Comodo as a ModSecurity Vendor in cPanel

Comodo can now be easily installed as a ModSecurity Vendor in cPanel for Apache and LiteSpeed platforms.

If your server is running cPanel 11.48 or higher, you may install Comodo as a ModSecurity Vendor using the following steps:

  • Go to Security Center → ModSecurity Vendors.
  • Click Add Vendor.
  • Input one of the URLs depending on your web server:
      Comodo ModSecurity Apache Rule Set: https://waf.comodo.com/doc/meta_comodo_apache.yaml
  • Click Load and then Save.

See also cPanel ModSecurity Vendors Requirements

Warnings:

  • cPanel ModSecurity Vendors are not compatible with the CWAF plugin, so you can’t use both in parallel to manage your protection rules.
  • Don’t activate both Comodo Rule Sets for Apache and LiteSpeed simultaneously to avoid conflicts.

Release Notes:

  • In the current version you can’t report problems with Comodo rules through cPanel ModSecurity Tools.
  • We don’t recommend enabling two ModSecurity Vendors simultaneously, to avoid possible logical conflicts and performance issues.

Please send us your feedback to improve this feature.


So you recommend removing Comodo WAF plugin in WHM if we enable it as a vendor and use your rules through cPanel?
Does this release make it possible for users with the Mod Security icon in cPanel to turn off/on mod_security on their account?

No, because CWAF plugin is much more functional. It’s just another way of using Comodo protection rules embedded into cPanel since version 1.48.

Yes, cPanel ModSecurity implementation allows users to turn on/off mod_security for their selected domains. So if Comodo rules are enabled as vendor, user can turn rules off.

  • How much more functional is the plugin? What can you do that you cannot do in WHM vendor?
  • Ok, great news! Will you be able to provide that feature with your plugin?

Great work guys!

Hi Hedloff

In CWAF Plugin you can control more mod_security options:

  • User Friendly Excludes Management: to enable/disable rules per-domain or globally
  • Protection Wizard: to turn off needless protection rules and achieve performance boost
  • Mod Security Configuration: to change mod_security parameters, disable/enable mod_security for certain domains
  • Custom User Rules: to add custom security rules
  • Console Utility: to manage protection rules from operating system shell

We don’t have enough customer requests about adding this feature.
In addition, this feature can be a source of security breach (for example, see this post: https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/very-serious-vulnerability-thas-was-not-stoped-t109956.0.html)

Should we remove the plugin, disable it or what? If we wish to install it this way through cPanel? Any procedure?

Thanx!

Hi

Uninstall of plugin will restore your ModSecurity config (Use cd /var/cpanel/cwaf/scripts/ && ./uninstall_cwaf.sh).
This will restore Vendors functionality.

Thank you Comodo Team

It would be nice to integrate the additional Mod Security features in Comodo without having false positives.

Home »Security Center »Configure Global Directives

I have my own Project Honey Pot Http:BL API Key

See attached screenshot


So is it required to have the WAF cPanel plugin installed in order to use the ModSecurity Vendor setup or does it just add a few nice extra features? I installed the Vendor and all works great. Just wondering if I need WAF as well since I use ConfigServer Firewall on this machine. Also, will updates happen automatically I assume for the Vendor rules?

We manage whitelisting using ConfigServer ModSecurity Control. Do we need the WAF cpanel plugin if we use that with the Vendor Rule setup?

Hi

You don’t need CWAF plugin to use the ModSecurity Vendor. Moreover it’s impossible to use Comodo rules as ModSecurity Vendor with CWAF plugin installed because it overwrites mod_security config.
We need to choose either Vendor or Plugin. So I guess ModSecurity Vendor plus ConfigServer Firewall will be enough :)
Vendor rules are updated automatically once a day by cPanel.

No, plugin is not required.

I am using Comodo Mod Security Vendor in cPanel on one server.

So far there is nothing listed in the hit list Home »Security Center »Hits List in WHM for 2 days now.

So either my server security is so good that Mod Security is not needed or Comodo Mod Security Vendor in cPanel is not working.

There is no plugin installed.

Please, check:

less /usr/local/apache/conf/modsec2.cpanel.conf

Are there cwaf_0x.conf files? Is SecRuleEngine “On” ?
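
The check suggested above, scripted (an added example, not part of the original post and not Comodo or cPanel code): it reads a cPanel-generated modsec2.cpanel.conf and reports whether SecRuleEngine is On, how many cwaf_NN.conf rule files are included, and whether both Comodo rule sets from the earlier warning are enabled at once. The function name audit_modsec_conf and the sample file are constructed for illustration; the directory layout modsec_vendor_configs/<vendor>/<file> and the vendor names comodo-apache and comodo-litespeed are assumed from what is posted in this thread.

```shell
#!/bin/sh
# Added example: audit a cPanel-generated ModSecurity include file.
# audit_modsec_conf is a hypothetical helper name, not a cPanel or Comodo tool.
audit_modsec_conf() {
    [ -r "$1" ] || { echo "ERROR cannot read $1"; return 2; }
    awk '
        /^[ \t]*#/ { next }                       # ignore commented-out directives
        $1 == "SecRuleEngine" { gsub(/"/, "", $2); engine = $2 }   # last one wins
        $1 == "Include" && $2 ~ /modsec_vendor_configs\// {
            path = $2; gsub(/"/, "", path)
            n = split(path, part, "/")
            vendor = part[n - 1]                  # assumed layout: .../<vendor>/<file>
            if (!(vendor in seen)) {
                seen[vendor] = 1
                vendors = vendors (vendors ? "," : "") vendor
            }
            if (part[n] ~ /^cwaf_[0-9]+\.conf$/) cwaf++
        }
        END {
            printf "engine=%s vendors=%s cwaf_files=%d\n",
                (engine ? engine : "unset"), (vendors ? vendors : "none"), cwaf
            if (engine != "On") { print "FAIL SecRuleEngine is not On"; bad = 1 }
            if (cwaf == 0)      { print "FAIL no cwaf_NN.conf rule files included"; bad = 1 }
            if (("comodo-apache" in seen) && ("comodo-litespeed" in seen)) {
                print "FAIL both Comodo rule sets are enabled"; bad = 1
            }
            exit bad + 0                          # 0 = healthy, 1 = at least one FAIL
        }' "$1"
}

# Constructed sample input (not a real server config): rules are included,
# but the engine only detects, so nothing would be blocked.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SecAuditEngine "RelevantOnly"
# SecRuleEngine "On"
SecRuleEngine "DetectionOnly"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/categories.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_01.conf"
EOF
audit_modsec_conf "$sample" || echo "audit reported problems"
rm -f "$sample"
```

On a real server the argument would be /usr/local/apache/conf/modsec2.cpanel.conf; a non-zero exit status makes the function usable from a monitoring job.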

I got it working now.

But now I get this error when I click on rule that shows up here Home »Security Center »Hits List below

Error: API failure: The vendor “comodo” is not set up.

How do I fix this?

Seems Comodo ModSecurity rules are not set up correctly.
Please check your ModSecurity config.
What is in /usr/local/apache/conf/modsec2.conf ?
What is the content of /usr/local/apache/conf/modsec2.cpanel.conf ?

Here are those files below

/usr/local/apache/conf/modsec2.conf ?


LoadFile /opt/xml2/lib/libxml2.so
# LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module  modules/mod_security2.so
<IfModule mod_security2.c>
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf 
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On 
# SecFilterForceByteRange 0 255
<IfModule mod_ruid2.c>
    SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
    SecAuditLogType Concurrent
</IfModule>
<IfModule itk.c>
    SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
    SecAuditLogType Concurrent
</IfModule>
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
Include "/usr/local/apache/conf/modsec2.user.conf"
Include "/usr/local/apache/conf/modsec2.cpanel.conf"
</IfModule>

/usr/local/apache/conf/modsec2.cpanel.conf ?


################################################################
## This file is automatically generated from the data kept in ##
## /var/cpanel/modsec_cpanel_conf_datastore.                  ##
##                                                            ##
## Manual changes made directly here will be lost when the    ##
## file is regenerated.                                       ##
################################################################

##
## ModSecurity fixed global configuration directives
##

SecDataDir "/var/cpanel/secdatadir"

##
## ModSecurity manageable global configuration directives
##

SecAuditEngine "RelevantOnly"
SecHttpBlKey "jcemzxnjvmvw"
SecRuleEngine "On"

##
## ModSecurity configuration file includes:
##

Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/categories.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_01.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_02.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_03.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_04.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_05.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_06.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_07.conf"

##
## ModSecurity disabled rules:
##

Same issue here if you click the Edit Rule link. It gives the API error. Error: API failure: The vendor “comodo” is not set up.

The rules do seem to be processing fine however.

Yes, we know about this limitation. However, despite this issue, the rules are loaded and working correctly.

cPanel doesn’t fully support our vendor names: “comodo-apache” and “comodo-litespeed”, so probably we’ll need to change them. In the coming weeks we plan to update our cPanel support to enable feedback reporting and fixing of this issue.