Author Topic: Broken update?  (Read 1239 times)

Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Broken update?
« on: October 04, 2017, 02:03:54 PM »
I have multiple servers giving the error:

collection_store: Failed to write to DBM file "/var/cpanel/secdatadir/ip": Invalid argument

It seems to occur with every access, not just violations and is a recent issue.

Is there an issue with a recent update or something?

I've tried disabling the bruteforce rule set in case that was the issue, but no change.

Anyone else experiencing this?

Offline amsscott

  • Newbie
  • *
  • Posts: 7
Re: Broken update?
« Reply #1 on: October 04, 2017, 02:33:32 PM »
Yea, I'm seeing this too.

I thought this might've been some custom rules I had been using, but I've disabled those and I'm still seeing this.

Did this start with 1.140?  I'm just now noticing it, but I won't say for certain that it started with 1.140.

I may try downgrading to 1.139 and see if that fixes anything.

Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Re: Broken update?
« Reply #2 on: October 04, 2017, 02:55:37 PM »
I'm not certain which version it started with, but it was definitely recent.

Offline amsscott

  • Newbie
  • *
  • Posts: 7
Re: Broken update?
« Reply #3 on: October 04, 2017, 03:11:25 PM »
Best I can tell, this did start with 1.140.  Downgrading to 1.139 seems to resolve this issue (at least in the limited time I have been watching this).

Checking this further, I believe the issue is in the 12_HTTP_HTTPDoS.conf file

Specifically the added lines:

Code:
SecRule REQUEST_FILENAME "@ge 0" \
      "id:217310,chain,msg:'COMODO WAF: Emergency DDoS bot protection test.||%{tx.domain}|%{tx.mode}|2',phase:4,pass,log,t:none,t:length,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &IP:COOKIE_SENT "@eq 0" \
      "chain,setvar:'ip.unique+%{UNIQUE_ID}'"
SecRule STREAM_OUTPUT_BODY "@rsub s/<head>/<head><script>document.cookie=\"jsddosbd=%{ip.unique};max-age=300;path=\/;\";<\/script>" \
      "setvar:'ip.cookie_sent=1',expirevar:'ip.cookie_sent=300',t:none"

SecRule IP:COOKIE_SENT "@eq 1" \
      "id:217311,chain,msg:'Client failed emergency DDoS bot protection test||%{tx.domain}|%{tx.mode}|2',phase:1,deny,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &REQUEST_COOKIES:jsddosbd "!@eq 1"

SecRule IP:COOKIE_SENT "@eq 1" \
      "id:217312,chain,msg:'Client failed emergency DDoS bot protection test||%{tx.domain}|%{tx.mode}|2',phase:1,deny,deny,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule REQUEST_COOKIES:jsddosbd "!@streq %{ip.unique}" \
      "t:none"

(Pretty much the last 14 lines of that file)

If you comment out those lines, this seems to stop this error from flooding the error_log.

I do not know what specifically in these rules is causing this issue.

Offline garconcn

  • Newbie
  • *
  • Posts: 14
Re: Broken update?
« Reply #4 on: October 04, 2017, 03:47:56 PM »
We've seen the same issue on multiple cPanel servers; the /var/cpanel/secdatadir/ip.pag file grew to 100GB. The servers had high CPU/IO usage, and it caused some servers to go down. Disabling the HTTP rules seems to fix the issue.

This is the 2nd time a Comodo rule update has brought down our servers. We've disabled the auto-update.


Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Re: Broken update?
« Reply #5 on: October 04, 2017, 04:21:54 PM »
Best I can tell, this did start with 1.140.  Downgrading to 1.139 seems to resolve this issue (at least in the limited time I have been watching this).

Checking this further, I believe the issue is in the 12_HTTP_HTTPDoS.conf file

Specifically the added lines:

Code:
SecRule REQUEST_FILENAME "@ge 0" \
      "id:217310,chain,msg:'COMODO WAF: Emergency DDoS bot protection test.||%{tx.domain}|%{tx.mode}|2',phase:4,pass,log,t:none,t:length,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &IP:COOKIE_SENT "@eq 0" \
      "chain,setvar:'ip.unique+%{UNIQUE_ID}'"
SecRule STREAM_OUTPUT_BODY "@rsub s/<head>/<head><script>document.cookie=\"jsddosbd=%{ip.unique};max-age=300;path=\/;\";<\/script>" \
      "setvar:'ip.cookie_sent=1',expirevar:'ip.cookie_sent=300',t:none"

SecRule IP:COOKIE_SENT "@eq 1" \
      "id:217311,chain,msg:'Client failed emergency DDoS bot protection test||%{tx.domain}|%{tx.mode}|2',phase:1,deny,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &REQUEST_COOKIES:jsddosbd "!@eq 1"

SecRule IP:COOKIE_SENT "@eq 1" \
      "id:217312,chain,msg:'Client failed emergency DDoS bot protection test||%{tx.domain}|%{tx.mode}|2',phase:1,deny,deny,log,t:none,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule REQUEST_COOKIES:jsddosbd "!@streq %{ip.unique}" \
      "t:none"

(Pretty much the last 14 lines of that file)

If you comment out those lines, this seems to stop this error from flooding the error_log.

I do not know what specifically in these rules is causing this issue.

Yes, the rules 217310, 217311 and 217312 do appear to be the culprit.

Disabled those for now.

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: Broken update?
« Reply #6 on: October 05, 2017, 06:41:41 AM »
I have multiple servers giving the error:

collection_store: Failed to write to DBM file "/var/cpanel/secdatadir/ip": Invalid argument

It's one of the unresolved issues with ModSecurity, discussed several times on this forum. The best way to avoid it is to exclude (not disable) these rules.
It can be done with the CWAF plugin, in Catalog.

Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Re: Broken update?
« Reply #7 on: October 05, 2017, 07:04:40 AM »
It's one of the unresolved issues with ModSecurity, discussed several times on this forum. The best way to avoid it is to exclude (not disable) these rules.
It can be done with the CWAF plugin, in Catalog.

I'm using Comodo as a ModSecurity vendor in cPanel rather than the plugin. The only option is to "disable" those rules to stop this issue.

Additionally, this particular issue is not the same issue as previously getting it with other bruteforce rules enabled.

With these DDoS rules enabled, you get this error with every access, not ModSecurity violations.

Offline joaosavioli

  • Newbie
  • *
  • Posts: 7
Re: Broken update?
« Reply #8 on: October 05, 2017, 09:21:34 AM »
Hello guys,

Same problem here.

What's the best way to disable it? I'm using Comodo rules in cPanel vendors.

Best regards
Joao

Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Re: Broken update?
« Reply #9 on: October 05, 2017, 09:33:12 AM »
Hello guys,

Same problem here.

What's the best way to disable it? I'm using Comodo rules in cPanel vendors.

Best regards
Joao

Go to ModSecurity Tools in cPanel, click Rules List, and search for 2173; that will bring up the 3 rules you need to disable (217310, 217311 and 217312). Click Disable for each, then scroll down, click Save, and restart Apache.
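For anyone managing the ModSecurity configuration by hand rather than through the cPanel UI, the same result can be reached with ModSecurity's own exclusion directives. The fragment below is an added example, not cPanel's or Comodo's configuration; the file name is an assumption, and the one thing that is not negotiable is ordering, since SecRuleRemoveById only affects rules Apache has already loaded, so the fragment must be included after the vendor rule files.

```apache
# Added example, not part of the Comodo rule set or cPanel's generated config.
# Assumed location: whatever file your cPanel build loads AFTER the vendor rules
# (the file the ModSecurity Tools UI edits as "custom rules" is the usual place).

# Exclude exactly the three chained HTTPDoS rules named in this thread. Removing
# the chain starter (217310) removes its chained SecRule lines with it.
SecRuleRemoveById 217310 217311 217312

# Alternative, broader than the thread's advice: drop every rule carrying the
# HTTPDoS tag, which is what "disabling the http rules" amounts to. SecRuleRemoveByTag
# takes a regular expression matched against each rule's tag values.
# SecRuleRemoveByTag "^HTTPDoS$"
```

After editing, run the Apache configuration check before restarting so a typo in the exclusion does not take the web server down with it; the directive is silently ignored if it is loaded before the rules it names, which is the most common reason an exclusion "does not work".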

Offline joaosavioli

  • Newbie
  • *
  • Posts: 7
Re: Broken update?
« Reply #10 on: October 05, 2017, 10:01:54 AM »
Thank you very much.

This solution worked fine for me.

Best
Joao


Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Re: Broken update?
« Reply #12 on: October 05, 2017, 12:22:59 PM »
Updated information:

http://permalink.gmane.org/gmane.comp.apache.mod-security.user/5449
https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch03-configuration.html

There is no doubt the "Failed to write to DBM file" issue is nothing new with ModSecurity and using the bruteforce rules on a server that is receiving a high rate of brute force attempts will cause the ModSecurity data file to grow and begin generating that error. That is not the point here.

The point in this thread is that the new rules 217310, 217311 and 217312 specifically are making the ip.pag file grow at a far faster rate, and have made the issue so much worse that overall server performance is being affected badly.
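The difference between "the usual brute-force DBM growth" and "every request writes to the collection" is visible in error_log: the collection_store failures arrive at page-view rate instead of attack rate. The script below is an added example (not cPanel's, Comodo's or this thread's own code) that parses those messages, counts them per minute and per client, and lists oversized files in the secdatadir. It assumes the default Apache 2.4 error_log layout; the sample log lines, hostnames and addresses are constructed for the example.

```python
"""Rate-check ModSecurity collection_store write failures and the secdatadir size.

Added example for this thread, not cPanel or Comodo code. SAMPLE_LOG is
constructed (RFC 5737 addresses, fake unique_ids); feed it your real error_log
lines instead.
"""
import os
import re
from collections import Counter
from datetime import datetime

# Assumption: default Apache 2.4 ErrorLogFormat, as ModSecurity 2.x writes into it.
DBM_ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[:error\] \[pid \d+\] \[client (?P<client>[^\]\s]+)\] '
    r'ModSecurity: collection_store: Failed to write to DBM file '
    r'"(?P<file>[^"]+)": (?P<reason>[^\[]+)'
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

# Constructed sample: three DBM failures from ordinary page views plus one unrelated line.
SAMPLE_LOG = """\
[Wed Oct 04 14:03:54.101234 2017] [:error] [pid 2101] [client 198.51.100.7:51234] ModSecurity: collection_store: Failed to write to DBM file "/var/cpanel/secdatadir/ip": Invalid argument [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTED-0001"]
[Wed Oct 04 14:03:55.220011 2017] [:error] [pid 2102] [client 203.0.113.9:40011] ModSecurity: collection_store: Failed to write to DBM file "/var/cpanel/secdatadir/ip": Invalid argument [hostname "www.example.com"] [uri "/index.php"] [unique_id "CONSTRUCTED-0002"]
[Wed Oct 04 14:03:56.000000 2017] [:error] [pid 2103] [client 198.51.100.7:51240] AH01276: Cannot serve directory /home/example/public_html/: No matching DirectoryIndex
[Wed Oct 04 14:04:01.334455 2017] [:error] [pid 2104] [client 198.51.100.7:51251] ModSecurity: collection_store: Failed to write to DBM file "/var/cpanel/secdatadir/ip": Invalid argument [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTED-0003"]
"""


def parse_dbm_error(line):
    """Return the fields of one collection_store write failure, or None for any other line."""
    m = DBM_ERROR_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "client": m.group("client").rsplit(":", 1)[0],  # strip the source port
        "file": m.group("file"),
        "reason": m.group("reason").strip(),
    }


def summarize(lines):
    """Count DBM write failures in total, per minute and per client IP.

    A high per-minute count spread across many clients is the signature of the
    HTTPDoS rules (every request writes the ip collection); a count dominated by a
    few clients looks like the older brute-force-rule growth instead.
    """
    per_minute, per_client, files = Counter(), Counter(), set()
    for line in lines:
        ev = parse_dbm_error(line)
        if ev is None:
            continue
        per_minute[ev["time"].strftime("%Y-%m-%d %H:%M")] += 1
        per_client[ev["client"]] += 1
        files.add(ev["file"])
    return {
        "total": sum(per_minute.values()),
        "per_minute": dict(per_minute),
        "per_client": dict(per_client),
        "files": sorted(files),
    }


def storage_files_over_limit(secdatadir, limit_bytes):
    """List (path, size) for collection files (ip.pag, ip.dir, ...) larger than limit_bytes."""
    hits = []
    if not os.path.isdir(secdatadir):
        return hits
    for name in sorted(os.listdir(secdatadir)):
        path = os.path.join(secdatadir, name)
        if os.path.isfile(path):
            size = os.path.getsize(path)
            if size > limit_bytes:
                hits.append((path, size))
    return hits


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(report)
    # 1 GiB is a constructed threshold; pick one below what your disk and I/O can absorb.
    for path, size in storage_files_over_limit("/var/cpanel/secdatadir", 1 << 30):
        print(f"WARNING: {path} is {size} bytes")
```

To use it on a live server, pass the lines of the Apache error_log to summarize() (for example from a cron job tailing the last few thousand lines) and alert when the per-minute count tracks the access-log rate; that is the condition this thread describes, and it is what distinguishes a rule-set regression from the long-known DBM growth under brute-force traffic.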

Offline vadim

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 339
Re: Broken update?
« Reply #13 on: October 05, 2017, 04:59:44 PM »
--
Vadim Lvovskiy
Development Manager
COMODO Group Inc.

Offline snewtonge

  • Newbie
  • *
  • Posts: 18
Re: Broken update?
« Reply #14 on: October 05, 2017, 05:43:21 PM »

 
