CWAF Broke Sites


All of a sudden, after a cPanel update, all sites on our server stopped working. HTTP would not start because:

[~]# service httpd restart

Syntax error on line 31 of /var/cpanel/cwaf/rules/cwaf_01.conf:

ModSecurity: Found another rule with the same id

I deleted that file for the moment and got similar errors for subsequent cwaf conf files. I finally uninstalled and reinstalled CWAF, and things look normal now.

However, it’s very concerning that a component like this can take down all of the sites on a server. How can we keep this from happening again? Do we need to add Comodo as a vendor and stop using the plugin? Or is there another solution?



“Syntax error on line 31 of /var/cpanel/cwaf/rules/cwaf_01.conf:”
We had the same problem. We found by reverting to the previous rule ( 1.25 ) set it fixed the error. So the current rule set has same rule IDs causing the error.

We are sorry, it was unacceptable error in the rules.

Please update rules from the plugin now.

If you use cPanel Vendor, please update rules now from console:

# /usr/local/cpanel/scripts/modsec_vendor update --auto

Thanks for quick fix

Hi Mark

Plugin users is more protected from such situations because plugin check the rules before applying.

However, If you use CWAF cPanel plugin and things is broken by this update please try following from console:

`# rm -rf /var/cpanel/cwaf/rules/*


Plesk users can try this:
$ rm -rf /usr/local/cwaf/rules/* $ /usr/local/cwaf/scripts/

UPD. Scripts changed to avoid next rules update problems

That resolved it for me - thank you

And, after fixing it last night, it happens again tonight. SERIOUSLY?

Hi Mark

Did you use uninstall script to remove plugin before reinstall it again?
# cd /var/cpanel/cwaf/scripts && ./
However, there is way to clear rules without plugin reinstall.

Since plugin have legacy incremental update procedure (which would be totally removed in next release of plugin), content of previous rules update added to content of new update.
And this can lead to broken rules again.
Please try following commands:
# rm -rf /var/cpanel/cwaf/rules/* - remove rules content
# /var/cpanel/cwaf/scripts/ - update rules to latest version

Hi Oleg,

I had uninstalled and reinstalled the plugin. Then, to be safe I had run the other set of commands to update the rules to the latest version. When it happened again, I noticed that the plugin displayed “0” (as in zero) as the current rules version. So something got lost in the shuffle. Hopefully it won’t happen again.



Hi Mark

If you like we can take closer look at your server, to be sure all is ok.
If you interested please submit a ticket to support so we can ask sensitive info or even ssh access.
Submit a ticket - Powered by Kayako Help Desk Software (Department ‘WAF Support’)

Regards, Oleg