Seemingly unable to disable mod_security rule
Hello,
I have a mod_security rule (Comodo 220030) that I don't seem to be able to disable. I have it disabled in 'Home » Security Center » ModSecurity™ Tools » Rules List' and disabled in 'ConfigServer ModSecurity Control - cmc v2.04' Whitelist, and yet hits on the rule are still showing up in 'Home » Security Center » ModSecurity™ Tools » Hits List', leading to people getting blocked by CSF firewall.
Any thoughts as to what to do to troubleshoot/verify this?
Hello,
Internal case CPANEL-7914 is open to address an issue where user-defined ModSecurity rules are not configurable in "WHM > ModSecurity Tools > Rules List". I'll update this thread with more information on the status of this case as it becomes available.
You should be able to make modifications to the rules via the command line as a temporary workaround: For EA3 -
Update: Released with 58.0.26: Fixed case CPANEL-7914: Fix loading of custom mod_security rules.
Thank you.
hmmm... I can verify that SecRuleRemoveById 220030 has been added to the bottom of /etc/apache2/conf.d/modsec/modsec2.cpanel.conf, I assume by the mod_sec tools. That should work, shouldn't it?
It is also in /etc/apache2/conf.d/modsec2.whitelist.conf, which is included by the ConfigServer Mod_sec add-on in the file /etc/apache2/conf.d/modsec/modsec2.user.conf.
Shouldn't one of those work?
You are right, that normally should work. Do you have the rule itself handy by chance?
If the Comodo script was installed in /var/cpanel/cwaf/scripts/, you could run this to exclude globally:
./cwaf-cli.pl -ea 220030
To view list of excluded rules:
./cwaf-cli.pl -xl
You are right, that normally should work. Do you have the rule itself handy by chance?
SecRule QUERY_STRING "!@contains =" \
    "id:1,rev:2,chain,msg:'COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)||%{tx.domain}|%{tx.mode}',phase:1,deny,status:403"
SecRule QUERY_STRING "@rx ^(-(a|b|C|q|T|c|n|d|e|f|h|\?|i|l|m|r|B|R|F|E|S|t|s|v|w|z)|--(interactive|bindpath|no-chdir|no-header|timing|php-ini|no-php-ini|define|profile-info|file|help|usage|info|syntax-check|modules|run|process-begin|process-code|process-file|process-end|server|docroot|syntax-highlight|syntax-highlighting|version|strip|zend-extension|ini|rfunction|rclass|rextension|rzendextension|rextinfo))" \
    "t:'none',t:'urlDecodeUni',t:'trimLeft'"
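One way to check the question raised in this thread (added example, not part of the original posts and not cPanel or Comodo code): ModSecurity 2.x applies SecRuleRemoveById only to rules that are already loaded when the directive is read, so a removal that is parsed before the rule file has no effect. The load order, the file labels other than modsec2.user.conf, and the rule text below are constructed sample input, and audit() is a hypothetical helper.

```python
import re

# Constructed sample input: (file label, contents) in an ASSUMED load order.
# Labels and contents are illustrative and not taken from a real server.
SAMPLE_LOAD_ORDER = [
    ("modsec2.user.conf", "SecRuleRemoveById 220030\n"),
    ("vendor_rules.conf",
     'SecRule QUERY_STRING "!@contains =" \\\n'
     '    "id:220030,chain,phase:1,deny,status:403"\n'
     'SecRule QUERY_STRING "@rx ^-" "t:none"\n'
     'SecRule ARGS "@rx test" "id:220031,phase:2,deny"\n'),
    ("late_exclusions.conf", 'SecRuleRemoveById 220031 "300000-300010"\n'),
]

ID_RE = re.compile(r"\bid:'?(\d+)")

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def removal_covers(args, rule_id):
    """True if the SecRuleRemoveById arguments name rule_id (single ID or range)."""
    for token in args.replace('"', " ").replace("'", " ").split():
        lo, _, hi = token.partition("-")
        if lo.isdigit() and (hi.isdigit() or not hi):
            if int(lo) <= rule_id <= int(hi or lo):
                return True
    return False

def audit(load_order, rule_id):
    """Replay directives in load order; return (still_active, events)."""
    active, events = False, []
    for label, text in load_order:
        for line in logical_lines(text):
            directive, rest = (line.split(None, 1) + [""])[:2]
            if directive.lower() == "secrule":
                m = ID_RE.search(rest)
                if m and int(m.group(1)) == rule_id:
                    active = True
                    events.append(f"{label}: rule defined")
            elif directive.lower() == "secruleremovebyid" and removal_covers(rest, rule_id):
                events.append(f"{label}: removal " +
                              ("applied" if active else "had nothing to remove"))
                active = False
    return active, events

if __name__ == "__main__":
    for rid in (220030, 220031):
        print(rid, audit(SAMPLE_LOAD_ORDER, rid))
```

To use it on a real server, replace SAMPLE_LOAD_ORDER with the contents of the ModSecurity include files in the order Apache actually reads them.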