cPanel EasyApache4 + CWAF-plugin+ModSecurity™ Tools Hit list

There are some issues with the software named in the topic header.

  1. CWAF-plugin doesn’t work;
  2. After CWAF-plugin reinstall ModSecurity™ Tools Hit list doesn’t work.

The causes of these issues are:

  1. apache configuration files path is changed from /usr/local/apache/* to /etc/apache2;
  2. apache log files path is changed from /var/log/httpd to /var/log/apache2;
  3. Hit List doesn’t work with symlinks.

To resolve these issues, the following steps could be performed:

  1. reinstall CWAF-plugin;
  2. copy old ModSecurity™ configuration file to a new one:

     cp /usr/local/apache/conf/modsec2.conf /etc/apache2/conf.d/zzzz_cwaf_security2.conf

  3. in /etc/apache2/conf.d/zzzz_cwaf_security2.conf log files paths should be changed:

     SecAuditLog /var/log/apache2/modsec_audit.log
     SecDebugLog /var/log/apache2/modsec_debug.log

Then apache should be restarted. After that ModSecurity™ Tools Hit List should work.

For those using a 64bit OS, I had to change the first line to read:
LoadFile /usr/lib64/

Hope this helps someone else. A clean install of comodo modsec did not fix this. -sigh-

Yes, that worked for me as well on Apache servers.
But on LiteSpeed I also had to add this symlink:
ln -s /usr/local/apache/conf/modsec2.conf /etc/apache2/conf.d/zzzz_cwaf_security2.conf

I put zzzz_cwaf_security2.conf in /etc/apache2/conf.d but Apache is not including it. What file do I need to edit to include it?

Should it not go in modsec2.user.conf?

Thank you for your help.

Please check /etc/apache2/conf/httpd.conf
It should contain:

# less /etc/apache2/conf/httpd.conf | grep Include
Include "/etc/apache2/conf.d/*.conf"
and some other includes.

I have done all of these steps, my modsec_audit.log is in /var/log/apache2, hits are being logged, but my Hits List is still not working.

Anyone have additional tips on troubleshooting?

Maybe you have some error logs?

I have two cPanel servers, and on one I was able to set up ModSecurity and the Comodo ruleset successfully. The other is not working, and I can’t see much difference in it.

What would I look for in the logs? Will the hits list log somewhere? I can’t find any errors at all.

Comparing the two servers I can’t find any differences that might keep the Hit List from working.

Does anyone have any idea how this works? Is it reading the logs at /var/log/apache2/modsec_audit.log?

You are right.
Hit List is a parser for /var/log/apache2/modsec_audit.log. So, info from it should be visible in Hit List.
Did you ask cPanel support about this issue?

The discussion on the cPanel forum suggested I look for an answer here.

Please check permissions on /var/log/apache2/modsec_audit.log

-rw-r-----.  1 nobody nobody    250326 Feb 13 05:10 modsec_audit.log

It’s the same as my other server.

-rw-r-----. 1 root root 232M Feb 21 10:27 /var/log/apache2/modsec_audit.log

I just upgraded from EA3 to EA4 and needed to reboot the server to see the Hit List … so I recommend doing a reboot after fixing the paths before spending too much time troubleshooting.
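
The checks suggested across this thread, collected into one shell function as an added example (not code from any poster, cPanel or Comodo). The default paths are the ones quoted in the posts above; treating a symlinked config file or audit log as a failure is an assumption based on the first post's remark that Hit List doesn't work with symlinks.

```shell
#!/bin/sh
# Added example: sanity checks for the EasyApache 4 paths named in this thread.
# Arguments default to the paths quoted in the posts; pass others to test.
# Usage (as root): check_cwaf [CONF] [HTTPD_CONF] [AUDIT_LOG]
check_cwaf() {
    conf=${1:-/etc/apache2/conf.d/zzzz_cwaf_security2.conf}
    httpd=${2:-/etc/apache2/conf/httpd.conf}
    want=${3:-/var/log/apache2/modsec_audit.log}
    bad=0

    # 1. The ModSecurity config should be a real file (assumption: the
    #    "doesn't work with symlinks" remark applies to it).
    if [ -L "$conf" ]; then
        echo "FAIL: $conf is a symlink"; bad=$((bad + 1))
    elif [ ! -f "$conf" ]; then
        echo "FAIL: $conf is missing"; bad=$((bad + 1))
    fi

    # 2. httpd.conf must pull in conf.d/*.conf, otherwise the file is ignored.
    if ! grep -E '^[[:space:]]*Include(Optional)?[[:space:]]' "$httpd" 2>/dev/null |
            grep -qF "$(dirname "$conf")/*.conf"; then
        echo "FAIL: $httpd has no Include for $(dirname "$conf")/*.conf"
        bad=$((bad + 1))
    fi

    # 3. SecAuditLog must name the log path that Hit List parses.
    got=$(awk '$1 == "SecAuditLog" { gsub(/"/, "", $2); print $2; exit }' "$conf" 2>/dev/null)
    if [ "$got" != "$want" ]; then
        echo "FAIL: SecAuditLog is '${got:-unset}', expected $want"
        bad=$((bad + 1))
    fi

    # 4. The audit log must exist as a regular file; print owner and mode
    #    so they can be compared with a working server.
    if [ -f "$want" ] && [ ! -L "$want" ]; then
        ls -l "$want"
    else
        echo "FAIL: $want is missing or a symlink"; bad=$((bad + 1))
    fi

    [ "$bad" -eq 0 ] && echo "OK: paths look consistent"
    return "$bad"
}
```

The return status is the number of failed checks, so `check_cwaf && echo fine` works in a script.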