Comodo as a ModSecurity Vendor in cPanel

I uninstalled the WAF cPanel plugin. I noticed that /var/cpanel/cwaf/ is still on the server and I am still getting the /var/cpanel/cwaf/scripts/updater.pl 2>&1 cron notification email each evening. Are these just left over from the WAF plugin, or are they needed for the new vendor setup?

Hi

How did you uninstall the plugin?

cd /var/cpanel/cwaf/scripts && ./uninstall_cwaf.sh ?

This will remove the scheduled update and the Perl modules, and restore the ModSecurity configuration.

I did not uninstall the Perl modules. Thanks for that script. Now I only have the Comodo vendor setup, which is perfect.

I may switch back to plugin mode until this is fixed.

Your config files are correct. The “API failure” error happens because cPanel doesn’t fully support our vendor names.
A fix will be available soon.
The rules are working correctly, so I think you can just ignore this error for now.

Ok…

Thank you

We have released a new version of the cPanel ModSecurity Vendor service.

In the new version you may report problems with Comodo rules through cPanel ModSecurity Tools:

But for full support of cPanel ModSecurity Tools, we had to change the YAML links.

Enter one of the URLs, depending on your web server:

Please see all configuration steps here:

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/comodo-as-a-modsecurity-vendor-in-cpanel-t110147.0.html;msg800100#msg800100


If you already use Comodo as ModSecurity Vendor for Apache with an old link:

https://waf.comodo.com/doc/meta_comodo-apache.yaml

and you want full support of cPanel ModSecurity Tools, including reporting problems to Comodo (see details here), you need to do the following steps:

1. Go to WHM ‘Security Center’ - ‘ModSecurity Vendors’.
2. Turn off the old security vendor ‘COMODO ModSecurity Apache Rule Set’ by setting ‘Enabled’ to ‘Off’.
3. Press ‘Add Vendor’ to add the new vendor.
4. Set the new vendor URL: https://waf.comodo.com/doc/meta_comodo_apache.yaml
5. If you don’t have excludes, just delete the old disabled vendor with the ‘Delete’ button.

NOTE: The old vendor link will remain fully supported, so switching to the new link is not strictly necessary.

If you have valuable excludes, do the following steps before removing the old disabled vendor:

1. Log in to your cPanel server’s root console.
2. Delete the mod_security datastore cache:

       rm -f /var/cpanel/modsec_cpanel_conf_datastore.cache

3. Edit the mod_security datastore with your favorite editor (e.g. nano):

       nano /var/cpanel/modsec_cpanel_conf_datastore

4. Find the ‘disabled_rules:’ section.
5. Replace the tag ‘comodo-apache’ beside all rule IDs with the new vendor name ‘comodo_apache’.
   For example, if you have disabled rules 210000 and 210010, /var/cpanel/modsec_cpanel_conf_datastore will contain this section:

       disabled_rules:
         210000: comodo-apache
         210010: comodo-apache

   Replace ‘comodo-apache’ with ‘comodo_apache’ so it looks like:

       disabled_rules:
         210000: comodo_apache
         210010: comodo_apache

6. Save your changes.
7. Return to WHM ‘Security Center’ - ‘ModSecurity Vendors’ and delete the disabled vendor with the ‘Delete’ button.
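The datastore edit in step 5 above is easy to get wrong by hand on a server with many excludes (a global search-and-replace would also touch other vendors or other sections). The following script is an added example, not part of the original post or of Comodo’s or cPanel’s own tooling: it renames the vendor tag only for numeric rule IDs under the top-level ‘disabled_rules:’ key, leaves every other section untouched, makes a backup before writing, and removes the datastore cache as step 2 requires. The sample datastore text is constructed for the demonstration and only imitates the layout shown in the post; the real file format is cPanel’s and may contain other keys.

```python
#!/usr/bin/env python3
"""Migrate cPanel ModSecurity excludes from vendor tag 'comodo-apache' to 'comodo_apache'.

Added example (not cPanel's or Comodo's own code). Only values under the
top-level 'disabled_rules:' key are rewritten; everything else is preserved.
"""
import re
import shutil
import sys
from pathlib import Path

# Paths named in the forum post.
DATASTORE = Path("/var/cpanel/modsec_cpanel_conf_datastore")
CACHE = Path("/var/cpanel/modsec_cpanel_conf_datastore.cache")

# Constructed sample imitating the layout from the post; 'decoy' shows that
# identical-looking entries outside 'disabled_rules:' are left alone.
SAMPLE = """---
active_configs:
  modsec_vendor_configs/comodo_apache/cwaf_05.conf: 1
disabled_rules:
  210000: comodo-apache
  210010: comodo-apache
  900001: another_vendor
decoy:
  210000: comodo-apache
settings:
  SecRuleEngine: 'On'
"""

# Matches an indented "<rule id>: <vendor tag>" line, capturing tag separately.
RULE_LINE = re.compile(r"^(\s*\d+:\s*)(\S+)(\s*)$")


def rename_vendor_tag(text: str, old: str = "comodo-apache",
                      new: str = "comodo_apache") -> tuple[str, int]:
    """Return (rewritten text, number of rule entries changed).

    Section tracking is by indentation: a non-indented, non-comment line starts
    a new top-level key, and only lines inside 'disabled_rules:' are eligible.
    Running the function twice is a no-op the second time (idempotent).
    """
    lines = text.split("\n")
    in_section = False
    changed = 0
    for i, line in enumerate(lines):
        if line and not line[0].isspace() and not line.startswith("#"):
            in_section = line.split(":", 1)[0] == "disabled_rules"
            continue
        if not in_section:
            continue
        m = RULE_LINE.match(line)
        if m and m.group(2) == old:
            lines[i] = f"{m.group(1)}{new}{m.group(3)}"
            changed += 1
    return "\n".join(lines), changed


def migrate(datastore: Path = DATASTORE, cache: Path = CACHE,
            dry_run: bool = True) -> int:
    """Apply the rename to the on-disk datastore; returns entries changed.

    With dry_run=True nothing is written, so the count can be reviewed first.
    A .bak copy is kept beside the datastore before it is overwritten.
    """
    original = datastore.read_text()
    rewritten, changed = rename_vendor_tag(original)
    if dry_run or changed == 0:
        return changed
    shutil.copy2(datastore, datastore.with_suffix(".bak"))  # recovery copy
    datastore.write_text(rewritten)
    if cache.exists():
        cache.unlink()  # step 2 of the post: drop the stale cache
    return changed


if __name__ == "__main__":
    # Run with --apply on a real server; otherwise just demonstrate on SAMPLE.
    if "--apply" in sys.argv:
        print(f"changed {migrate(dry_run=False)} entries")
    else:
        out, n = rename_vendor_tag(SAMPLE)
        print(f"{n} entries would change:\n{out}")
```

Review the dry-run count against the number of Comodo excludes you expect before running with --apply; WHM rebuilds the cache on its next read, so its removal is safe.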

Dear Comodo Support,

Recently I installed the cPanel Comodo WAF, but for the past 3 days I have seen only 4 blocking attempts. However, I had a lot more with the OWASP rules. Is there any way to check for installation errors?

Thanks.

Hello,

You can check the /tmp/cwaf_install.log.* files, where you’ll find all installation messages. OWASP rules are more strict, so they trigger more often and also give false positives more frequently.
Also, part of our rules are not logged at all.

Comodo Free ModSecurity Rules for cPanel documentation is now available at the link:

https://help.comodo.com/topic-212-1-670-8348-Comodo-Free-ModSecurity-Rules-for-cPanel--Introduction.html

I disabled a rule last week, and today the client contacted me because they were being blocked… checking, it looks like the rule was enabled again? Could it be that if you have “Updates” set to On in the vendor settings, the update also re-enables disabled rules? Thanx!

Disabled rules shouldn’t be enabled again in updates.

So far I have switched all the servers to vendor mode. It has been running for a week now with no issues.

I’d like to say thank you to the Comodo team for getting this to work as a vendor in cPanel.

With the Comodo vendor rules, I’ve sometimes used the “report to vendor” button on false positive blocks.

Does Comodo receive these?

Yes, of course. We get a feed of cPanel vendor feedback, and Comodo rule-writers and client developers review all of it.

But it’s a one-direction channel; we reply to the feedback owner only in some critical cases. Full support is provided through the Comodo Support System: Submit a ticket - Powered by Kayako Help Desk Software

Here is an example of the feedback we receive:

Rule set version: 1.27
Source: Apache
Reason: The rule generates false positive hit entries
Status: new
E-mail: @
Rule ID: 220830

  Requested URI: 
  HTTP/1.1|METHOD: POST|RESP: 403
  Virtual Host:www.******
  Rules File: /usr/local/apache/conf/modsec_vendor_configs/comodo_apache/cwaf_05.conf
  Line number of the rule: 1783
  Action: Access denied with code 403 (phase 2).
  ModSecurity Message: COMODO WAF: Blocking XSS attack
  User comments: ******

Released new COMODO ModSecurity rules with an improved file structure.
Now you can disable protection you do not need by pressing the ‘Edit’ button in Security Center → ModSecurity™ Vendors (Home » Security Center » Select Vendor Rule Sets).
Switch a config file’s status from ‘On’ to ‘Off’ to disable that rules group.

Here is a description of the groups:

Init_Initialization.conf - ModSecurity Initialization. Please do not disable this group.
Global_Generic.conf - Generic protection
Global_Agents.conf - Detecting bots and scanners
Global_Domains.conf - Detecting malicious domains
Global_Exceptions.conf - Protocol violation attacks
Global_Incoming.conf - Attacks targeting OSVDB-flagged resources
Global_Backdoor.conf - Access to possibly injected backdoors/trojans
XSS_XSS.conf - Detecting Cross Site Scripting attacks
Global_Other.conf - Various checks without group
Bruteforce_Bruteforce.conf - Bruteforce protection
HTTP_HTTP.conf - Generic HTTP protection
HTTP_HTTPDoS.conf - Denial-of-service attacks protection
HTTP_Protocol.conf - Detecting protocol violations
HTTP_Request.conf - Checking HTTP request

Outgoing_FilterGen.conf - Generic information reveal
Outgoing_FilterASP.conf - ASP/JSP source code leakage
Outgoing_FilterPHP.conf - PHP information disclosure
Outgoing_FilterIIS.conf - Microsoft’s IIS information leakage
Outgoing_FilterSQL.conf - SQL information reveal
Outgoing_FilterOther.conf - Other apps information disclosure
Outgoing_FilterInFrame.conf - Various ‘iframe’ checks
Outgoing_FiltersEnd.conf - Checking traffic points
PHP_PHPGen.conf - Generic PHP protection
SQL_SQLi.conf - SQL Injection protection

Init_AppsInitialization.conf - Initialization of web application variables. Do not disable this group.
Apps_Joomla.conf - Joomla! protection
Apps_JComponent.conf - Joomla! components protection
Apps_WordPress.conf - WordPress protection
Apps_WPPlugin.conf - WordPress Plugins protection
Apps_WHMCS.conf - WHMCS protection
Apps_Drupal.conf - Drupal protection
Apps_OtherApps.conf - Other Web Applications protection

Hi Yah,

Very little that I can find about this…

In “Configure Global Directives”, what is the recommended setting for “Connections Engine SecConnEngine”? The options are:
- Process the rules.
- Do not process the rules. (this is set as default)
- Process the rules in verbose mode, but do not execute disruptive actions.

Many thanks in advance

Hi designcentre

I believe SecConnEngine, along with SecConnReadStateLimit and SecConnWriteStateLimit, are directives for preventing slow DoS attacks performed by hijacking server threads in a READ/WRITE state.
Here is a little reference I found about this: http://permalink.gmane.org/gmane.comp.apache.mod-security.user/11744
However, the ModSecurity Reference Manual is a little obscure about this topic :-.

Regards, Oleg

After the cPanel automatic update last night, this configuration disappeared, and we are back again to 8 central files.
If I run /usr/local/cpanel/scripts/modsec_vendor update --auto:


info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
warn [modsec_vendor] The system could not add the vendor: The update for vendor “comodo_apache”comodo-apache-125”
                                                                                                                  at /usr/local/cpanel/Cpanel/Exception.pm line 127.
        Cpanel::Exception::new("Cpanel::Exception::ModSecurity::VendorUpdateUnnecessary", HASH(0x1adb8f0)) called at /usr/local/cpanel/Cpanel/Exception.pm line 57
        Cpanel::Exception::create("ModSecurity::VendorUpdateUnnecessary", HASH(0x1adb8f0)) called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 260
        Whostmgr::ModSecurity::VendorList::__ANON__(Whostmgr::ModSecurity::Vendor=HASH(0x7eefd0)) called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 172
        eval {...} called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 131
        Whostmgr::ModSecurity::VendorList::add("https://waf.comodo.com/doc/meta_comodo_apache.yaml", CODE(0x7ef240)) called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 263
        eval {...} called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 256
        Whostmgr::ModSecurity::VendorList::update("https://waf.comodo.com/doc/meta_comodo_apache.yaml") called at /usr/local/cpanel/scripts/modsec_vendor line 160
        eval {...} called at /usr/local/cpanel/scripts/modsec_vendor line 160
        scripts::modsec_vendor::update("--auto") called at /usr/local/cpanel/scripts/modsec_vendor line 35
        scripts::modsec_vendor::run("update", "--auto") called at /usr/local/cpanel/scripts/modsec_vendor line 23

info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
info [modsec_vendor] The vendor “comodo_apache”

What is happening?