Author Topic: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list  (Read 2171 times)

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 364
cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« on: September 05, 2016, 11:08:33 AM »
There are some issues with software pointed at topic header.
1) CWAF-plugin doesn't work;
2) After CWAF-plugin reinstall ModSecurity™ Tools Hit list doesn't work
The causes of these issues are:
1) apache configuration files path is changed from /usr/local/apache/* to /etc/apache2;
2)  apache log files path is changed from /var/log/httpd to /var/log/apache2;
3) Hit List doesn't work with symlinks.

To resolve these issues next steps could be performed:
1) reinstall CWAF-plugin;
2) copy old ModSecurity™  configuration file to a new one:

Code: [Select]
cp /usr/local/apache/conf/modsec2.conf /etc/apache2/conf.d/zzzz_cwaf_security2.conf3) in /etc/apache2/conf.d/zzzz_cwaf_security2.conf log files paths should be changed:

Code: [Select]
SecAuditLog /var/log/apache2/modsec_audit.log
 SecDebugLog /var/log/apache2/modsec_debug.log

Then apache should be restarted. After that  ModSecurity™ Tools Hit List should work.
« Last Edit: August 17, 2017, 03:44:28 AM by akabakov »

Offline thewebex

  • Newbie
  • *
  • Posts: 3
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #1 on: December 12, 2016, 06:53:59 PM »
For those using a 64bit OS, I had to change the first line to read:
LoadFile /usr/lib64/libxml2.so

Hope this helps someone else. a clean install of comodo modsec did not fix this. -sigh-

Offline Hedloff

  • Comodo Loves me
  • ****
  • Posts: 149
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #2 on: December 13, 2016, 04:20:01 AM »
For those using a 64bit OS, I had to change the first line to read:
LoadFile /usr/lib64/libxml2.so

Hope this helps someone else. a clean install of comodo modsec did not fix this. -sigh-

Yes, that worked for me aswell on Apache servers.
But on LiteSpeed I also had to add this symlink:
ln -s /usr/local/apache/conf/modsec2.conf /etc/apache2/conf.d/zzzz_cwaf_security2.conf

Offline thewebex

  • Newbie
  • *
  • Posts: 3
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #3 on: January 21, 2017, 11:06:53 AM »
I copied put zzzz_cwaf_security2.conf in /etc/apache2/conf.d but apache is not including it. What file do I need to edit to include?

should it not go in modsec2.user.conf ?

thank you for your help

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 364
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #4 on: January 23, 2017, 03:57:34 AM »
Please, check /etc/apache2/conf/httpd.conf
It should contain:

Code: [Select]
# less /etc/apache2/conf/httpd.conf | grep Include
Include "/etc/apache2/conf.d/*.conf"
and some other includes.

Offline robertjw

  • Newbie
  • *
  • Posts: 5
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #5 on: February 10, 2017, 01:54:10 PM »
I have done all of these steps, my modsec_audit.log is in /var/log/apache2, hits are being logged, but my Hits List is still not working.

Anyone have additional tips on troubleshooting.

Offline TDmitry

  • Head CWAF Rule Writing Team
  • Comodo's Hero
  • *****
  • Posts: 357
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #6 on: February 13, 2017, 05:15:44 AM »
I have done all of these steps, my modsec_audit.log is in /var/log/apache2, hits are being logged, but my Hits List is still not working.

Anyone have additional tips on troubleshooting.
Maybe you have some error logs?

Offline robertjw

  • Newbie
  • *
  • Posts: 5
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #7 on: February 13, 2017, 03:56:16 PM »
I have two cpanel servers and one I was able to setup ModSecurity and the Comodo ruleset, successfully.  The other is not working, and I can't see much difference in it.

What would I look for in the logs?    Will the hits list log somewhere?   I can't find any errors at all.

Comparing the two servers I can't find any differences that might keep the Hit List from working.

Does anyone have any idea how this works?  Is it reading the logs at /var/log/apache2/modscec_audit.log?


Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 364
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #8 on: February 14, 2017, 08:58:16 AM »
You are right.
Hit List is var/log/apache2/modsec_audit.log parser. So, info from it should be visible in Hit List.
Did you ask cPanel support about this issue?

Offline robertjw

  • Newbie
  • *
  • Posts: 5
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #9 on: February 14, 2017, 10:34:49 AM »
The discusson on the cPanel forum suggested I look for an answer here.

Offline akabakov

  • Comodo's Hero
  • *****
  • Posts: 364
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #10 on: February 16, 2017, 03:39:02 AM »
Please, check permissions on /var/logs/apache2/modsec_audit.log
Code: [Select]
-rw-r-----.  1 nobody nobody    250326 Feb 13 05:10 modsec_audit.log

Offline robertjw

  • Newbie
  • *
  • Posts: 5
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #11 on: February 21, 2017, 12:42:17 PM »
It's the same as my other server

Code: [Select]
-rw-r-----. 1 root root 232M Feb 21 10:27 /var/log/apache2/modsec_audit.log

Offline thewebex

  • Newbie
  • *
  • Posts: 3
Re: cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list
« Reply #12 on: July 02, 2017, 08:42:27 AM »
I just upgraded from ea3 to ea4 and needed to reboot the server to see the hitlist .... so recommend before spending too much time troubleshooting do a reboot after fixing the paths

 

Seo4Smf 2.0 © SmfMod.Com Smf Destek