cPanel 11.48 plans?

wtleaver · February 4, 2015, 1:33am

cPanel 11.48 with its ModSecurity overhaul and owasp based ruleset is now in the release tier. Is Comodo planning to be listed as a rule vendor in the new setup?

I’m concerned about how we’re going to handle the update with Comodo waf installed.

Hedloff · February 4, 2015, 7:31am

Wondering the same question.
We have updated all our cPanel servers now. And would like to add Comodo WAF as a Vendor? See picture.

[attachment deleted by admin]

vadim · February 4, 2015, 7:56am

Technically, we’ll be ready to support cPanel Vendor requirements this week. But I can’t say for sure when cPanel adds Comodo as a mod_security vendor, it will depend on agreements between companies management.

crownhost · February 5, 2015, 10:52am

Hopefully very soon!
We tried out the new cpanel 11.48 OWASP rule set and it causes loads of false positives with clients unable to access or edit wordpress sites and we couldn’t access WHMCS. Have now disabled the rule set.

markb1439 · February 5, 2015, 4:48pm

If we don’t choose to use the cPanel-supplied rules, CWAF will continue to function as before, right? Or will the new Vendor stuff interfere with that?

crownhost · February 5, 2015, 5:13pm

When we disabled the cpanel OWASP rule set the CWAF rules worked as before. As I understand it, new rules add to the existing set not replace them.

oleg.tsygany · February 6, 2015, 8:59am

Hi

Yes, CWAF replace cPanel modsecurity config with its own, so cPanel-supplied rules don’t have effect on it.
This cPanel modsecurity config will be carefully restored after CWAF uninstall.
It means user should choose either CWAF or cPanel-supplied rules. They can’t work together.

columbussoft · February 8, 2015, 10:45pm

Any updates on this? I don’t think you need cPanels approval you just have to create the YAML file online?! Or maybe I am wrong, but either way can not wait for this to be added. OWASP does have a lot of false positives, about 50-100 rules may be needed to removed but the new cPanel interface makes it very easy to disable rules one by one. At the end of the day I have decided to keep OWASP and wait for Comodo to create the cPanel ModSecurity Vendor functionality.

vadim · February 9, 2015, 8:08am

Technically, we are ready to this. All this cPanel ModSecurity Vendor requirements done:

https://documentation.cpanel.net/display/CKB/How+to+Create+a+ModSecurity+Vendor

YAML files and packages has been released.

But cPanel may add or not add Comodo WAF as a ModSecurity Vendor. So, let’s wait result of conversation between business/product departments.

Varial · February 19, 2015, 8:07pm

I just found out the hard way that cPanel moved ModSec’s persistent IP storage from /tmp/ip.pag to /var/cpanel/secdatadir/ip.pag in 11.48. If you are using Comodo’s brute force protection rules, you may want to setup a cron job to delete this file every now and then. If it grows too large you’ll suddenly get hit with high server loads and poor performance. Had the file grow to 13GB during a large brute force attack that rendered ModSec ineffective.

needsomehelp · February 25, 2015, 9:49pm

Hi /var/cpanel/secdatadir/ip.pag is 47,640KB can i just delete this or it it not big enough yet

akabakov · February 26, 2015, 9:43am

Interesting article about this problem:

github.com/owasp-modsecurity/ModSecurity

IP persistence storage seems to not clean up

opened 08:24PM - 17 Oct 13 UTC

closed 09:05PM - 21 May 17 UTC

rcbarnett-zz

bug TBF by libmodsec

MODSEC-426: It seem that mod_security is not cleaning up the persistence storage… for the IP-storage I am using. Here is a simple test ruleset I am using (nothing else): SecRule IP:dos_block "@eq 1" \ "phase:2,block,msg:'IP address blocked due to high connection rate.', \ id:2003,status:403,severity:'CRITICAL',tag:'DoS'" SecRule SCRIPT_FILENAME "@rx /www/content/prod/dl/dl.php" \ "phase:5,chain,t:none,nolog,pass,id:2001,severity:'INFO',tag:'DoS',setvar:IP.dos_counter=+1,expirevar:IP.dos_counter=60" SecRule IP:dos_counter "@gt 100" \ "t:none,setvar:IP.dos_block,setvar:!IP.dos_counter,expirevar:IP.dos_block=60" The ruleset is working fine. But what I am noticing is, that the /var/tmp/ip.pag file is constantly growing. It is currently at >1GiB size. When I do a "strings" on that file, I see entries like this: __expire_KEY 1344192686 794.224.68.113_64d9d88c927c58359a3649f30a00e95070bbb8c0 TIMEOUT 3600 __key 794.224.68.113_64d9d88c927c58359a3649f30a00e95070bbb8c0 __name CREATE_TIME 1344189037 UPDATE_COUNTER dos_counter __expire_dos_counter 1344189097 LAST_UPDATE_TIME 1344189086 94.224.68.113_64d9d88c927c58359a3649f30a00e95070bbb8c0 __expire_KEY 1343169406 868.167.225.250_77150c41806fda817314ba9c40e040c598830d5d TIMEOUT 3600 __key 868.167.225.250_77150c41806fda817314ba9c40e040c598830d5d __name CREATE_TIME 1343165769 UPDATE_COUNTER dos_counter __expire_dos_counter 1343165829 LAST_UPDATE_TIME 1343165806 68.167.225.250_77150c41806fda817314ba9c40e040c598830dIR __expire_KEY 1344005533 786.132.126.93_aa739e3aaaa1fbfc8667bb26120e9930df881a82 TIMEOUT 3600 __key 786.132.126.93_aa739e3aaaa1fbfc8667bb26120e9930df881a82 __name [...] Now when I convert the UNIX time strings to UTC, it shows me dates, which are already expired since weeks. I would asume, that if an entry is expired, that the garbage collection of mod_sec would remove the entry from the ip.pag file, to keep it small. Or am I wrong? Any assistance would be highly appreciated.

Also you can try to use SecCollectionTimeout parameter to optimize ip.pag size or even try this utility
GitHub - SpiderLabs/modsec-sdbm-util: Utility to manipulate SDBM files used by ModSecurity. With that utility it is possible to _shrink_ SDBM databases. It is also possible to list the SDBM contents with filters such as: expired or invalid items only. to ‘shrink’ collection.

QOFfZUfea · February 26, 2015, 3:22pm

I have been waiting for mod_sec today and was trying to add the Comodo Rules to cPanel. I noticed that we can manually add a URL for vendor’s yaml files and to add their rules. I was going to try making my own to get the comodo rules in, but based on above it looks like this is done. Is it possible to get the yaml file so we can manually add it ourselves without waiting for cPanel to make a decision?

Ryan

vadim · February 26, 2015, 3:39pm

Sorry, but we still wait response from cPanel about this feature. We are not sure what current yaml file will be approved by cPanel, so they are possibly request us to change something, e.g. vendor names or identifiers.

I hope, next week, if we don’t have any changes on this, we’ll post a links to these yaml files and a way how-to add Comodo rules to cPanel.

pointaction · March 2, 2015, 8:54pm

Tristan J. Wallace says: [b]March 2nd, 2015 at 02:13 PM [/b] Hello,
Comodo is not being investigated yet as a possible vendor (OWASP ruleset is the provided vendor at this time). In case 171041, the discussion was made that this would be best set as a feature request instead at http://features.cpanel.net location.

I put in a feature request with cPanel posted at http://features.cpanel.net/responses/comodo-waf-as-a-modsecurity-vendor Comodo WAF as a ModSecurity Vendor

I hope this helps.

plusplus · March 4, 2015, 6:32pm

While cpanel check if add CWAF as vendor is there any chance you provide the information needed here to add you as vendor in the WHM?

https://documentation.cpanel.net/display/ALD/ModSecurity+Vendors

Sounds like with that information you can add you into WHM and activate your rules.

Thanx!

RootX · March 5, 2015, 1:50am

I would like to see the same, more variety and participation from multiple mod security rule vendors – it doesn’t even require cPanel to do anything more. Any rule provider can setup the necessary vendor URL without cPanel involvement; I don’t understand why Comodo may be delaying this under seemingly false pretenses that it somehow requires official addition to cPanel&WHM.

vadim · March 10, 2015, 10:34am

Please see last information about this question here: https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/comodo-as-a-modsecurity-vendor-in-cpanel-t110147.0.html