Starting from CWAF client version 2.7 all DirectAdmin users with Nginx Web Server can use Comodo WAF protection.
Just install last version of CustomBuild and choose Comodo Rules for Nginx Web Server and rebuild ModSecurity rules.
I have one request.
On FreeBSD, check if p5-Net-SSLeay is already installed, before trying to call pkg.
Quite a few admins use the ports package management and that command
pkg install -y p5-Net-SSLeay
will break things.
Also, the shebang in installer.sh should be updated to
/usr/bin/env bash
Hi interfasys
Thank you for suggestion. I will add this to next client release.
Regards, Oleg
Hello every body
after use custom build of directadmin
i’m go to directadmin cp an go to Extra Features > Comodo WAF 2.7
but have error
» Home » CWAF 2.7
can't read config /usr/local/cwaf/etc/main.conf: Permission denied at /usr/local/share/perl5/Comodo/CWAF/Main.pm line 27.
Compilation failed in require at /usr/local/directadmin/plugins/comodo_waf/admin/index.pl line 10.
BEGIN failed--compilation aborted at /usr/local/directadmin/plugins/comodo_waf/admin/index.pl line 10.
can you help me to fix it
thank you very much
^^ i’m resolv it 
chmod 644 /usr/local/cwaf/etc/main.conf
ok but have error
(Connection error: sorry, you must have a tty to run sudo)
Hello,
It seems your /etc/sudoers contains
Defaults requiretty
Link below describes how to fix it globally or for user, group or some commands
Hi Naruto_Xboy
CWAF use sudo to run high privileged command such as restart Apache etc.
Please check if sudo installed, CWAF sudoers file ( /etc/sudoers.d/cwaf ) present and included in main sudoers file (usually /etc/sudoers).
Regards, Oleg
Ok thank you after i change
Defaults !requiretty in /etc/sudoes
and add
%admin ALL=NOPASSWD: ALL
have error
Current rules version 1.28 (Latest version)
CWAF plugin version 2.7 (Connection error: )
can you help me to include /etc/sudoers.d/cwaf to /etc/sudoers
here is sudoes file
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults !requiretty
#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults !visiblepw
#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
%admin ALL=NOPASSWD: ALL
and here is cwaf file
Defaults:root !requiretty
Defaults:cwaf_plugin !requiretty
cwaf_plugin ALL=(ALL) NOPASSWD: /usr/local/cwaf/scripts/cwaf-wrapper.pl
/etc/sudoers.d/cwaf is included to /etc/sudoers, because
#includedir /etc/sudoers.d
is in /etc/sudoers.
is not a comment in this case.
Please, run
sudo /usr/local/cwaf/scripts/update-client.pl -v
After i remove # in #includedir /etc/sudoers.d
and run sudo /usr/local/cwaf/scripts/update-client.pl -v
so error
[root[at]sv ~]# sudo /usr/local/cwaf/scripts/update-client.pl -v
sudo: >>> /etc/sudoers: syntax error near line 118 <<<
sudo: parse error in /etc/sudoers near line 118
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
and i restore it to #includedir /etc/sudoers.d
and run sudo /usr/local/cwaf/scripts/update-client.pl -v
[root@sv ~]# sudo /usr/local/cwaf/scripts/update-client.pl -v
Plugin version=2.7
Last available version=2.7
Installed for web platform=Apache
Current rules version 1.28 (Latest version)
CWAF plugin version 2.7 (Connection error: )
and here is log
May 7 20:03:22 sv sudo: root : parse error in /etc/sudoers near line 118 ; TTY=pts/0 ; PWD=/root ;
May 7 20:06:21 sv sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/local/cwaf/scripts/update-client.pl -v
May 7 20:06:37 sv sudo: admin : TTY=unknown ; PWD=/usr/local/directadmin ; USER=root ; COMMAND=/usr/local/cwaf/scripts/cwaf-wrapper.pl da_request_modsec
May 7 20:06:37 sv sudo: admin : TTY=unknown ; PWD=/usr/local/directadmin ; USER=root ; COMMAND=/usr/local/cwaf/scripts/cwaf-wrapper.pl check_modsec_loaded
May 7 20:06:37 sv sudo: admin : TTY=unknown ; PWD=/usr/local/directadmin ; USER=root ; COMMAND=/usr/local/cwaf/scripts/cwaf-wrapper.pl da_get_domainlist
May 7 20:06:39 sv sudo: admin : TTY=unknown ; PWD=/usr/local/directadmin ; USER=root ; COMMAND=/usr/local/cwaf/scripts/cwaf-wrapper.pl da_get_version
May 7 20:06:41 sv sudo: admin : TTY=unknown ; PWD=/usr/local/directadmin ; USER=root ; COMMAND=/usr/local/cwaf/scripts/cwaf-wrapper.pl da_request_modsec
Hi
Can you please try to run this command from unprivileged user cwaf_plugin ?
Login to this account with
su - cwaf_plugin
and run
$ sudo /usr/local/cwaf/scripts/cwaf-wrapper.pl da_get_domainlist
$ sudo /usr/local/cwaf/scripts/cwaf-wrapper.pl check_modsec_loaded
$ sudo /usr/local/cwaf/scripts/cwaf-wrapper.pl da_get_version
It may require to modify your /etc/passwd changing shell setting for this user from /bin/false or /sbin/nologin to other shell
thank you for support me ^^
i’m try run command
cat /etc/passwd
result here with many account
cwaf_plugin:x:493:492::/home/cwaf_plugin:/sbin/nologin
clamav:x:492:491::/home/clamav:/bin/false
…
and run su - cwaf_plugin
so have error 
[root@sv ~]# su - cwaf_plugin
This account is currently not available.
Hi
Change this line in /etc/passwd
cwaf_plugin:x:493:492::/home/cwaf_plugin:/sbin/nologinreplacing [b]/sbin/nologin[/b] with other shell (F.e. with [b]/bin/bash[/b])
This will allow you to run su - cwaf_plugin command
Regards, Oleg
Hi,
After edit line in /etc/paswd to /bin/bash
i run command and it is result
[root@sv ~]# su - cwaf_plugin
-bash: /bin/uname: Permission denied
-bash-4.1$
-bash-4.1$ sudo /usr/local/cwaf/scripts/cwaf-wrapper.pl da_get_domainlist
techview.vn
-bash-4.1$ sudo /usr/local/cwaf/scripts/cwaf-wrapper.pl check_modsec_loaded
security2_module (shared)
-bash-4.1$ sudo /usr/local/cwaf/scripts/cwaf-wrapper.pl da_get_version
cwaf_rules:1.28:3f9ac47fd8d75878b0089bc39f526f18
-bash-4.1$
but have error :((( CWAF not connection
Current rules version 1.28 (Latest version) Restore rules
CWAF plugin version 2.7 (Connection error: )
Hi
Seems this can take a long time.
Can you please provide us ssh access to this box?
I will PM you required contact info.
Regards, Oleg
Hi Naruto_Xboy
Thank you for access provided.
Problem was because in older version of DirectAdmin CWAF plugin worked as logged in user instead of special user ‘cwaf_plugin’.
I will add required changes to installation script and next release of CWAF client will fix this problem.
Meanwhile I will send you detailed instruction what to change in current version of plugin so it will work as expected.
Best regards, Oleg
Attention to DirectAdmin users 
CWAF plugin will work wrong if your DirectAdmin version is lower than 1.45.3
For details please see this topic: Plugins to have the ability to run as a specified User
Please update your DirectAdmin to latest version (update is free of charge) if you experienced plugin problems.
We will improve CWAF plugin so it will work on older DerectAdmin versions.
I wasn’t able to upgrade from 2.7 to 2.8 from the plugin, but it worked flawlessly using custombuild.
Unfortunately I did not look at the logs before using custombuild, so I don’t have more information to submit.
on directadmin panel i get the meesage
Can't locate Comodo/CWAF/Main.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/directadmin/plugins/comodo_waf/admin/index.pl line 10.
BEGIN failed--compilation aborted at /usr/local/directadmin/plugins/comodo_waf/admin/index.pl line 10.
Hi
Do you have custom Perl install?
Please change file /usr/local/directadmin/plugins/comodo_waf/admin/index.html to point to system Perl
Line 4:
$file = “perl /usr/local/directadmin/plugins/comodo_waf/admin/index.pl 2>&1”;
should be changed to:
$file = “/usr/bin/perl /usr/local/directadmin/plugins/comodo_waf/admin/index.pl 2>&1”;
This issue will be fixed in next version of plugin.
Regards, Oleg
Still not possible to upgrade from the DA control panel.
Nothing useful in the logs
13/06/15 10:57:49 update-client[95038] Running update command: bash /usr/local/cwaf/tmp/install/cwaf_client_install.sh -- --update --mode auto
13/06/15 10:57:49 update-client[95038] ERROR: can't run install script(error )