CWAF Broke Sites

Hi,

All of a sudden, after a cPanel update, all sites on our server stopped working. HTTP would not start because:

==========
[~]# service httpd restart

Syntax error on line 31 of /var/cpanel/cwaf/rules/cwaf_01.conf:

ModSecurity: Found another rule with the same id

I deleted that file for the moment and got similar errors for subsequent cwaf conf files. I finally uninstalled and reinstalled CWAF, and things look normal now.

However, it’s very concerning that a component like this can take down all of the sites on a server. How can we keep this from happening again? Do we need to add Comodo as a vendor and stop using the plugin? Or is there another solution?

Thanks,

Mark

“Syntax error on line 31 of /var/cpanel/cwaf/rules/cwaf_01.conf:”
We had the same problem. We found that reverting to the previous rule set (1.25) fixed the error. So the current rule set has the same rule IDs, causing the error.

We are sorry, it was an unacceptable error in the rules.

Please update rules from the plugin now.

If you use cPanel Vendor, please update rules now from console:

# /usr/local/cpanel/scripts/modsec_vendor update --auto

Thanks for the quick fix

Hi Mark

Plugin users are more protected from such situations because the plugin checks the rules before applying them.

However, if you use the CWAF cPanel plugin and things are broken by this update, please try the following from the console:

# rm -rf /var/cpanel/cwaf/rules/*
# /var/cpanel/cwaf/scripts/updater.pl

Plesk users can try this:
$ rm -rf /usr/local/cwaf/rules/*
$ /usr/local/cwaf/scripts/updater.pl

UPD. Scripts changed to avoid next rules update problems

That resolved it for me - thank you

And, after fixing it last night, it happens again tonight. SERIOUSLY?

Hi Mark

Did you use the uninstall script to remove the plugin before reinstalling it?
# cd /var/cpanel/cwaf/scripts && ./uninstall_cwaf.sh
However, there is a way to clear the rules without reinstalling the plugin.

Since the plugin has a legacy incremental update procedure (which would be totally removed in the next release of the plugin), the content of the previous rules update is added to the content of the new update.
And this can lead to broken rules again.
Please try the following commands:
# rm -rf /var/cpanel/cwaf/rules/*  # remove rules content
# /var/cpanel/cwaf/scripts/updater.pl  # update rules to latest version
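
The duplicate-id condition discussed in this thread can be detected before httpd is restarted. The script below is an added example, not part of any post here and not Comodo's or cPanel's code; the function names are hypothetical, and it assumes rules declare ids as `id:NNN`, optionally quoted.

```shell
#!/bin/sh
# Added example, not Comodo's code: find ModSecurity rule ids declared more
# than once across the *.conf files of a rules directory.
# Assumption: ids are written as id:NNN, id:'NNN' or id:"NNN".

# list_rule_ids DIR: print "<id><TAB><file>" for every id action found.
list_rule_ids() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # Drop comment lines, isolate each id action, keep only its digits.
        grep -v '^[[:space:]]*#' "$f" \
            | grep -oE "(^|[\"',[:space:]])id:['\"]?[0-9]+" \
            | grep -oE '[0-9]+$' \
            | while read -r id; do printf '%s\t%s\n' "$id" "$f"; done
    done
}

# find_duplicate_rule_ids DIR: print "<id>: <files>" for each repeated id.
# Returns 1 when at least one duplicate exists, 0 otherwise.
find_duplicate_rule_ids() {
    dups=$(list_rule_ids "$1" | awk -F'\t' '
        { count[$1]++; files[$1] = files[$1] " " $2 }
        END { for (id in count) if (count[id] > 1) print id ":" files[id] }
    ' | sort -n)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}
```

Calling `find_duplicate_rule_ids /var/cpanel/cwaf/rules` after a rules update and restarting httpd only when it returns 0 catches both ids repeated across files and ids repeated inside one file, which is what appended update content would produce.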

Hi Oleg,

I had uninstalled and reinstalled the plugin. Then, to be safe I had run the other set of commands to update the rules to the latest version. When it happened again, I noticed that the plugin displayed “0” (as in zero) as the current rules version. So something got lost in the shuffle. Hopefully it won’t happen again.

Thanks,

Mark

Hi Mark

If you like, we can take a closer look at your server, to be sure all is OK.
If you are interested, please submit a ticket to support so we can ask for sensitive info or even SSH access.
Submit a ticket - Powered by Kayako Help Desk Software (Department ‘WAF Support’)

Regards, Oleg