COMODO WAF broken after EA3 to EA4 update.
After updating from EA3 to EA4 I received an email from cPanel saying
"The EasyApache 4 migration found Apache Include directives in the ModSecurity 2 user configuration file, modsec2.user.conf.To ensure that your web server continues to function correctly, the system commented out these directives.You must review your ModSecurity 2 configuration and verify your Include directive paths."
I attempted to access the COMODO cPanel plugin post-update, but received a 500 error, with the message
"No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/addon_cwaf.cgi): The subprocess reported error number 2 when it ended".
Checking the /usr/local/cpanel/logs/error_log, the following error was displayed
"can't read config /usr/local/apache/conf/modsec2.conf at /var/cpanel/cwaf/modules/CPAN/lib/Comodo/CWAF/ModSecurity.pm"
I checked /usr/local/apache/conf, and there was no modsec2.conf file in there at all.
I thought that I'd try removing and then re-adding the COMODO rules, so removed the Vendor in cPanel. It turns out that didn't actually do anything for me at all other than no longer have COMODO listed as a Vendor. I ended up grabbing the cwaf_client_install.sh from the COMODO WAF site, and went through the installation again.
The install was "successful" and I can see (and access) the plugin again, but the Vendor also was not re-added during the install, so I hunted down the yaml file and now I have the vendor visible and the plugin accessible.
Everything should work now, but it doesn't.
In the plugin, If I enter my COMODO WAF username and password and try to schedule Rules Updates, I get an error "Error! Request to server failed". Likewise, if I try changing anything the plugin, it 'seems' to change, but if I go back in, nothing has actually changed and after all. Anything I enabled is disabled again, anything I disabled is enabled again.
So the plugin is installed, but doesn't actually seem to be interacting with modsecurity on the server.
Likewise, the Vendor tab is broken too. According to the Vendors tab only 1/34 sets are listed as being included (completely different to the 9/9 listed in the plugin). However if I try to enable them from that screen, I get an error:
"The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 22 of /var/cpanel/cwaf/rules/00_Init_Initialization.conf:
ModSecurity: Found another rule with the same id"
Basically I seem to have two ways to modify the modsecurity rules, but neither function :(
At this point I've probably already lost the user configured rules that I had previously set up in ea3. The upgrade process apparently commented them out, but I never found where they were stored. I can live with the loss of a couple of custom rules, but really need to fix the COMODO WAF vendor and plugin.
Can somebody guide me through successfully uninstalling and cleaning all traces to a clean state with no enabled modsecurity at all, so that I can reinstall the COMODO WAF Vendor and Plugin and have them work again?
Or will I need to log a ticket?
-
You still have a valid subscription at Comodo WAF login ? Please check and confirm that First. To fix 500 error, me also ended up in removing and installing the same again but not tested the same in EA4. To uninstall properly, did you used the below steps ? ==== To uninstall CWAF for cPanel just run this script: bash /var/cpanel/cwaf/scripts/uninstall_cwaf.sh ===== If not try that and then reinstall the same and see if that works 0 -
With EasyApache 4, you can easily install Comodo WAF rules by adding them in Home " Security Center " ModSecurity" Vendors " Manage Vendors Use: https://waf.comodo.com/doc/meta_comodo_apache.yaml0 -
NixTree, I've definitely got an active COMODO WAF account, I logged in to it while I was hunting down the installation instructions, and it was required during the re-install of the plugin. Thanks for letting me know about that uninstall script. Chris, thanks, but as mentioned in the post, I already reinstalled the Vendor and it was non-functional like the plugin. Prior to migrating to EA4 both Vendor and plugin were installed and functional. ----- To get to a fresh slate, I've uninstalled the Vendor and plugin. However in "ModSecurity Tools -> Rules List" even after removing both COMODO installs, I have 63 rules listed. I'm beginning to think that the reason why neither vendor nor plugin could update the rules, is because some part of the ea3 to ea4 migration disconnected COMODO from it's own rules, and both were failing because they trying to re-add rules with the same ID as rules already in the system. I might be wrong though, those 63 rules could be default rules that come with modsecurity for all I know. I don't want to just delete them, but I'd like to get back to a default modsecurity install before I re-add the Vendor and then reinstall the plugin. I believe I'm pretty safe in my assumption that the following two rules are "default" rules that need to stay: # Deprecated due to security issues so it should be off: ModSecurity Blog: Transformation Caching Unstable, Fixed, But Deprecated SecCacheTransformations Off # Include /usr/local/apache/conf/modsec2.whitelist.conf Include /etc/apache2/conf.d/modsec2.whitelist.conf ** That link is actually a commented url that the boards have converted Can anyone point me to a list of rules that should be installed by default on cPanel, when there are no active Vendors? Either that, or take a quick peek at my leftOverRules.txt and let me know if the rest are all left overs from COMODO or not 0 -
Hello, cPanel does not include any Mod_Security rules by default. You can edit and remove any existing rules if you'd like to start fresh by removing any lines in the interface at "WHM >> ModSecurity Tools >> Rules List >> Edit Rules". Thank you. 0
Please sign in to leave a comment.
Comments
4 comments