Comodo as a ModSecurity Vendor in cPanel

Hi

It seems the data was restored from an old backup server.
We will check this issue and fix it asap.

Regards, Oleg

Hello,

I’ve been using Comodo WAF for almost a year now and it’s been excellent! I’ve recommended it on forums and to friends alike.

Now when I try to install the vendor on one of my servers the API Request fails, curl: (7) couldn’t connect to host.

Error: API failure: The system could not download the file “https://waf.comodo.com/doc/meta_comodo_apache.yaml”: curl: (7) couldn't connect to host 

It worked on other servers but not on this particular one. I can access the .yaml from the browser so I know it’s not on your side.
Is my IP(will give privately) blocked? Or do you have any suggestions?

Currently it’s still working using custom rules from Comodo, but the auto-update would be awesome…

Thanks

Edit: solved. Whitelisted the Comodo IP: 91.209.196.88

Now that the Comodo cPanel vendor support keeps getting better, I’m wondering if the best method is to continue using the CWAF plugin or switch to vendor mode using Comodo’s rules.

We have had periodic issues with the plugin, for example today on multiple servers the plugin version was listed as 2.5, even though the latest version was shown as 2.12. We also get connection errors sometimes, and just hangs other times. (Not sure if anyone else is seeing these things.)

So we always like to minimize the number of third-party components.

I’d be interested to hear opinions from both Comodo staff and others as to the best approach.

Thanks!

Mark

First, we are sorry for the inconvenience you had today. It was because of a hardware issue in the data center and incorrect switching of the server to the backup machine.

We didn’t get negative feedback about plugin/rules updating issues in the past, so it’s bad news for us. I am working with Comodo Infra to do a load and performance analysis of the CWAF servers.

To your question about switching to cPanel Vendor Tools: for cPanel we provide a full version of the CWAF rules, and we release them at the same time as for CWAF plugin customers. We also receive feedback and false positives from the customers with cPanel Tools. So the basic mechanisms are the same.

But our plugin includes some useful tools, like the Configuration Wizard, which are absent in cPanel Tools. And we are working on plugin improvements. We have a lot of plans and wishes from the customers for the future plugin development, e.g.

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/wish-list-please-post-your-wishes-here-t100660.0.html;msg813808#msg813808

Since March, when we released a full-compliance Comodo cPanel version, a lot of customers have switched to cPanel Tools. Maybe some of them will share their experience and post their opinions here.

I am using the WAF plugin in cPanel. Recently, the audit logs stopped being written. The error_log reports:

[Sat Dec 26 20:28:02.065669 2015] [:error] [pid 26949] [client 46.177.144.230] ModSecurity: Audit log: Failed to create subdirectories: /usr/local/apache/logs/nobody/20151226/20151226-2028 (Permission denied) [hostname "www.my-radioshow.gr"] [uri "/online-services/EL_RADIO/dsp_stereo_tool.ini"] [unique_id "Vn9MsmAeAlwAAGlFCZYAAAAF"]

I don’t know what changed, nor why it can’t create subdirectories. All used to work yesterday. Any ideas how to fix?

/usr/local/apache/logs/
When I reproduced this issue, I found that the permission on /usr/local/apache/logs/nobody should be changed from root to the Apache user (usually user “nobody”).

We’re using your plugin and I had the same issue on one server that I just checked. I will check more now.
But it seems to be working if I create the nobody folder and give nobody permissions, but that will fill up that folder quickly.

So what I did was change Audit Log Type from concurrent to serial, and then mod_security started working again and I can see them in WHM.

So my big question is, what and who changed this? Comodo or cPanel?

I suppose that is a cPanel issue. What you see in WHM depends on how cPanel processes ModSecurity Logs.
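Added example (not part of any post in this thread, and not Comodo or cPanel code): a short Python check that scans Apache error_log lines for the "Failed to create subdirectories" message quoted above, strips the date-stamped subdirectories, and reports the directory whose ownership needs checking. The sample log lines are constructed from the format shown in the thread, and the function names are hypothetical.

```python
import os
import pwd
import re
from collections import Counter

# Matches the ModSecurity audit-log failure message quoted in the thread.
FAIL_RE = re.compile(
    r"ModSecurity: Audit log: Failed to create subdirectories: "
    r"(?P<path>/\S+) \((?P<reason>[^)]*)\)"
)
# Concurrent audit logging creates <YYYYMMDD>/<YYYYMMDD-HHMM> below the per-user directory.
DATE_TAIL_RE = re.compile(r"/\d{8}/\d{8}-\d{4}$")

# Constructed sample lines (placeholder client IPs, hostname and unique_id values).
SAMPLE = [
    '[Sat Dec 26 20:28:02.065669 2015] [:error] [pid 26949] [client 192.0.2.10] '
    'ModSecurity: Audit log: Failed to create subdirectories: '
    '/usr/local/apache/logs/nobody/20151226/20151226-2028 (Permission denied) '
    '[hostname "www.example.com"] [uri "/index.php"] [unique_id "CONSTRUCTED-0001"]',
    '[Sat Dec 26 20:29:10.000001 2015] [:error] [pid 26950] [client 192.0.2.11] '
    'ModSecurity: Audit log: Failed to create subdirectories: '
    '/usr/local/apache/logs/nobody/20151226/20151226-2029 (Permission denied) '
    '[hostname "www.example.com"] [uri "/login.php"] [unique_id "CONSTRUCTED-0002"]',
    '[Sat Dec 26 20:29:11.000002 2015] [:error] [pid 26950] [client 192.0.2.11] '
    'File does not exist: /home/user/public_html/favicon.ico',
]

def failing_audit_dirs(lines):
    """Count failures per (directory above the date-stamped subdirs, reason)."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            base = DATE_TAIL_RE.sub("", m.group("path"))
            counts[(base, m.group("reason"))] += 1
    return counts

def owner_name(path):
    """Return the owning user of path, or None if path does not exist."""
    try:
        uid = os.stat(path).st_uid
    except FileNotFoundError:
        return None
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # uid without a passwd entry

if __name__ == "__main__":
    for (base, reason), n in failing_audit_dirs(SAMPLE).items():
        print(f"{n} failure(s) under {base} ({reason}); owner here: {owner_name(base)}")
```

If the reported owner is root while Apache runs as "nobody", that matches the cause described in the reply above.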

I use Comodo ssl and now the vendor for ModSecurity thank you!

I am wondering if I still need to use cPHulk brute force protection at the same time as the Comodo vendor enabled for ModSecurity?

Hi

I’d rather recommend using cPHulk protection because ModSecurity has persistent storage issues.
(For reference see here: https://github.com/SpiderLabs/ModSecurity/issues/574)

Regards, Oleg

ok I disabled these:

05_Global_Incoming.conf
09_Bruteforce_Bruteforce.conf
11_HTTP_HTTPDoS.conf
14_Outgoing_FilterGen.conf
15_Outgoing_FilterASP.conf
16_Outgoing_FilterPHP.conf
17_Outgoing_FilterIIS.conf
18_Outgoing_FilterSQL.conf
19_Outgoing_FilterOther.conf
20_Outgoing_FilterInFrame.conf
21_Outgoing_FiltersEnd.conf

Enabled cPHulk, so should be good now?

Yes, should be OK

Regards, Oleg

Thank you Oleg

Hey @grantdb and @Oleg,
Sorry, but what does cPHulk have to do with ModSecurity? They protect different applications, or am I missing something?

cPHulk is brute force protection for the cPanel web server or services.
ModSecurity has brute force protection for the cPanel web server, but it does not work well due to the persistent storage issue.
So I’d not recommend using ModSecurity for this purpose.

cPHulk can be used to protect the cPanel host; other software (for example ConfigServer Security & Firewall (csf)) can protect your web applications.

Regards, Oleg

Hi,
I have a server running the LiteSpeed web server but using the Apache configuration file. Which rule set should I install, Apache or LiteSpeed?

New rule set for ModSecurity v.2.9.2 has been added for Comodo ModSecurity Vendor in cPanel:

2.9.2:
  MD5: fc9b07c45d55db64a097d5fbf63b6f9c
  SHA512: 0b91ee55427f9bfa0aa4d918187926b3a04a1d966525cdcd9046ab4cc877d79591980deb88f9cd58f58fd0f2b1e8d5067a6c4cf681b2b3cbb22e6ca179cd3dc5
  distribution: comodo-apache-1133
  url: https://waf.comodo.com/api/cpanel_apache_vendor

How do I add bulk exceptions to Comodo WAF working as a vendor in cPanel? Some months ago I used the file:

/etc/apache2/conf.d/modsec/modsec2.cpanel.conf

Adding the rule id to:

ModSecurity disabled rules:

But now it’s not working.

I have tried to add to:

/var/cpanel/modsec_cpanel_conf_datastore

or

/var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf

But in the rules list in WHM - ModSecurity Tools - Rules List they are always activated!!!

Thanks

Hello,

When you use the Comodo ModSecurity vendor in cPanel, you cannot use /var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf.
This file works with the CWAF plugin only. You can turn off the configuration file with rule(s).

Hello

And how do I add bulk exceptions to Comodo WAF working as a vendor in cPanel?

If I have a server with 50 rule exceptions and I want to copy all the exceptions instead of configuring them one by one, how should I do it?

Thanks