Comodo as a ModSecurity Vendor in cPanel

[vadim]

Comodo Free ModSecurity Rules for cPanel Documentation is now available by the link:

https://help.comodo.com/topic-212-1-670-8348-Comodo-Free-ModSecurity-Rules-for-cPanel--Introduction.html

[plusplus]

I have disabled a rule last week and today the client contacted me because was being blocked...checking looks like the rule was enabled? Could be that if you have "Updates" On in the vendor settings is being updated but also disabled rules enabled again? Thanx!

[akabakov]

Disabled rules shouldn't be enabled again in updates.

[pointaction]

So far I have switched all the server the Vendor mode. It has been running for a week now with no issues.

Like to say thank you to the Comodo team in getting this to work as a vendor in cPanel.

[xanubi]

With comodo vendor rules, i've used sometimes the button of report to vendor, some false positive blocks.

Do Comodo receives this?

[vadim]

With comodo vendor rules, i've used sometimes the button of report to vendor, some false positive blocks.

Do Comodo receives this?

Yes, of course. We got a feed of cPanel vendors feed-backs and Comodo rule-writers and client developers review all of them.

But it's a one-direction channel, we reply to the feedback owner only in some critical cases. Full support we provide through Comodo Support System: https://support.comodo.com/index.php?/Tickets/Submit

Here is example of feed-backs we received:
         
Rule set version: 1.27
Source: Apache
Reason: The rule generates false positive hit entries
Status: new
E-mail: ******[at]******
Rule ID: 220830

      Requested URI:
      HTTP/1.1|METHOD: POST|RESP: 403
      Virtual Host:www.******
      Rules File: /usr/local/apache/conf/modsec_vendor_configs/comodo_apache/cwaf_05.conf
      Line number of the rule: 1783
      Action: Access denied with code 403 (phase 2).
      ModSecurity Message: COMODO WAF: Blocking XSS attack
      User comments: ******

[oleg.tsygany]

Released new COMODO ModSecurity rules with improved files structure.
Now you can disable not required protection by pressing 'Edit' button in Security Center -> ModSecurity™ Vendors (Home »Security Center »Select Vendor Rule Sets)
Switch config file status from 'On' to 'Off' to disable this rules group.

Here is groups description:

Init_Initialization.conf - ModSecurity Initialization. Please do not disable this group.
Global_Generic.conf - Generic protection
Global_Agents.conf - Detecting bots and scanners
Global_Domains.conf - Detecting malicious domains
Global_Exceptions.conf - Protocol violation attacks
Global_Incoming.conf - Attacks targeting OSVDB flagged resource
Global_Backdoor.conf - Access backdoor/trojans possibly injected
XSS_XSS.conf - Detecting Cross Site Scripting vulnerabilities
Global_Other.conf - Various checks without group
Bruteforce_Bruteforce.conf - Bruteforce protection
HTTP_HTTP.conf - Generic HTTP protection
HTTP_HTTPDoS.conf - Denial-of-service attacks protection
HTTP_Protocol.conf - Detecting protocol violations
HTTP_Request.conf - Checking HTTP request

Outgoing_FilterGen.conf - Generic information reveal
Outgoing_FilterASP.conf - ASP/JSP source code leakage
Outgoing_FilterPHP.conf - PHP information disclosure
Outgoing_FilterIIS.conf - Microsoft's IIS information leakage
Outgoing_FilterSQL.conf - SQL information reveal
Outgoing_FilterOther.conf - Other apps information disclosure
Outgoing_FilterInFrame.conf - Various 'iframe' cheсks
Outgoing_FiltersEnd.conf - Checking traffic points
PHP_PHPGen.conf - Generic PHP protection
SQL_SQLi.conf - SQL Injection protection

Init_AppsInitialization.conf - Initialization Web Applications variables. Do not disable this group.
Apps_Joomla.conf - Joomla! protection
Apps_JComponent.conf - Joomla! components protection
Apps_WordPress.conf - WordPress protection
Apps_WPPlugin.conf - WordPress Plugins protection
Apps_WHMCS.conf - WHMCS protection
Apps_Drupal.conf - Drupal protection
Apps_OtherApps.conf - Other Web Applications protection

[designcentre]

Hi Yah,

Very little that I can find about this...

In the "Configure Global Directives" what's the recommended setting for "Connections Engine SecConnEngine"
Process the rules.
Do not process the rules. (this is set as default)
Process the rules in verbose mode, but do not execute disruptive actions.

Many thanks in advance

[oleg.tsygany]

Hi designcentre

I believe SecConnEngine along with SecConnReadStateLimit and SecConnWriteStateLimit is directives for preventing slow DoS attacks performed by hijacking server threads in a READ/WRITE state.
Here is little reference I found about this: http://permalink.gmane.org/gmane.comp.apache.mod-security.user/11744
However ModSecurity Reference Manual is a little obscured about this topic  .

Regards, Oleg

[xanubi]

Released new COMODO ModSecurity rules with improved files structure.
Now you can disable not required protection by pressing 'Edit' button in Security Center -> ModSecurity™ Vendors (Home »Security Center »Select Vendor Rule Sets)
Switch config file status from 'On' to 'Off' to disable this rules group.

Here is groups description:

Init_Initialization.conf - ModSecurity Initialization. Please do not disable this group.
Global_Generic.conf - Generic protection
Global_Agents.conf - Detecting bots and scanners
Global_Domains.conf - Detecting malicious domains
Global_Exceptions.conf - Protocol violation attacks
Global_Incoming.conf - Attacks targeting OSVDB flagged resource
Global_Backdoor.conf - Access backdoor/trojans possibly injected
XSS_XSS.conf - Detecting Cross Site Scripting vulnerabilities
Global_Other.conf - Various checks without group
Bruteforce_Bruteforce.conf - Bruteforce protection
HTTP_HTTP.conf - Generic HTTP protection
HTTP_HTTPDoS.conf - Denial-of-service attacks protection
HTTP_Protocol.conf - Detecting protocol violations
HTTP_Request.conf - Checking HTTP request

Outgoing_FilterGen.conf - Generic information reveal
Outgoing_FilterASP.conf - ASP/JSP source code leakage
Outgoing_FilterPHP.conf - PHP information disclosure
Outgoing_FilterIIS.conf - Microsoft's IIS information leakage
Outgoing_FilterSQL.conf - SQL information reveal
Outgoing_FilterOther.conf - Other apps information disclosure
Outgoing_FilterInFrame.conf - Various 'iframe' cheсks
Outgoing_FiltersEnd.conf - Checking traffic points
PHP_PHPGen.conf - Generic PHP protection
SQL_SQLi.conf - SQL Injection protection

Init_AppsInitialization.conf - Initialization Web Applications variables. Do not disable this group.
Apps_Joomla.conf - Joomla! protection
Apps_JComponent.conf - Joomla! components protection
Apps_WordPress.conf - WordPress protection
Apps_WPPlugin.conf - WordPress Plugins protection
Apps_WHMCS.conf - WHMCS protection
Apps_Drupal.conf - Drupal protection
Apps_OtherApps.conf - Other Web Applications protection

After the cpanel automatic update this night, this configuration disappeared, and we are back again to 8 central files.
If i do /usr/local/cpanel/scripts/modsec_vendorpdate --auto :

Code: [Select]

info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
warn [modsec_vendor] The system could not add the vendor: The update for vendor âcomodo_apacheâcomodo-apache-125â
                                                                                                                  at /usr/local/cpanel/Cpanel/Exception.pm line 127.
        Cpanel::Exception::new("Cpanel::Exception::ModSecurity::VendorUpdateUnnecessary", HASH(0x1adb8f0)) called at /usr/local/cpanel/Cpanel/Exception.pm line 57
        Cpanel::Exception::create("ModSecurity::VendorUpdateUnnecessary", HASH(0x1adb8f0)) called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 260
        Whostmgr::ModSecurity::VendorList::__ANON__(Whostmgr::ModSecurity::Vendor=HASH(0x7eefd0)) called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 172
        eval {...} called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 131
        Whostmgr::ModSecurity::VendorList::add("https://waf.comodo.com/doc/meta_comodo_apache.yaml", CODE(0x7ef240)) called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 263
        eval {...} called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 256
        Whostmgr::ModSecurity::VendorList::update("https://waf.comodo.com/doc/meta_comodo_apache.yaml") called at /usr/local/cpanel/scripts/modsec_vendor line 160
        eval {...} called at /usr/local/cpanel/scripts/modsec_vendor line 160
        scripts::modsec_vendor::update("--auto") called at /usr/local/cpanel/scripts/modsec_vendor line 35
        scripts::modsec_vendor::run("update", "--auto") called at /usr/local/cpanel/scripts/modsec_vendor line 23

info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
info [modsec_vendor] The vendor âcomodo_apacheâ

What is happenning?

[oleg.tsygany]

Hi

Seems data restored from old backup server.
We will check this issue and fix it asap.

Regards, Oleg

[artcore]

Hello,

I've been using Comodo Waf for almost a year now and it's been excellent! I've recommended it on forums and to friends alike

Now when I try to install the vendor on one of my servers the API Request fails, curl: (7) couldn't connect to host.

Code: [Select]

Error: API failure: The system could not download the file “https://waf.comodo.com/doc/meta_comodo_apache.yaml”: curl: (7) couldn't connect to host
It worked on other servers but not on this particular one. I can access the .yaml from the browser so I know it's not on your side.
Is my IP(will give privately) blocked? Or do you have any suggestions?

Currently it's still working using custom rules from Comodo but the auto-update would be awesome...

Thanks

edit: solved. whitelisted the comodo IP:91.209.196.88 

[markb1439]

Now that the Comodo cPanel vendor support keeps getting better, I'm wondering if the best method is to continue using the CWAF plugin or switch to vendor mode using Comodo's rules.

We have had periodic issues with the plugin, for example today on multiple servers the plugin version was listed as 2.5, even though the latest version was shown as 2.12. We also get connection errors sometimes, and just hangs other times. (Not sure if anyone else is seeing these things.)

So we always like to minimize the number of third-party components.

I'd be interested to hear opinions from both Comodo staff and others as to the best approach.

Thanks!

Mark

[vadim]

 At first, we are sorry for inconvenience you had today. It was because of hardware issue in the data-center and incorrect switching of the server to the backup machine.

 We didn't get negative feedback about plugin/rules updating issues in the past, so it's a bad news for us. I am working with Comodo Infra to make load and performance analysis of CWAF servers.

 To your question about switching to cPanel Vendor Tools. For cPanel we provide a full version of CWAF rules and we release them in the same time as for CWAF plugin customers. We also receive feedbacks and false positives from  the customers with cPanel Tools. So, basic mechanisms the same.

 But our plugin includes some useful tools, like Configuration Wizard which are absent in cPanel Tools. And we are working on plugin improvements. We have a lot of plans and wishes from the customers for the future plugin development, e.g.

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/wish-list-please-post-your-wishes-here-t100660.0.html;msg813808#msg813808

Since March, when we released a full-compliance Comodo cPanel version, a lot of customers switched to cPanel Tools. Maybe some of them will share his experience and post here his opinion.

[topwebs]

I am using WAF plugin in CPanel. Recently, the audit logs stopped being written. The error_log reports: [Sat Dec 26 20:28:02.065669 2015] [:error] [pid 26949] [client 46.177.144.230] ModSecurity: Audit log: Failed to create subdirectories: /usr/local/apache/logs/nobody/20151226/20151226-2028 (Permission denied) [hostname "www.my-radioshow.gr"] [uri "/online-services/EL_RADIO/dsp_stereo_tool.ini"] [unique_id "Vn9MsmAeAlwAAGlFCZYAAAAF"]

I don't know what changed, nor why it can't create subdirectories. All used to work yesterday. Any ideas how to fix?