Apache Status page fails after 64 update

Comments

12 comments

  • fuzzylogic
    I had the same symptoms when mod-security rules blocked requests GET /whm-server-status/ from 127.0.0.1. The Apache Status page uses the GET /whm-server-status/ to get the info. This can be fixed with one new rule so as to turn off the offending rules for this request only from 127.0.0.1 only. The rule you need depends on which ruleset you are using, the new one or the old one. The rule to use for the new OWASP3 ruleset is...
    # Rule to allow cPanel whm-server-status requests with missing mandatory headers.
    #
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
        "msg:'Matched 127.0.0.1 and matched whm-server-status. Disabling rules 920280 and 920350',\
        phase:1,\
        id:8888777,\
        t:none,\
        pass,\
        nolog,\
        chain"
        # The optional trailing slash (/?) also covers GET /whm-server-status/
        SecRule REQUEST_FILENAME "@rx ^/whm-server-status/?$" \
            "t:none,\
            ctl:ruleRemoveById=920280,\
            ctl:ruleRemoveById=920350"
    To add it go to WHM=>Security Center=>Tools=>Rules=>Add Rule. All the rule IDs have changed between the old CRS and the new CRS. If you are still using the old ruleset the other rule is posted here to fix that. The other PHPMyAdmin looks like it may be modsecurity related also. Look in WHM=>Security Center=>Tools Hits for more info.
    0
  • cPanelMichael
    Hello, I'm unable to reproduce the issues you have reported on a test system, but it seems similar to the issue reported on the following thread: 217220 COMODO WAF: Request Missing a Host Header. Could you verify if the solution referenced on that thread helps? Thank you.
    0
  • fuzzylogic
    The cause and the resolution to this problem depend on the mod-security rule set you are using. To determine your ruleset... Go to WHM=>Security Center=>Modsecurity Vendors then post the name of the active Vendor Rule set. Then go to WHM=>Security Center=>Tools and do a search for whm-server-status. Post the rule numbers that are being triggered.
    0
  • cuzzmunger
    Hi There, I have just upgraded to cPanel & WHM 64.0 (build 18) and implemented OWASP ModSecurity Core Rule Set V3.0 as well as the core OWASP ModSecurity Core Rule Set. I added the rule above but still can get apache status via WHM. I can get the status via ssh. Did I need to change anything in the rule for my server? Any help appreciated. build below.
    /etc/redhat-release:CentOS release 6.9 (Final)
    /usr/local/cpanel/version:11.64.0.18
    /var/cpanel/envtype:standard
    CPANEL=release
    Server version: Apache/2.4.25 (cPanel)
    Server built: Apr 7 2017 15:35:22
    ea-php-cli Copyright 2016 cPanel, Inc.
    PHP 7.0.18 (cli) (built: Apr 17 2017 14:19:18) ( NTS )
    Copyright (c) 1997-2017 The PHP Group
    Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    mysql Ver 15.1 Distrib 10.0.30-MariaDB, for Linux (x86_64) using readline 5.1
    Cheers Cuzz
    0
  • fuzzylogic
    Quote. "implemented OWASP ModSecurity Core Rule Set V3.0 as well as the core OWASP ModSecurity Core Rule Set" It makes no sense to have both rule sets enabled simultaneously. Try with only the Core Rule Set V3.0 enabled. While logged into WHM try to view Server Status => Apache Status. Then view Security Center => Tools and look or search for hits from 127.0.0.1. You will see the rules that have been triggered (or an absence of triggered rules). With this setup, even without the exception rule I would expect you could view Server Status => Apache Status, but it will record a non-blocking log entry for rule 920280.
    0
  • cuzzmunger
    Thanks fuzzylogic, I thought that might be the case having both running. I disabled the old rule set and enabled the above rule and now getting the results for Apache Status. Below is the result of having both running with or without the above rule.
    2017-04-29 13:30:35 127.0.0.1 CRITICAL 403 949110: Inbound Anomaly Score Exceeded (Total Score: 8) Request: GET /whm-server-status/ Action Description: Access denied with code 403 (phase 2). Justification: Operator GE matched 5 at TX:anomaly_score.
    I'm still getting a WARNING
    2017-04-29 13:39:05 127.0.0.1 WARNING 200 920280: Request Missing a Host Header Request: GET /whm-server-status/ Action Description: Warning. Justification: Operator EQ matched 0 at REQUEST_HEADERS.
    Should I worry about the warning? Thanks again.
    0
  • fuzzylogic
    This is a legitimate and safe request from your server to itself, so it is nothing to worry about. My server makes similar requests for three separate reasons.
    1. Loading Apache Status page as you reported
    2. Every 5 minutes WHM makes request to /whm-server-status
    3. Every 5 minutes WHM Plugin Munin makes 3 requests to /whm-server-status?auto
    These requests score 4 incoming anomaly points each time. The Default max incoming anomaly points is 5. So triggering one of these rules per request does not block that request. What does happen though is that your modsec hits logs get many events logged which are of little use for you. The exclusion rule I posted above will (for these requests only) turn off the 2 rules that are triggered. This in turn will stop the log entries for these requests.
    0
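
An added example (not code from the thread or from cPanel): a Python triage of ModSecurity hits entries that separates loopback requests to /whm-server-status, which the exclusion rule is meant to quiet, from hits that have to stay visible. The sample lines are constructed in the layout of the entries quoted above; the function name `triage` and the optional trailing slash in the path pattern are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines, laid out like the hits entries quoted in the thread.
SAMPLE_HITS = """\
2017-04-29 13:30:35 127.0.0.1 CRITICAL 403 949110: Inbound Anomaly Score Exceeded (Total Score: 8) Request: GET /whm-server-status/
2017-04-29 13:39:05 127.0.0.1 WARNING 200 920280: Request Missing a Host Header Request: GET /whm-server-status/
2017-04-29 13:40:00 127.0.0.1 WARNING 200 920280: Request Missing a Host Header Request: GET /whm-server-status?auto
2017-04-29 13:41:12 203.0.113.9 WARNING 200 920280: Request Missing a Host Header Request: GET /whm-server-status
2017-04-29 13:42:30 127.0.0.1 WARNING 200 920280: Request Missing a Host Header Request: GET /index.php
"""

HIT = re.compile(
    r"^\S+ \S+ (?P<ip>\S+) [A-Z]+ (?P<status>\d{3}) (?P<rule>\d+): "
    r".*? Request: [A-Z]+ (?P<uri>\S+)"
)
# Assumption: the status path may carry a trailing slash, as in the quoted hits.
STATUS_PATH = re.compile(r"^/whm-server-status/?$")
SCORE_RULE = "949110"  # anomaly-score rule from the thread's 403 entry


def triage(text):
    """Sort hits into exclusion candidates, blocked requests and hits to keep."""
    exclude, blocked, keep = Counter(), 0, []
    for line in text.splitlines():
        m = HIT.match(line)
        if not m:
            continue
        path = m["uri"].split("?", 1)[0]  # compare the path only, no query string
        if m["ip"] != "127.0.0.1" or not STATUS_PATH.match(path):
            keep.append((m["ip"], m["rule"], m["uri"]))  # outside the exclusion's scope
        elif m["rule"] == SCORE_RULE:
            if m["status"] == "403":
                blocked += 1  # status request denied on its total score
        else:
            exclude[m["rule"]] += 1  # detection rule firing on the self-request
    return {"exclude": dict(exclude), "blocked": blocked, "keep": keep}


if __name__ == "__main__":
    result = triage(SAMPLE_HITS)
    print("rule IDs to list in the exclusion:", result["exclude"])
    print("status requests denied:", result["blocked"])
    for ip, rule, uri in result["keep"]:
        print("keep logging:", ip, rule, uri)
```

Anything returned under `keep` comes from another address or another path, so an exclusion that silences it is scoped too widely.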
  • cuzzmunger
    Cheers, Thank you.
    0
  • cPanelMichael
    Hello, Note that as mentioned in the thread linked earlier, internal case CPANEL-1070 is open to report the false positive that appears when accessing "WHM >> Server Status >> Apache Status" with the OWASP ruleset enabled. We'll update that thread with more information on the status of that case as it becomes available. Thank you.
    0
  • Spork Schivago
    cPanelMichael, Do you know if CPANEL-1070 will add a proper header to the request to whm-server-status or if it'll just add / modify a ModSec conf file to disable the rules that show up in the log file? Thanks.
    0
  • cPanelMichael
    The case is still under review, so no determination on a change has been made at this time. However, the suggestion in the case is to add the necessary headers in the HTTP GET request for /whm-server-status. Thank you.
    0
  • Spork Schivago
    Thank you!!!!!
    0