EA4 Mod security Fails
Hi
Why do I get errors when running EA4 build even though I don't have Comodo WAF enabled or set up?
The directory has no files in it and cPanel mod security is disabled.
[Mon Jun 12 17:07:26.074176 2017] [:error] [pid 13433:tid 140145126704896] [client X.X.X.X] ModSecurity: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/13_HTTP_Protocol.conf"] [line "14"] [id "210210"] [rev "1"] [msg "COMODO WAF: Apache Error: Invalid URI in Request.|||F|4"] [data "GET login.cgi HTTP/1.0"] [severity "WARNING"] [tag "CWAF"] [tag "Protocol"] [hostname "X.X.X.X"] [uri "/400.shtml"] [unique_id "WT68Ps3AyEFCo8M5VEEFBAAAABg"]
Regards
Keith
Hi, check the Apache configuration and modsec configuration; there might have been some entries left in it that are triggering this.
When Apache restarts it checks the output of its error_log. If it simultaneously generates output for another reason, or if it saved the error_logs it had buffered waiting to write when the restart was called, then these can be included as part of the output of the restart. It is not infrequent that I see this behavior on my server.

From the way you phrased your issue I assume you saw this same output more than once. If this is true I would assume that a script is hammering requests to login.cgi as part of a brute force attempt on that URI. If that is true, 1, 2 or 3 requests per second is not uncommon. This is why that error is repeatedly being generated when Apache restarts. It is coincidental but common due to the frequency of the request. Many of these brute force scripts are quite dumb and will continue even if the login.cgi script does not exist on your server if they don't get the response they were expecting.

In your case your server is responding with a 400 error code. This response is natively generated by Apache as a response to a bad request. This occurs before ModSecurity has even begun to execute. This means that ModSecurity would not normally log this blocked request. So ModSecurity rule writers and maintainers, both OWASP and Comodo, have rules to parse Apache's error log variable WEBSERVER_ERROR_LOG for the string "Invalid URI in request". Your error shows Comodo WAF rule ID 210210 as the rule being triggered by that event.

Why is a Comodo rule being triggered when you think ModSecurity is disabled and Comodo rules are deleted? How did you "disable modsecurity"? How did you delete Comodo rules?

You could try these. Check the contents of the /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache directory for rules. Check /etc/apache2/conf.d/modsec/modsec2.cpanel.conf for Include directives to Comodo rules.

If you have no Comodo rules and no Includes to them, then try rebuilding httpd.conf with this. Log in to an SSH terminal and rebuild httpd.conf with the command:
/usr/local/cpanel/scripts/rebuildhttpdconf
Then restart Apache with the command:
/usr/local/cpanel/scripts/restartsrv_httpd

If you find rules and find Includes to them and still want to turn them off, then try this. Firstly, to be sure WHM has Comodo WAF disabled, go to:
WHM => Security Center => ModSecurity Vendors => COMODO ModSecurity Apache Rule Set => Enabled (turn on) wait for Success message => Then Enabled (turn off) wait for Success message.
Then log in to an SSH terminal and rebuild httpd.conf with the command:
/usr/local/cpanel/scripts/rebuildhttpdconf
Then restart Apache with the command:
/usr/local/cpanel/scripts/restartsrv_httpd
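The checks suggested in the reply above, collected into a shell helper as an added example (not part of any post in this thread and not cPanel's own tooling). The function names and the fixture built by make_sample are constructed for illustration; on a server, pass audit_vendor the error log path plus the modsec2.cpanel.conf and comodo_apache paths named in the thread.

```shell
#!/usr/bin/env bash
# Added example: confirm whether a ModSecurity vendor rule set is really off.

# Print unique "rule-id rule-file" pairs for ModSecurity entries in error log $1.
fired_rules() {
    sed -n 's/.*ModSecurity:.*\[file "\([^"]*\)"].*\[id "\([^"]*\)"].*/\2 \1/p' "$1" | sort -u
}

# Print active (not commented out) Include/IncludeOptional lines in $1 that mention $2.
active_includes() {
    grep -Ei '^[[:space:]]*Include(Optional)?[[:space:]]' "$1" | grep -F -- "$2" || true
}

# Number of *.conf rule files directly inside vendor directory $1 (0 if it is missing).
rule_file_count() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -maxdepth 1 -type f -name '*.conf' | wc -l | tr -d ' '
}

# Build a constructed fixture under $1 so the functions can be tried off-server.
make_sample() {
    mkdir -p "$1/modsec" "$1/modsec_vendor_configs/comodo_apache"
    : > "$1/modsec_vendor_configs/comodo_apache/13_HTTP_Protocol.conf"
    cat > "$1/modsec/modsec2.cpanel.conf" <<EOF
# Include "$1/modsec_vendor_configs/old_vendor/rules.conf"
Include "$1/modsec_vendor_configs/comodo_apache/13_HTTP_Protocol.conf"
EOF
    # Constructed log lines: one ModSecurity entry, one plain Apache entry.
    cat > "$1/error_log" <<EOF
[Mon Jun 12 17:07:26 2017] [:error] [client 192.0.2.10] ModSecurity: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "$1/modsec_vendor_configs/comodo_apache/13_HTTP_Protocol.conf"] [line "14"] [id "210210"] [msg "constructed sample"]
[Mon Jun 12 17:07:27 2017] [core:error] [client 192.0.2.10] Invalid URI in request GET login.cgi HTTP/1.0
EOF
}

# Usage: audit_vendor <error_log> <modsec conf> <vendor dir> <vendor name>
audit_vendor() {
    echo "Rules seen firing:";       fired_rules "$1"
    echo "Rule files in $3: $(rule_file_count "$3")"
    echo "Active includes for $4:";  active_includes "$2" "$4"
}
```

If fired_rules still lists a vendor file while rule_file_count is 0 and active_includes prints nothing, the entries were logged by a configuration that has since changed, which matches the buffered-log explanation in the reply.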
Why do I get errors when running EA4 build even though I don't have Comodo WAF enabled or set up? The directory has no files in it and cPanel mod security is disabled.
Hello, could you browse to "WHM Home » Security Center » ModSecurity™ Vendors » Manage Vendors" and verify no custom rule sets are enabled? Thank you.