EasyApache4 install ModSec alongside ModRuid2?
I know that currently EA4 does not allow one to install both Ruid2 and ModSecurity, but EA3 did have support for this. Are there any plans to bring that support forward into EA4, or am I forced to roll back to EA3 and ride that out to the bitter end?
Or, does anyone know of another option that allows ModSec to install on Apache while forcing each php process to run as UID instead of as NOBODY?
-
Hi, There are some bugs with RUID2 and ModSec, both in EA3 and EA4. ModSec doesn't work well with per-user MPMs, as it can't do proper IP tracking because the DBM files aren't owned by the user; they are global. This would need work by ModSec (pretty much a rewrite of how it operates) in order to work properly. I had originally hoped we'd be able to fix this ourselves, and we added the conflict in EA4. We haven't been able to get this working, so we should probably remove that conflict, and just allow those two packages to operate side by side. I've opened case EA-4430 to tackle this; we'll hopefully have these updated RPMs ready in our next production release. I hope this helps! 0 -
It would be very helpful, actually. I've managed for a while now to operate both side by side via EA3 with no issues (I primarily use ModSec to monitor for known exploits, spam posts, and failed logins on my users' sites, so I have luckily been able to avoid the problems that came about a few years ago in the whole ModSec/Ruid2/EA3 conflicts). Right now, I just feel like I'm sitting wide open asking for someone to come and mess with the sites, but I am having to choose between ModSec rules, or keeping the server at a level where PHP can't run out of control without being traceable (running as NOBODY makes finding a memory hole or exploited script a LOT harder to track down). Is there a timeline for Production Release? 0 -
Hi, Our next production release isn't scheduled, as we just did a release on Tuesday. I imagine we'll do another sync in the next few weeks. 0 -
Alrighty, I'll just ride it out. Not a fan of Russian Roulette, but I guess now is as good a time as any to practice. ;) 0 -
Good morning Jacob (and whomever else). Did this feature make the cut for the latest EA4 that was rolled out? I don't see it mentioned in the changelog, but I imagine changes often happen that aren't actually listed (keep to the major stuff, so to speak). 0 -
No, unfortunately it did not. While we were making the change, we noticed that we actually have to do a lot of other work to get this 'switch' fixed properly. While we could remove the conflict, if the DBM exists and has incorrect permissions, we need to make some changes to allow the module to properly read / write the configs. This greatly enhanced the scope of the change, and we had to hold off on it a bit longer. While I don't have an ETA, I hope we'll have it ready for next month's release. 0 -
See here: modsec compatability with caching and Mod_ruid2 and mpm_itk or memcache / cache and mod_ruid2 or this rathole of a topic: Mod RUID 2 and ModSecurity cache + security + per-user apache + performance = impossible with cpanel for now. Actually, in my particular case I'm not very worried about security from a bad actor on the server but do not want apache running everything as nobody.... 0 -
I also feel that this has to be a pretty common request and that I'm completely missing some other config that people use (suPHP which has terrible performance?) 0 -
Hello,
To update, the following case is now published as part of EasyApache 4:
814b990: EA-4632 - Remove mod_mpm_itk and mod_ruid2 conflicts
The full change log is documented at: EasyApache 4 Change Log - EasyApache 4 - cPanel Documentation
Note the DBM issues persist, but we no longer prevent users from enabling both modules at the same time.
Thank you. 0
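The DBM ownership problem discussed in this thread can be checked on a server with a small audit script; the following is an added example, not code from any poster or from cPanel. It lists, for each DBM file in a ModSecurity data directory, which per-user identities cannot write it and whether the file has been opened to everyone. It assumes ModSecurity 2.x stores its collections as `.dir`/`.pag` pairs (such as `ip.dir` and `ip.pag`) in the directory set by `SecDataDir`; the account name `alice` and the demo files are constructed.

```python
import os
import stat

DBM_SUFFIXES = (".dir", ".pag")  # assumed SDBM pair per collection, e.g. ip.dir / ip.pag


def can_write(st, uid, gids):
    """Plain Unix mode-bit check for one identity (ignores ACLs and root)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_data_dir(data_dir, accounts):
    """Map each DBM file to the accounts that cannot write it.

    accounts: {name: (uid, set_of_gids)} for the users Apache switches to
    per vhost under mod_ruid2 or mpm_itk.
    """
    report = {}
    for name in sorted(os.listdir(data_dir)):
        if not name.endswith(DBM_SUFFIXES):
            continue
        st = os.stat(os.path.join(data_dir, name))
        report[name] = {
            "owner_uid": st.st_uid,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "blocked": sorted(a for a, (uid, gids) in accounts.items()
                              if not can_write(st, uid, gids)),
            # World-writable files let any account alter the shared tracking data.
            "world_writable": bool(st.st_mode & stat.S_IWOTH),
        }
    return report


if __name__ == "__main__":
    import tempfile
    # Constructed demo: an ip.pag created by this process, audited for a
    # made-up second account ("alice") with a different uid and gid.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ip.pag")
        open(path, "wb").close()
        os.chmod(path, 0o640)
        st = os.stat(path)
        accounts = {"owner": (st.st_uid, {st.st_gid}),
                    "alice": (st.st_uid + 1, {st.st_gid + 1})}
        print(audit_data_dir(d, accounts))
```

On a real server, build `accounts` from the actual site users (for example with `pwd.getpwnam` and `os.getgrouplist`) and point `data_dir` at the configured data directory.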