v58, EasyApache 4 and modsecurity possibly not working.
Hi.
I made the switch to v58 and EasyApache 4 on or around July 23rd, 2016. To this date, /var/log/apache2/modsec_audit.log, /var/log/apache2/modsec_debug.log and the directory /var/log/apache2/modsec_audit are completely empty.
I also got an e-mail from cPanel saying httpd failed the md5 checksum. Now, some real weird things are happening...
These are the commands I run:
service httpd stop
httpd (no pid file) not running
service httpd start
httpd (pid 815) already running
httpd starting
service httpd stop
httpd (no pid file) not running
service httpd restart
httpd no running, trying to start
httpd (pid 815) already running
httpd started
service httpd stop
httpd (no pid file) not running
ps aux | grep httpd
root 815 0.0 0.5 196660 12136 ? Ss 14:44 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 2064 0.0 0.1 196660 3360 ? S 15:09 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 2066 0.0 0.4 803064 9948 ? Sl 15:09 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 2074 0.0 0.4 803064 9952 ? Sl 15:09 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 2143 0.0 0.4 737528 9888 ? Sl 15:09 0:00 /usr/local/apache/bin/httpd -DSSL
Any ideas what's going on here? I see /etc/init.d/httpd was last updated on Jul 25, 21:35. I see /usr/sbin/httpd was last updated Jul 20, 14:32. The sha1sum of /etc/init.d/httpd is: fadeaf22499075d38f00ec29040530346b728304 The sha1sum of /usr/sbin/httpd is: a4d00637d576f3d683da3d7cc49a0c69a28712c7
-
Hi, Can you run a /scripts/restartsrv_httpd ? This should get you back up and running. The /usr/sbin/httpd is the actual Apache binary in EA4. 0 -
Also, from looking at the /etc/init.d/httpd script, I see this:
# the patch to your PID file
PIDFILE=/usr/local/apache/logs/httpd.pid
However, there is no /usr/local/apache/logs/httpd.pid file. The pid file is located at: /var/run/apache2/httpd.pid
When I run ls -la on it:
ls -la /var/run/apache2/httpd.pid
-rw-r--r-- 1 root root 4 Jul 26 15:09 /var/run/apache2/httpd.pid
To me, it'd make more sense for the pid to remain in /var/run/apache2 and the script should be looking for the PID in /var/run/apache2/ not /usr/local/apache/logs. So, I guess the fix for that problem (which doesn't seem to be related to the mod_security issue like I thought it might be) would be to either update the script to point to the proper directory or have Apache create the PID in the /usr/local/apache/logs directory. Is this a bug on everyone's system or just mine? 0 -
Hi, Can you run a /scripts/restartsrv_httpd ? This should get you back up and running. The /usr/sbin/httpd is the actual Apache binary in EA4.
Thank you. This successfully restarted Apache. /usr/local/apache/bin/httpd is a symlink that points to /usr/sbin/httpd, so we're good there I think. The pid file is still located in /var/run/apache/ directory. Am I not supposed to run stuff like service httpd status and service httpd restart? Should I disable that httpd init script altogether? I'd have thought the /etc/init.d/httpd script would properly handle all the apache stuff. My /etc/init.d/httpd has cPanel stuff in it... 0 -
A ticket's been opened for me about the httpd stuff. So back to the mod_security stuff. How come I don't see anything in the modsec logs? Is there a way to verify that modsecurity2 is actually running and the rules are being processed? All modsecurity logs are empty and the audit directory is empty. EDIT** We should wait until this httpd stuff is fixed before we look anymore into modsecurity2 not working. It turns out when I went to EasyApache 4, not everything got updated. For example, my /etc/init.d/httpd script is the EasyApache 3 /etc/init.d/httpd script, not the EasyApache 4 /etc/init.d/httpd script. This makes me wonder what else didn't get switched. There's a bunch of stuff not right now. cPanel tech support's gonna log in and try to fix me up. Thanks! 0 -
Oh man! The OWASP rules weren't installed anymore at all! I had to install them. Hopefully, this isn't happening to everyone who made the switch to EA4 and v58. 0 -
Error:API failure: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd: Syntax error on line 230 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 27 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf: No such file or directory
- EasyApache 4
- CentOS 6.8 x86_64
- cPanel 58 (build 12)
0 -
Oh man! The OWASP rules weren't installed anymore at all! I had to install them. Hopefully, this isn't happening to everyone who made the switch to EA4 and v58.
Hmm - I'm thinking the same thing has happened to me. Can you tell me how you manually re-installed? I'm having this issue: Enabling ModSecurity OWASP Core Rules Generates Error on cPanel 58 Thanks! 0 -
Hello, I believe your problem is something completely different. For me, I just had to log into WHM, go to ModSecurity Vendors and click Install OWASP or whatever it was. I noticed I have the file that you're missing, however, when I check to see if the crs ruleset is installed by running:
yum info mod_security_crs
I see the epel repository provides the mod_security_crs. If mod_security_crs was installed on my machine though, it would list the Repo as installed.
rpm -qf /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
shows the file doesn't belong to any repository. Stat shows that the file was last changed on 2016-08-02 @ 15:28:28 (3:28PM). At around 15:28:28, I had run /scripts/upcp --cron
My guess is this is what created the /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf file on my machine. To check manually to see if modsec is installed, you could run (as root):
/usr/local/cpanel/scripts/modsec_vendor list
To install the OWASP rules manually, I believe you'd run something like:
/usr/local/cpanel/scripts/modsec_vendor add http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP.yaml
To enable it (if it's not already listed as enabled via the modsec_vendor list command), you could run:
/usr/local/cpanel/scripts/modsec_vendor enable OWASP
You might just want to try running:
/scripts/upcp --force
And see if that fixes it first though. I hope this helps. 0 -
Also, to try and diagnose the problem a bit further, perhaps from an SSH shell, as root, you could run the following commands and tell me the results from each command:
ls -l /etc/apache2/conf.d
ls -l /etc/apache2/conf.d/modsec_vendor_configs
ls -l /etc/apache2/conf.d/modsec_vendor_configs/OWASP
0 -
Error:API failure: The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: httpd: Syntax error on line 230 of /etc/apache2/conf/httpd.conf: Syntax error on line 32 of /etc/apache2/conf.d/modsec2.conf: Syntax error on line 27 of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf: Could not open configuration file /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf: No such file or directory
Hello, Could you verify if the file referenced in that error message exists on your system? It's located at:
/etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
Also, could you let us know the specific steps you are taking to reproduce the issue? Was this ruleset enabled before converting to EasyApache 4? Thank you. 0 -
Hello, Could you verify if the file referenced in that error message exists on your system? It's located at:
/etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
Also, could you let us know the specific steps you are taking to reproduce the issue? Was this ruleset enabled before converting to EasyApache 4? Thank you.
I checked for the presence of
/etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
and wasn't able to locate the file. To reproduce the error I log in to WHM as root --> Click on "ModSecurity Vendors" --> Click "ON" for row for OWASP Vendor --> See Error 0 -
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you. 0 -
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.
Thanks... Here's my support ticket #76168630 -
Brianjking, Perhaps you could keep us updated with the outcome of your problem. I'm a bit interested in knowing what happened and how your issue was fixed. Thanks. 0 -
For anybody reading this, it appears the error is due to the standard OWASP not being installed on the server (as it now shows the v3 version without the standard one). To fix this, run this line from root on server:
/usr/local/cpanel/scripts/modsec_vendor add http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP.yaml
That should install the required files that throw the error when trying to add a custom vendor to install the v3 vendor files. 0
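The error quoted in this thread is a chain of Include directives ending at a file that does not exist. The script below is an added example, not part of the original thread or of cPanel's tooling: it follows Include and IncludeOptional directives from a starting file and lists every required target that is missing. The function name missing_includes and the temporary config tree are constructed for illustration; the tree mirrors the chain in the error message using paths relative to a scratch root, and the parser ignores line continuations and paths containing spaces.

```bash
#!/usr/bin/env bash
# Added example: walk Apache Include directives and report missing targets.
# missing_includes CONF ROOT -> prints "file:line: target" for each missing Include.
missing_includes() {
    local conf=$1 root=$2 lineno=0 line directive target path matched f
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f; set -- $line; set +f          # split into words without globbing
        directive=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
        case $directive in include|includeoptional) ;; *) continue ;; esac
        target=${2:-}; target=${target%\"}; target=${target#\"}
        [ -n "$target" ] || continue
        case $target in /*) path=$target ;; *) path=$root/$target ;; esac
        matched=0
        for f in $path; do                    # unquoted on purpose: expand wildcards
            [ -e "$f" ] || continue
            matched=1
            [ -f "$f" ] && missing_includes "$f" "$root"   # recurse into included file
        done
        # IncludeOptional may match nothing; a plain Include may not.
        if [ "$matched" -eq 0 ] && [ "$directive" = include ]; then
            printf '%s:%s: %s\n' "$conf" "$lineno" "$target"
        fi
    done < "$conf"
}

# Constructed sample tree: httpd.conf -> modsec2.conf -> modsec2.cpanel.conf -> (missing CRS setup file)
demo() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/conf.d/modsec"
    printf 'Include conf.d/modsec2.conf\n' > "$root/conf/httpd.conf"
    printf 'IncludeOptional conf.d/extra/*.conf\nInclude conf.d/modsec/modsec2.cpanel.conf\n' \
        > "$root/conf.d/modsec2.conf"
    printf '# vendor rules\nInclude "conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf"\n' \
        > "$root/conf.d/modsec/modsec2.cpanel.conf"
    (cd "$root" && missing_includes conf/httpd.conf .)
    rm -rf "$root"
}

demo
```

On a server this would be called as missing_includes /etc/apache2/conf/httpd.conf /etc/apache2, assuming ServerRoot is /etc/apache2. httpd -t remains the authoritative syntax check, but it stops at the first error, while this lists every missing required Include in one pass.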