ModSecurity + MPM ITK compatibility

Comments

33 comments

  • JacobPerkins
    Hi, In EasyApache 4, we've ensured there's a conflict with the RPMs because there are a couple of issues with DBM and the like that are still issues in EA3 that we'd like to fix in EA4 before we declare them 'compatible'. In EA3, they are able to be used together; in EA4, though, not quite yet. I hope this helps!
    0
  • sonicthoughts
    Ok, what I want is caching (memcache) + modsec + PHP 5.6 or 5.5 + uid for apache (ruid2 or itk); this should give good mem/performance trade-offs. To confirm, on EA3 that should all be compatible (yeah!). Now I'm on ruid2. Are there issues/guides/concerns switching to itk? BTW - I'm noticing more support for itk than
    0
  • sonicthoughts
    Ok, On EA3 I just discovered that ITK will ONLY work with apache 2.2 - that is really disappointing. There is really no good option here for performance and it is really hard to follow what works with which version.
    0
  • Andrew Gritsuk
    Are there any plans in the near future to ensure compatibility mod_ruid2 - mod_security ea4?
    0
  • Todd DeSantis
    I am also wondering this about mod_ruid2 and mod_security! I have just updated to EA4, and I was using ruid2 and modsecurity on EA3. I didn't realize they aren't compatible. Will they be at some point? Also, this makes me make a decision right now: What is more important for security? A. ruid2 and the way it prevents apache processes from running as 'nobody' B. Modsecurity
    0
  • cPanelMichael
    Hello, Internal case EA-4430 will allow for the combined use of Mod_Security and Mod_Ruid2/mod_mpm_itk, despite the minor bugs currently associated with using them together. Thank you.
    0
  • Andrew Gritsuk
    Hello, Internal case EA-4430 will allow for the combined use of Mod_Security and Mod_Ruid2/mod_mpm_itk, despite the minor bugs currently associated with using them together. Thank you.

    The following conflicts are installed on this machine or selected in this profile:
    ea-apache24-mod_mpm_itk
    The following dependencies are not installed on this machine or not selected in this profile:
    ea-apache24-mod_unique_id
    I ignore this warning?
    0
  • cPanelMichael
    You should not ignore that warning message if you are using Mod_Ruid2. EA-4430 is not yet implemented. Thank you.
    0
  • sonicthoughts
    I have to believe this is an important request. see cross post: Please backport to EA3. thx
    0
  • JacobPerkins
    I have to believe this is an important request. see cross post: Please backport to EA3. thx

    Hi! While that patch may work for you, there's major risk in patching a WAF system like this, and that's not an easy decision to make. We don't know what consequences may arise from the patch, and if the patch hasn't been accepted upstream in the 2 years that it's been in that thread, there may be a good reason why it's not in the main line of code. I'd recommend requesting that patch to be considered for their mainline branch, and to be officially reviewed / accepted by ModSecurity before we send it out to millions of websites. At this time though, I feel the unknowns and risks outweigh the benefits.
    0
  • sonicthoughts
    Seriously? Here is another point of view:
    • That's a pretty simple answer to a problem that has been repeatedly reported
    • Is Cpanel taking any action or are you saying that I should push for a patch - I don't even know how to do that.
    • The alternative - i.e. turning off modsec seems a bit more severe
    • You are using a lot of anecdotes to make this determination
    • Please actually look at the code and you can see if changes the file permission for mod_ruid2
    • Please make it really clear why this isn't supported in the docs.
    This has appeared in multiple forums in various ways and it's a big deal to a lot of folks so please be explicit in limitations / workarounds and actions being taken. Thanks for hearing me out.
    0
  • JacobPerkins
    Seriously? Here is another point of view:
    • That's a pretty simple answer to a problem that has been repeatedly reported
    • Is Cpanel taking any action or are you saying that I should push for a patch - I don't even know how to do that.
    • The alternative - i.e. turning off modsec seems a bit more severe
    • You are using a lot of anecdotes to make this determination
    • Please actually look at the code and you can see if changes the file permission for mod_ruid2
    • Please make it really clear why this isn't supported in the docs.
    This has appeared in multiple forums in various ways and it's a big deal to a lot of folks so please be explicit in limitations / workarounds and actions being taken. Thanks for hearing me out.

    Hi! This problem has been around for years. cPanel is not able to take any action on this. We are not keen enough on the internals of ModSecurity to patch and ensure we didn't break anything else. This is why I feel we need to push on the ModSec development team to get this fixed, as this bug lies with them, not with cPanel or RUID2/ITK.
    0
  • sonicthoughts
    I'd like to know if Cpanel is actively "pushing" the ModSec development team or just posting for us to do that. Also I found another item in the docs - is there an implicit workaround by not using persistent storage? Persistent Storage with the initcol, setuid, or setsid directives in the ModSecurity rules, Apache will fail to track that rule. Apache will also log errors to its error_log file. For example, the IP Reputation rule in the OWASP core ruleset may give this error. So is there a way to implement without persistent storage and not have to choose between the two? The point of this thread (there are several on this topic) is that the documentation is not clear. Thanks for clarifying.
    0
  • sonicthoughts
    Spiderlabs say they resolved this in modsec 3 - are there plans to use that? Geo Lookup: Failed to lock proc mutex · Issue #1168 · SpiderLabs/ModSecurity · GitHub Also, yet again the docs are confusing: Current Status of EasyApache 4 - EasyApache 4 - cPanel Documentation says In EasyApache 3, an existing bug with ModSecurity2 and the mod_ruid2 and mod_mpm_itk Apache modules causes some tracking functionality to not work properly with per-user MPMs. We added a conflict to the RPMS in EasyApache 4, so that you cannot install the mod_ruid2 or mod_mpm_itk Apache modules with ModSecurity2. cPanel cannot fix this bug, as this is a ModSecurity2 issue. So if I upgrade to EA4 you will force the disable? Others say it will work? Again confused and frustrated that this does not seem to be taken seriously.
    0
  • JacobPerkins
    Hi, ModSec3 is not ready for production, as stated on their github: "Notice: This project is under development and it is NOT ready to be placed in production yet. It currently does not support all the operators and/or actions of the SecRules language, yet." We're not going to send out non-stable modules, especially for a WAF that's as popular as ModSecurity. As of June 15th, we have removed the RPM conflict between RUID2/ITK and ModSec, so you can use them again, however the bug still persists. Thanks for letting us know about the Current Status page, I updated it this morning, but it's in the queue to be published. That will get updated shortly.
    0
  • olie Murphy
    Ok, On EA3 I just discovered that ITK will ONLY work with apache 2.2 - that is really disappointing. There is really no good option here for performance and it is really hard to follow what works with which version.
    0
  • sonicthoughts
    There are dozens of posts on this - want to make sure someone is looking into this. Cross post: modsec compatability with caching and Mod_ruid2 and mpm_itk Please have your team contact Filipe and discuss approaches.
    0
  • JacobPerkins
    Hi, I'm not sure what we can do by contacting Felipe. These are not issues we can solve, and we are not going to use ModSec 3 until it's production ready. I would recommend having Felipe backport those fixes into ModSec 2.9 so it can be used by those who are using ModSec.
    0
  • Marius
    @cPJacob - Can you please watch the logs provided in the first post here: Easyapache 4 + Modsecurity + Mod_ruid2 errors. I was redirected to this topic and I've read here "We are not going to use ModSec 3, because it is not ready for production environments". My question is: when will the conflict between Easyapache 4 + Modsecurity + Mod_ruid2 be solved? Security should be cPanel's first concern! PS Mod_ruid2 is still experimental in 2017? - The only solution for symlink attacks available at 1 click install via WHM (not advanced sys admins).
    0
  • cPanelMichael
    Hello @mariusfv, Mod Security 3 isn't developed by cPanel and is not yet production ready. There's no specific time frame to offer on its inclusion at this time.
    Mod_ruid2 is still experimental in 2017? - The only solution for symlink attacks available at 1 click install via WHM(not advanced sys admins).

    You may want to consider using the cPanel Hardened Kernel if you are using CentOS 6.x: Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation Thank you.
    0
  • Marius
    Hello @mariusfv, Mod Security 3 isn't developed by cPanel and is not yet production ready. There's no specific time frame to offer on its inclusion at this time.

    @cPanelMichael my mistake: I was referring to Modsecurity 2! Mod Security 2 & mod_ruid2 is installed by default in Easyapache 4 -> cPanel default package and processes the rules 3.0.0, which confused me into saying Modsecurity 3 :)
    vi /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
    SecComponentSignature "OWASP_CRS/3.0.0"
    So in prefork MPM (not ITK) cPanel installs Modsecurity 2 + mod_ruid2 and has a lot of conflicts (was solved prefork + modsecurity 2 + mod_ruid2). See a few of them:
    tail -f /usr/local/apache/logs/error_log
    [Wed Feb 15 05:00:21.491873 2017] [:error] [pid 20211] [client 66.xxx.xxx.xxx] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/hazo/yglx.php"] [unique_id "WKPSVS9n@Qre-tOcMOWD-AAAAAM"]
    [Wed Feb 15 05:00:21.661856 2017] [:error] [pid 20211] [client 66.xxx.xxx.xxx] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/index.php"] [unique_id "WKPSVS9n@Qre-tOcMOWD-AAAAAM"]
    So, as long as it is the default cPanel Easyapache 4 package, can someone investigate and open a case? Thanks!
    0
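
Added example, not part of any post in this thread: a Python triage script that counts ModSecurity "Permission denied" failures of the kind quoted in the post above, grouped by virtual host and by the resource that could not be opened. The sample log lines are constructed (documentation-range client addresses, placeholder unique ids), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the error_log format quoted above.
SAMPLE_LOG = '''\
[Wed Feb 15 05:00:21.491873 2017] [:error] [pid 20211] [client 192.0.2.10] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "www.example.com"] [uri "/a.php"] [unique_id "CONSTRUCTED-0001"]
[Wed Feb 15 05:00:21.661856 2017] [:error] [pid 20211] [client 192.0.2.10] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.example.com"] [uri "/index.php"] [unique_id "CONSTRUCTED-0001"]
[Wed Feb 15 05:00:22.000000 2017] [:error] [pid 20300] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). [hostname "shop.example.com"] [uri "/x"] [unique_id "CONSTRUCTED-0002"]
[Wed Feb 15 05:00:23.000000 2017] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/httpd'
'''

# Only ModSecurity lines that end their message in "Permission denied" match.
LINE_RE = re.compile(
    r'\[pid (?P<pid>\d+)\].*?ModSecurity: (?P<msg>.*?): Permission denied'
    r'.*?\[hostname "(?P<host>[^"]*)"\]')
DBM_RE = re.compile(r'Failed to access DBM file "([^"]+)"')

def classify(msg):
    """Map a ModSecurity message to (kind, resource it could not open)."""
    dbm = DBM_RE.search(msg)
    if dbm:
        return ("dbm", dbm.group(1))           # persistent collection file
    if "Failed to lock proc mutex" in msg:
        return ("mutex", msg.split(":")[0].strip())  # component holding the mutex
    return ("other", msg)

def summarize(log_text):
    """Count permission failures per (hostname, kind, resource)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            kind, resource = classify(m.group("msg"))
            counts[(m.group("host"), kind, resource)] += 1
    return counts

if __name__ == "__main__":
    for (host, kind, resource), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {host}  {kind}  {resource}")
```

Ordinary rule hits such as "Access denied with code 403" are deliberately not counted, so the output isolates the storage and mutex failures from normal WAF activity.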
  • cPanelMichael
    Hello, This isn't an issue we can fix. Here's a quote from earlier on this thread explaining why: This problem has been around for years. cPanel is not able to take any action on this. We are not keen enough on the internals of ModSecurity to patch and ensure we didn't break anything else. This is why I feel we need to push on the ModSec development team to get this fixed, as this bug lies with them, not with cPanel or RUID2/ITK.
    Thank you.
    0
  • Marius
    @cPanelMichael do you have the official Modsecurity github or forum link where to report / discuss bugs? Thanks.
    0
  • cPanelMichael
    @cPanelMichael do you have the official Modsecurity github or forum link where to report / discuss bugs? Thanks.

    Hello, ModSecurity: Open Source Web Application Firewall ModSecurity GitHub ModSecurity / Mailing Lists Thank you.
    0
  • Marius
    Can somebody from cPanel team or anyone else who use Modsecurity + mod_ruid2 to support this issue on Modsecurity Github as long as cPanel confirm this bug as Modsecurity side? Link: cPanel confirmed - Modsecurity incompatibility with Mod_ruid2 · Issue #1334 · SpiderLabs/ModSecurity · GitHub Thanks!
    0
  • Jan-Paul Kleijn
    Hello, This issue will still occur when using Mod_Ruid2 and Mod_Security. The topic is discussed in more detail on the URL referenced in the earlier response: ModSecurity + MPM ITK compatibility - inconsistent documentation Note that the title references MPM ITK, but the same issue applies to Ruid2. Thank you.

    I have read the posts on the page with the URL you provided above but this is not enough I am afraid. Please answer the following questions as correctly and realistically as you can. - Will there be a solution from your side (cPanel) on this before January 1 2018? - If not, what is your professional advice for me (your client) on how to solve this? Regards
    0
  • cPanelMichael
    Hello, Internal case EA-4093 is currently in-progress with the aim of offering support for MPM-ITK and Mod_Ruid2 with Mod_Security. We'll update this thread with more information on the status of this case as it becomes available. Thank you.
    0
  • keat63
    I'd totally forgotten that this issue existed. I disabled RUID2 due to some incompatibilities with a PHP version. I've since updated PHP and re-enabled RUID2 to find that this issue is still ongoing. Maybe 3 years now. What sort of realistic timescale is there for a fix please.
    0
  • Anoop P Alias
    PHP-FPM is better than mod_ruid. If you wish to use modsec and use mod_ruid, you can install a good nginx web server alternative with mod_sec support. Mod_sec is processing the request, so having a frontend web server act as WAF is equally fine as the web server doing both WAF and PHP processing.
    0
  • cPanelMichael
    What sort of realistic timescale is there for a fix please.

    It's tentatively expected for cPanel version 66. Thank you. Update: This is no longer planned for cPanel 66 due to some issues encountered during testing. A resolution will likely come with a production release of ModSecurity 3.x (no ETA on that at this time).
    0
