone security conscious to allow their customers to disable modsec on their own domains.
Thanks, Quiz. I agree about the security aspect. I guess I might give 11.46 a try tonight on the box with the least number of squeaky wheels and see how it goes. M 0 -
How to disable/uninstall the new feature cPanel-ModSecurity in 11.46? I don't find it in Tweak Settings. 0 -
> Can somebody from cPanel give me a clear indication as to whether I'm likely to see breakage with the update? The Atomicorp ruleset requires specific and considerable configuration over what cPanel originally provided. I don't want any of that configuration to be blown out / rendered nonfunctional after an update. cPanel folks -- any comment?
The ModSecurity features introduced in 11.46 do not automatically change/add/delete anything within modsec2.user.conf. You should experience an uneventful upgrade with nothing in modsec2.user.conf being changed. As another user mentioned, anything in modsec2.user.conf is editable via this new feature. So, if you go to WHM you'll be able to edit/add/delete rules that exist within modsec2.user.conf. The only restriction that is enforced by us when using our tool to edit the conf is that we make sure ModSecurity itself reports back no syntax errors. That shouldn't be a problem for you, since if you had any syntax errors then Apache wouldn't be starting for you. The only change you'll see is that we've moved some of the global configs for ModSecurity (like turning the engine on/off) out of modsec2.conf to modsec2.cpanel.conf. But, even then, we'd be obeying existing settings that we had in modsec2.user.conf -- we just moved their location.
> How to disable/uninstall the new feature cPanel-ModSecurity in 11.46? I don't find it in Tweak Settings.
With 11.46, the ModSecurity interface in WHM is now considered a core feature of the product which cannot be disabled/removed. The feature will only function, however, if you also have the actual mod_security Apache module installed through EasyApache. If you do not have this installed, clicking on the feature in WHM will alert you to this fact and instruct you on how to install it if you wish to use the feature. Disabling the ModSecurity Domain Manager in the cPanel interface (for enabling/disabling ModSecurity per-domain) is done through the Feature Manager in WHM where you can enable/disable other similar features. Again, this only affects whether users see and are able to use the ModSecurity Domain Manager within their cPanel interface. Unless you had explicitly chosen to enable this feature in the Feature Showcase that popped up when upgrading to 11.46, the default configuration for this feature is already "disabled". 0 -
Thanks Brian for the feedback. You say "With 11.46, the ModSecurity interface in WHM is now considered a core feature of the product which cannot be disabled/removed" and at the same time, cPanel suggests during the upgrade to 11.46 to choose whether we want to install the feature or not, so it means it is not really a core feature, as we have the choice to install it or not. So if we install it by mistake there is no possibility to roll back to the default configuration where this feature is disabled? It is confusing :confused: 0 -
When you are presented the Feature Showcase option during the upgrade to enable/disable the ModSecurity Domain Manager, it is not asking you whether to install it or not. It's already installed by the time it asks you what you want to do with it. It's just asking whether you want the feature enabled or disabled for your customers by default. Regardless what option you choose, the feature is *already* installed by the time you see that choice. You are simply selecting whether it is disabled or enabled. It is always "installed" and it is not possible to prevent its install or otherwise uninstall it. This is just like any other core feature of cPanel & WHM. As of 11.46, we've introduced the ModSecurity UI as a core feature and no longer install it as a plugin like it has been in 11.44 and earlier. Note that this is just the user interface itself; the mod_security Apache module is still able to be included or excluded from Apache using the EasyApache interface in WHM. 0 -
Ah OK, it makes sense now, it is clear, thank you :) 0 -
I have looked at the documentation for the UI and it seems sparse at best. For example, in the tool, if it shows a triggered rule it asks if I want to enable it. The checkbox appears, but it is not clear 1) if the user was actually blocked based on severity level or it is just notifying me and 2) if the rule is enabled already or if I want to actually enable it. Something this important should be properly documented. Thanks 0 -
Hi! I have a couple questions regarding this feat
> When you are presented the Feature Showcase option during the upgrade to enable/disable the ModSecurity Domain Manager, it is not asking you whether to install it or not. It's already installed by the time it asks you what you want to do with it. It's just asking whether you want the feature enabled or disabled for your customers by default.
OK. This is crystal clear. So, whether you decide to activate or not in the Showcase screen, you are allegedly able to check or uncheck this option in the Feature Manager under the option "ModSecurity Domain Manager". Well... I have WHM 11.44.1 (build 23) and there is no such option. I have ModSec already installed and being managed via ConfigServer ModSec plugin. Why may this option be absent? Question #2: If I prefer to manage rules using ConfigServer ModSec manager, which provides granular control over domains, subdomains and robust rule editing, can you confirm it won't face any incompatibilities with what may be planned in the near future for this new feature? That plugin provides a very thorough and reliable UI to control almost any ModSec thing. I wouldn't like to be forced to uninstall it because of its methods being deprecated. Hope you can answer these ones. Thanks!! 0