HELP URGENT TWO ERRORS with WAF

Hi, I have 2 nasty and urgent errors with the WAF

I have installed Comodo WAF on my Ubuntu 12.04 server and now I encounter 2 problems:

This first error below happens when I try to save the EXCLUDE list:
ERROR!
can not restart httpd, delete domain exclude list

The second error below shows when I want to save the general settings, for example to turn the WAF on or off:
ERROR!
can not apply configuration, check permissions or mod_security syntax

Also, when I restart Apache I got errors and need to uninstall the WAF, otherwise Apache won’t run again.

By the way, I am logged in on my server as ROOT. Also I use WEBMIN and VIRTUALMIN as admin panels.
mod_security is installed in the Apache modules and gives no errors.

I also don’t know how to test if things are working

I hope there is a simple solution for these problems. Thanks in advance !

Hi

Seems there are errors in modsecurity config.
Can you please post here result of command

# apachectl -t

And also errors Apache returning during restart.
Sorry for delay with answer, we have day off :embarassed:

With best regards, Oleg

Hello and thanks for your help!

The command you gave me gives this result:

Syntax error on line 24 of /usr/local/cwaf/rules/25_Apps_Joomla.conf:
Error creating rule: Unknown variable: MULTIPART_FILENAME
Action ‘-t’ failed.
The Apache error log may have more information.

Hi

Seems you have an old version of mod_security.
CWAF supports 2.7.3, 2.7.5, 2.7.7, 2.8.0, 2.9.0

You can compile modsecurity from sources, here is a decent manual:

Also binary packages can be found here (look in the Debian section for version 2.8.0, because Ubuntu has the old 2.6.3 version):
http://pkgs.org/search/mod_security

With best regards, Oleg

Thanks but now I get an error.

I had to uninstall CWAF because Apache was giving an error.

Now I try to install this:

libapache2-mod-security2_2.9.0-1_i386.deb

But I get this error:

I installed it through the WEBMIN panel,

dpkg: regarding …/libapache2-mod-security2_2.9.0-1_i386.deb containing libapache2-mod-security2:i386:
libapache2-mod-security2:i386 breaks libapache2-modsecurity (<< 2.7.7-1~)
libapache2-modsecurity (version 2.6.3-1ubuntu0.2) is present and installed.
dpkg: error processing /tmp/.webmin/libapache2-mod-security2_2.9.0-1_i386.deb (--install):
installing libapache2-mod-security2:i386 would break libapache2-modsecurity, and
deconfiguration is not permitted (--auto-deconfigure might help)
Errors were encountered while processing:
/tmp/.webmin/libapache2-mod-security2_2.9.0-1_i386.deb

Hi Oleg,

I tried it once more through the command line and this is the result.
What can we do now?
Thanks in advance!
Kind regards

root@host1 ~ # dpkg -i -B libapache2-mod-security2_2.9.0-1_i386.deb
dpkg: considering deconfiguration of libapache2-modsecurity, which would be broken by installation of libapache2-mod-security2:i386 …
dpkg: yes, will deconfigure libapache2-modsecurity (broken by libapache2-mod-security2:i386).
(Reading database … 784256 files and directories currently installed.)
Unpacking libapache2-mod-security2:i386 (from libapache2-mod-security2_2.9.0-1_i386.deb) …
De-configuring libapache2-modsecurity …
Replacing files in old package libapache2-modsecurity …
dpkg: dependency problems prevent configuration of libapache2-mod-security2:i386:
libapache2-mod-security2:i386 depends on libxml2 (>= 2.9.0); however:
Version of libxml2:i386 on system is 2.7.8.dfsg-5.1ubuntu4.11.
libapache2-mod-security2:i386 depends on libapr1 (>= 1.2.7); however:
libapache2-mod-security2:i386 depends on libaprutil1 (>= 1.2.7+dfsg); however:
libapache2-mod-security2:i386 depends on libcurl3-gnutls (>= 7.16.2); however:
libapache2-mod-security2:i386 depends on liblua5.1-0; however:
libapache2-mod-security2:i386 depends on libpcre3 (>= 1:8.35); however:
Version of libpcre3:i386 on system is 8.12-4ubuntu0.1.
libapache2-mod-security2:i386 depends on libyajl2 (>= 2.0.4); however:
libapache2-mod-security2:i386 depends on apache2-api-20120211; however:
dpkg: error processing libapache2-mod-security2:i386 (--install):
dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of libapache2-modsecurity:
libapache2-mod-security2:i386 (2.9.0-1) breaks libapache2-modsecurity (<< 2.7.7-1~) and is unpacked but not configured.
Version of libapache2-modsecurity to be configured is 2.6.3-1ubuntu0.2.
dpkg: error processing libapache2-modsecurity (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
libapache2-mod-security2:i386
libapache2-modsecurity
root@host1 ~ #
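
A way to condense dpkg output like the above into one line per unmet dependency (an added example, not part of the original posts). The function name `unmet_deps` and the embedded sample are constructed for illustration; "not reported" means the log shows no installed version for that dependency.

```shell
#!/bin/sh
# Added example: summarise the unmet dependencies in a dpkg error log.
# Output: one line per dependency, tab-separated: name, required, installed.
unmet_deps() {
    awk '
    function emit() {
        if (dep != "") printf "%s\t%s\t%s\n", dep, need, have
        dep = ""
    }
    / depends on / {
        emit()
        line = $0
        sub(/^.* depends on /, "", line)      # drop the depending package
        sub(/; however:.*$/, "", line)        # drop the trailer
        dep = line; need = "any"; have = "not reported"
        if (match(line, / \(.*\)$/)) {        # versioned: "name (>= x.y)"
            dep  = substr(line, 1, RSTART - 1)
            need = substr(line, RSTART + 2, RLENGTH - 3)
        }
        next
    }
    dep != "" && /Version of .* on system is / {
        have = $NF; sub(/\.$/, "", have); next
    }
    dep != "" && /Package .* is not installed/ { have = "not installed"; next }
    { emit() }
    END { emit() }
    '
}

# Constructed sample, shortened from the output quoted in the thread.
sample_log() {
    cat <<'EOF'
dpkg: dependency problems prevent configuration of libapache2-mod-security2:i386:
 libapache2-mod-security2:i386 depends on libxml2 (>= 2.9.0); however:
  Version of libxml2:i386 on system is 2.7.8.dfsg-5.1ubuntu4.11.
 libapache2-mod-security2:i386 depends on liblua5.1-0; however:
 libapache2-mod-security2:i386 depends on libpcre3 (>= 1:8.35); however:
  Version of libpcre3:i386 on system is 8.12-4ubuntu0.1.
dpkg: error processing libapache2-mod-security2:i386 (--install):
EOF
}

sample_log | unmet_deps
```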

Hi

According to the error output, this version of mod_security was compiled for a newer version of Debian, with more modern libraries.
Try to get one for an older Debian version (Debian Wheezy for example):
http://pkgs.org/debian-wheezy/debian-backports-main-i386/libapache2-mod-security2_2.8.0-2~bpo70+1_i386.deb.html

Best regards, Oleg

Hello Oleg,

I think this is a real nasty one.
Another error :frowning:

Hope you have a solution!

dpkg: warning: downgrading libapache2-mod-security2:i386 from 2.9.0-1 to 2.8.0-2~bpo70+1.
(Reading database … 784273 files and directories currently installed.)
Preparing to replace libapache2-mod-security2:i386 2.9.0-1 (using …/libapache2-mod-security2_2.8.0-2-bpo70+1_i386.deb) …
Unpacking replacement libapache2-mod-security2:i386 …
dpkg: dependency problems prevent configuration of libapache2-mod-security2:i386:
libapache2-mod-security2:i386 depends on libxml2 (>= 2.8.0); however:
Version of libxml2:i386 on system is 2.7.8.dfsg-5.1ubuntu4.11.
libapache2-mod-security2:i386 depends on libapr1 (>= 1.2.7); however:
libapache2-mod-security2:i386 depends on libaprutil1 (>= 1.2.7+dfsg); however:
libapache2-mod-security2:i386 depends on libcurl3-gnutls (>= 7.16.2); however:
libapache2-mod-security2:i386 depends on liblua5.1-0; however:
dpkg: error processing libapache2-mod-security2:i386 (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
libapache2-mod-security2:i386

Hi

No luck:(
Seems Wheezy contains different libraries. The only solution available is to compile mod_security from source.

Hi Oleg,

That does not look so simple :frowning:
What does compiling it mean, and are there also problems to expect?
Thanks in advance!

Hi

First we have to install pre-requisites:

sudo apt-get install build-essential libxml2-dev libcurl4-openssl-dev

Then download the source from modsecurity.org
I’d recommend the latest version, 2.9.0
https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz

Untar it

tar -zxf ./modsecurity-2.9.0.tar.gz

Configure:

cd modsecurity-2.9.0
./configure

This step can reveal missing libraries; look carefully at the configure console output. Install missing libraries if required.

If configure is successful, run make:

make 

It will compile and create the library mod_security2.so in the .libs subdir.

Replace the standard library with the newly compiled one. The place where the system library is located can be found in the Apache config.
Usually it’s in /etc/apache2/mods_available/mod-security.load, something like

LoadModule security2_module /usr/local/lib/mod_security2.so

Just replace it with the newly compiled library.

mv /usr/local/lib/mod_security2.so /usr/local/lib/mod_security2.so.old
cp ./mod_security2.so /usr/local/lib/mod_security2.so

Restart Apache.

Regards, Oleg
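
The replace-and-restart step above, with a config test and automatic rollback so a bad module never leaves Apache unable to start (an added example, not part of Oleg's post). The function name `swap_module` and the `APACHECTL` override variable are hypothetical; pass the real module path from your `LoadModule` line.

```shell
#!/bin/sh
# Added example: swap in a newly built mod_security2.so and roll back if
# Apache's config test fails. Paths are passed as arguments; take the real
# target from the LoadModule line in your Apache config.
APACHECTL="${APACHECTL:-apachectl}"   # assumption: overridable for testing

# swap_module NEW_SO TARGET_SO
# Returns 0 if the new module is in place and the config test passed,
# 1 if the test failed and the old module was restored, 2 on bad input.
swap_module() {
    new_so=$1
    target=$2
    backup="$target.old"

    [ -f "$new_so" ] || { echo "missing build output: $new_so" >&2; return 2; }
    [ -f "$target" ] || { echo "missing installed module: $target" >&2; return 2; }

    # Keep the working module so it can be restored.
    cp -p "$target" "$backup" || return 2
    # Copy to a temporary name, then rename, so the target is never half-written.
    cp "$new_so" "$target.new" && mv "$target.new" "$target" || return 2

    # "apachectl -t" loads the modules and parses every rule file.
    if $APACHECTL -t >/dev/null 2>&1; then
        echo "config test OK; restart Apache to load the new module"
        return 0
    fi
    echo "config test failed; restoring previous module" >&2
    mv "$backup" "$target"
    return 1
}

# Run as: script.sh /path/to/new/mod_security2.so /path/to/installed/mod_security2.so
if [ "$#" -eq 2 ]; then
    swap_module "$1" "$2"
fi
```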

Wow, wonderful, and thanks so much for writing exactly how to do this, Oleg!
Will try this and it needs to work! :slight_smile:

Hi Oleg,
I don’t know if this went well:
After ./configure:

root@host1 ~/modsecurity-2.9.0 # ./configure
checking for a BSD-compatible install… /usr/bin/install -c
checking whether build environment is sane… yes
checking for a thread-safe mkdir -p… /bin/mkdir -p
checking for gawk… gawk
checking whether make sets $(MAKE)… yes
checking whether make supports nested variables… yes
checking for style of include used by make… GNU
checking for gcc… gcc
checking whether the C compiler works… yes
checking for C compiler default output file name… a.out
checking for suffix of executables…
checking whether we are cross compiling… no
checking for suffix of object files… o
checking whether we are using the GNU C compiler… yes
checking whether gcc accepts -g… yes
checking for gcc option to accept ISO C89… none needed
checking whether gcc understands -c and -o together… yes
checking dependency style of gcc… gcc3
checking for ar… ar
checking the archiver (ar) interface… ar
checking build system type… x86_64-unknown-linux-gnu
checking host system type… x86_64-unknown-linux-gnu
checking how to print strings… printf
checking for a sed that does not truncate output… /bin/sed
checking for grep that handles long lines and -e… /bin/grep
checking for egrep… /bin/grep -E
checking for fgrep… /bin/grep -F
checking for ld used by gcc… /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld… yes
checking for BSD- or MS-compatible name lister (nm)… /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface… BSD nm
checking whether ln -s works… yes
checking the maximum length of command line arguments… 1572864
checking whether the shell understands some XSI constructs… yes
checking whether the shell understands “+=”… yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format… func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format… func_convert_file_noop
checking for /usr/bin/ld option to reload object files… -r
checking for objdump… objdump
checking how to recognize dependent libraries… pass_all
checking for dlltool… no
checking how to associate runtime and link libraries… printf %s\n
checking for archiver @FILE support… @
checking for strip… strip
checking for ranlib… ranlib
checking command to parse /usr/bin/nm -B output from gcc object… ok
checking for sysroot… no
checking for mt… mt
checking if mt is a manifest tool… no
checking how to run the C preprocessor… gcc -E
checking for ANSI C header files… yes
checking for sys/types.h… yes
checking for sys/stat.h… yes
checking for stdlib.h… yes
checking for string.h… yes
checking for memory.h… yes
checking for strings.h… yes
checking for inttypes.h… yes
checking for stdint.h… yes
checking for unistd.h… yes
checking for dlfcn.h… yes
checking for objdir… .libs
checking if gcc supports -fno-rtti -fno-exceptions… no
checking for gcc option to produce PIC… -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works… yes
checking if gcc static flag -static works… yes
checking if gcc supports -c -o file.o… yes
checking if gcc supports -c -o file.o… (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries… yes
checking whether -lc should be explicitly linked in… no
checking dynamic linker characteristics… GNU/Linux ld.so
checking how to hardcode library paths into programs… immediate
checking for shl_load… no
checking for shl_load in -ldld… no
checking for dlopen… no
checking for dlopen in -ldl… yes
checking whether a program can dlopen itself… yes
checking whether a statically linked program can dlopen itself… no
checking whether stripping libraries is possible… yes
checking if libtool supports shared libraries… yes
checking whether to build shared libraries… yes
checking whether to build static libraries… yes
checking for gawk… (cached) gawk
checking for gcc… (cached) gcc
checking whether we are using the GNU C compiler… (cached) yes
checking whether gcc accepts -g… (cached) yes
checking for gcc option to accept ISO C89… (cached) none needed
checking whether gcc understands -c and -o together… (cached) yes
checking dependency style of gcc… (cached) gcc3
checking how to run the C preprocessor… gcc -E
checking whether ln -s works… yes
checking whether make sets $(MAKE)… (cached) yes
checking for grep that handles long lines and -e… (cached) /bin/grep
checking for perl… /usr/bin/perl
checking for env… /usr/bin/env
checking for ANSI C header files… (cached) yes
checking fcntl.h usability… yes
checking fcntl.h presence… yes
checking for fcntl.h… yes
checking limits.h usability… yes
checking limits.h presence… yes
checking for limits.h… yes
checking for stdlib.h… (cached) yes
checking for string.h… (cached) yes
checking for unistd.h… (cached) yes
checking for sys/types.h… (cached) yes
checking for sys/stat.h… (cached) yes
checking sys/utsname.h usability… yes
checking sys/utsname.h presence… yes
checking for sys/utsname.h… yes
checking for an ANSI C-conforming const… yes
checking for inline… inline
checking for C/C++ restrict keyword… __restrict
checking for pid_t… yes
checking for size_t… yes
checking whether struct tm is in sys/time.h or time.h… time.h
checking for uint8_t… yes
checking for stdlib.h… (cached) yes
checking for GNU libc compatible malloc… yes
checking for working memcmp… yes
checking for atexit… yes
checking for getcwd… yes
checking for memmove… yes
checking for memset… yes
checking for strcasecmp… yes
checking for strchr… yes
checking for strdup… yes
checking for strerror… yes
checking for strncasecmp… yes
checking for strrchr… yes
checking for strstr… yes
checking for strtol… yes
checking for fchmod… yes
checking for strcasestr… yes
Checking platform… Identified as Linux
checking for libcurl config script… no
configure: *** curl library not found.
configure: NOTE: curl library is only required for building mlogc
configure: NOTE: mlgoc compilation was disabled.
configure: looking for Apache module support via DSO through APXS
configure: error: couldn’t find APXS

Can you please check, Oleg, if there is something missing?
I see some things but I do not have the knowledge to see what is missing and how to get it there.
Thanks already a lot!

Hi

Try to

sudo apt-get install apache2-prefork-dev

Regards, Oleg

Hi Oleg,

That went well :slight_smile:
Can I now continue with where I was “make” ?

Regards!
Allard

I just ask before I destroy something :wink:
We are almost there Oleg!
I hope this will help others too with the same problems

Do not be afraid :slight_smile:

make just creates the library in your source folder.

Regards, Oleg

So sorry Oleg now we get another error:

make: *** No targets specified and no makefile found. Stop.

:frowning:

The contents of the DIR are:

aclocal.m4 CHANGES iis nginx tests
alp2 config.log LICENSE NOTICE tools
apache2 configure Makefile.am README.TXT unicode.mapping
authors.txt configure.ac Makefile.in README_WINDOWS.TXT
autogen.sh doc mlogc stamp-h1
build ext modsecurity.conf-recommended standalone