Author Topic: Comodo as a ModSecurity Vendor in cPanel  (Read 21149 times)

Offline oleg.tsygany

  • Comodo's Hero
  • *****
  • Posts: 275
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #15 on: March 11, 2015, 10:16:18 AM »
It seems the Comodo ModSecurity rules are not set up correctly.
Please check your ModSecurity config.
What is in /usr/local/apache/conf/modsec2.conf?
What is the content of /usr/local/apache/conf/modsec2.cpanel.conf?

Offline pointaction

  • Newbie
  • *
  • Posts: 9
  • Programmers do not bite they just nibble a bit
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #16 on: March 11, 2015, 10:24:15 AM »
Here are those files below

/usr/local/apache/conf/modsec2.conf  ?
Code:
LoadFile /opt/xml2/lib/libxml2.so
# LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module  modules/mod_security2.so
<IfModule mod_security2.c>
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
<IfModule mod_ruid2.c>
    SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
    SecAuditLogType Concurrent
</IfModule>
<IfModule itk.c>
    SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
    SecAuditLogType Concurrent
</IfModule>
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
Include "/usr/local/apache/conf/modsec2.user.conf"
Include "/usr/local/apache/conf/modsec2.cpanel.conf"
</IfModule>


/usr/local/apache/conf/modsec2.cpanel.conf ?
Code:
################################################################
## This file is automatically generated from the data kept in ##
## /var/cpanel/modsec_cpanel_conf_datastore.                  ##
##                                                            ##
## Manual changes made directly here will be lost when the    ##
## file is regenerated.                                       ##
################################################################

##
## ModSecurity fixed global configuration directives
##

SecDataDir "/var/cpanel/secdatadir"

##
## ModSecurity manageable global configuration directives
##

SecAuditEngine "RelevantOnly"
SecHttpBlKey "jcemzxnjvmvw"
SecRuleEngine "On"

##
## ModSecurity configuration file includes:
##

Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/categories.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_01.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_02.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_03.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_04.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_05.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_06.conf"
Include "/usr/local/apache/conf/modsec_vendor_configs/comodo-apache/cwaf_07.conf"

##
## ModSecurity disabled rules:
##
Thank you,

VLee

Offline bgarrant

  • Newbie
  • *
  • Posts: 6
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #17 on: March 11, 2015, 10:43:18 AM »
Same issue here if you click the Edit Rule link.  It gives the API error. Error:API failure: The vendor “comodo” is not set up.

Offline bgarrant

  • Newbie
  • *
  • Posts: 6
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #18 on: March 11, 2015, 10:46:39 AM »
The rules do seem to be processing fine, however.

Offline vadim

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 338
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #19 on: March 12, 2015, 06:09:53 AM »
Same issue here if you click the Edit Rule link.  It gives the API error. Error:API failure: The vendor “comodo” is not set up.

Yes, we know about this limitation. However, despite this issue, the rules are loaded and working correctly.

cPanel doesn't fully support our vendor names: "comodo-apache" and "comodo-litespeed", so we'll probably need to change them. In the coming weeks we plan to update our cPanel support to enable feedback reporting and to fix this issue.
--
Vadim Lvovskiy
Development Manager
COMODO Group Inc.

Offline bgarrant

  • Newbie
  • *
  • Posts: 6
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #20 on: March 12, 2015, 07:43:30 AM »
I uninstalled the WAF cPanel plugin. I noticed that /var/cpanel/cwaf/ is still on the server and I am still getting the /var/cpanel/cwaf/scripts/updater.pl 2>&1 Cron notification email each evening. Are these just left over from the WAF Plugin or are they needed for the new Vendor setup?

Offline oleg.tsygany

  • Comodo's Hero
  • *****
  • Posts: 275
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #21 on: March 12, 2015, 07:57:30 AM »
Hi

How did you uninstall the plugin?
# cd /var/cpanel/cwaf/scripts && ./uninstall_cwaf.sh  ?

This will remove the scheduled update and the Perl modules, and restore the ModSecurity configuration.

Offline bgarrant

  • Newbie
  • *
  • Posts: 6
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #22 on: March 12, 2015, 08:06:01 AM »
I did not uninstall the Perl module.  Thanks for that script. Now I only have the Comodo Vendor setup which is perfect.  :)

Offline pointaction

  • Newbie
  • *
  • Posts: 9
  • Programmers do not bite they just nibble a bit
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #23 on: March 12, 2015, 09:32:04 AM »
I may switch back to plugin mode until this is fixed.
Thank you,

VLee

Offline oleg.tsygany

  • Comodo's Hero
  • *****
  • Posts: 275
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #24 on: March 12, 2015, 10:19:25 AM »
I may switch back to plugin mode until this is fixed.

Your config files are correct. The "API failure" error happens because cPanel doesn't fully support our vendor names.
A fix will be available soon.
The rules are working correctly, so I think you can just ignore this error for now.

Offline pointaction

  • Newbie
  • *
  • Posts: 9
  • Programmers do not bite they just nibble a bit
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #25 on: March 12, 2015, 10:29:15 AM »
Your config files are correct. The "API failure" error happens because cPanel doesn't fully support our vendor names.
A fix will be available soon.
The rules are working correctly, so I think you can just ignore this error for now.

Ok...

Thank you
Thank you,

VLee

Offline vadim

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 338
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #26 on: March 19, 2015, 04:58:46 AM »
We have released a new version of the cPanel ModSecurity Vendor service.

In the new version you may report problems with Comodo rules through cPanel ModSecurity Tools:

But for full support of cPanel ModSecurity Tools, we had to change the YAML links.

Input one of the URLs depending on your web server:

Please see all configuration steps here:

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/comodo-as-a-modsecurity-vendor-in-cpanel-t110147.0.html;msg800100#msg800100

--
Vadim Lvovskiy
Development Manager
COMODO Group Inc.

Offline vadim

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 338
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #27 on: March 19, 2015, 06:54:57 AM »
If you already use Comodo as a ModSecurity Vendor for Apache with the old link:

https://waf.comodo.com/doc/meta_comodo-apache.yaml

and you want full support of cPanel ModSecurity Tools, including reporting problems to Comodo (see details here), you need to do the following steps:

  • Go to WHM 'Security Center'-'Modsecurity Vendors'
  • Turn off the old security vendor 'COMODO ModSecurity Apache Rule Set' with 'Enabled' - 'Off'
  • Press 'Add Vendor' to add the new vendor
  • Set the new vendor URL: https://waf.comodo.com/doc/meta_comodo_apache.yaml
  • If you don't have excludes, just delete the old disabled vendor with the 'Delete' button.

NOTE: The old vendor link will be fully supported, so switching to the new link is not necessary.

If you have valuable excludes, do the following steps before removing the old disabled vendor:

  • Log in to your cPanel root console
  • Delete the mod_security datastore cache:

    rm -f /var/cpanel/modsec_cpanel_conf_datastore.cache

  • Edit the mod_security datastore with your favorite editor (e.g. nano):

    nano /var/cpanel/modsec_cpanel_conf_datastore

  • Find the 'disabled_rules:' section.
  • Replace the tag 'comodo-apache' beside all rule IDs with the new vendor name 'comodo_apache'.
    For example, if you have disabled rules 210000 and 210010, in /var/cpanel/modsec_cpanel_conf_datastore there will be a section:

                disabled_rules:
                  210000: comodo-apache
                  210010: comodo-apache


    Replace 'comodo-apache' with 'comodo_apache' so it will look like:

                disabled_rules:
                  210000: comodo_apache
                  210010: comodo_apache


  • Save your changes.
  • Return to WHM 'Security Center'-'Modsecurity Vendors' and delete the disabled vendor with the 'Delete' button now.

--
Vadim Lvovskiy
Development Manager
COMODO Group Inc.
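
The datastore edit from the steps in the post above, scripted so that only entries inside the 'disabled_rules:' block are retagged and a backup is kept. This is an added example, not part of the original post and not Comodo or cPanel code; the function name, the '.bak' backup suffix and the assumption that the datastore is laid out like the excerpt in the post are this example's own.

```shell
#!/bin/sh
# Added example: retag disabled-rule entries from the old vendor id to the
# new one, touching only "<rule id>: <vendor>" lines under disabled_rules:.
OLD_VENDOR="comodo-apache"
NEW_VENDOR="comodo_apache"

# Usage: retag_disabled_rules /var/cpanel/modsec_cpanel_conf_datastore
# Prints the number of retagged entries; the file is rewritten only if > 0.
retag_disabled_rules() {
    datastore="$1"
    [ -f "$datastore" ] || { echo "no such file: $datastore" >&2; return 1; }
    tmp="$datastore.retag.$$"
    count=$(awk -v old="$OLD_VENDOR" -v new="$NEW_VENDOR" -v out="$tmp" '
        function indent(s,  t) { t = s; sub(/^[ \t]+/, "", t); return length(s) - length(t) }
        /^[ \t]*disabled_rules:[ \t]*$/ { inblk = 1; base = indent($0); print > out; next }
        # A non-blank line indented no deeper than the header ends the block.
        inblk && $0 !~ /^[ \t]*$/ && indent($0) <= base { inblk = 0 }
        inblk && $0 ~ /^[ \t]*[0-9]+:/ {
            key = $0; sub(/:.*$/, ":", key)
            val = $0; sub(/^[ \t]*[0-9]+:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (val == old) { print key " " new > out; n++; next }
        }
        { print > out }
        END { print n + 0 }
    ' "$datastore") || { rm -f "$tmp"; return 1; }
    if [ "$count" -gt 0 ]; then
        # Keep a copy of the original before overwriting it (suffix is assumed).
        cp -p "$datastore" "$datastore.bak" || { rm -f "$tmp"; return 1; }
        cat "$tmp" > "$datastore"      # preserves owner and mode of the original
        rm -f "$datastore.cache"       # the cache file the steps say to delete
    fi
    rm -f "$tmp"
    echo "$count"
}
```

Run it on a copy of the datastore first and compare the result with the original before pointing it at the live file.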

Offline vasily869

  • Newbie
  • *
  • Posts: 1
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #28 on: March 19, 2015, 11:21:15 AM »
Dear Comodo Support,

Recently, I installed the cPanel Comodo WAF, but for the past 3 days I saw only 4 blocking attempts. However, I had a lot more with OWASP rules. Is there any way to check for any installation errors?

Thanks.
« Last Edit: March 19, 2015, 12:12:13 PM by vasily869 »

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 375
Re: Comodo as a ModSecurity Vendor in cPanel
« Reply #29 on: March 20, 2015, 04:14:22 AM »
Hello,

You can check the /tmp/cwaf_install.log.* files, where you'll find all installation messages. OWASP rules are more strict, so they work and also give false positives more frequently.
Also, part of our rules are not logged at all.

 
