Hits List Empty

Hi,

I just checked the ModSecurity Tools in cPanel to see the attack attempts on a busy server. However, I see:

“Hits list empty.”

There’s no way there haven’t been any recent hits. How can I troubleshoot?

Thanks,

Mark

Hello,
Just try to open the link ‘http://you-virrtual-host/?a=b AND 1=1’ in a browser.

You should get an “error 403” and a record in the Hits list.

Hi,

I had already done similar tests and I did get the 403 error as expected. But the hits list remains empty. We see this on multiple servers while others show entries in the hits list.

Thanks,

Mark

A similar situation occurred with cPanel ModSecurity Tools and LiteSpeed.

Please tell me what kind of web server you use.

We use Apache with the mod_lsapi Apache module from CloudLinux (which is based on the open source core of LiteSpeed). So, even though we are running Apache, I wonder if this module is causing the issue.

Is there a solution?

Thanks,

Mark

It’s possible that your Apache build is not fully compatible with cPanel ModSecurity™ Tools.
Please check the log level in your configuration files. It should be similar to this:

$VH_ROOT/logs/lsws.error.log NOTICE

If logLevel is NOTICE, mod_security activity should be visible in the log and, correspondingly, in the Hits List.
Also check your modsec_audit.log.

Thank you. I will pass this info on to CloudLinux in case it is helpful too.

Also, on a cPanel server, which config file should this be located in (Apache vs. mod_security)?

Thanks.

Also, the test you mentioned (just try to get link ‘http://you-virrtual-host/?a=b AND 1=1’ with browser.) does not result in a 403.

So at this point I’m not even sure if it’s just a logging error or if CWAF just isn’t working at all? Are there any other tests you recommend, to be sure whether the protection is actually in place?

The configuration file I wrote about above is related to LiteSpeed.
But you said that you use Apache.
Please run:

ps axu | grep httpd

If you get:
root 6889 0.0 1.6 57188 31020 ? S Jul30 0:20 litespeed (lshttpd)
root 6890 0.0 0.0 6392 504 ? S Jul30 0:02 httpd (lscgid)
nobody 6891 0.0 1.5 73260 29956 ? Sl Jul30 0:47 litespeed (lshttpd)
nobody 6892 0.0 1.6 139216 31384 ? Sl Jul30 0:47 litespeed (lshttpd)
root 7648 0.0 0.0 112640 960 pts/2 R+ 11:32 0:00 grep --color=auto httpd
you use LiteSpeed,
if you get:
daemon 1852 0.0 0.1 185152 3372 ? S Jul21 0:00 /usr/sbin/httpd
root 19494 0.0 2.5 421404 68960 ? Ss Jul30 0:03 /usr/sbin/httpd
daemon 20322 0.0 2.1 318692 58884 ? S 03:48 0:00 /usr/sbin/httpd
daemon 20324 0.0 3.1 753284 84876 ? Sl 03:48 0:05 /usr/sbin/httpd
daemon 20352 0.0 3.1 753284 84596 ? Sl 03:48 0:05 /usr/sbin/httpd
you use Apache.
For Apache, the config files are in /usr/local/apache/conf.
ModSecurity configuration: modsec2.conf. Recommended config:

#########################################################
<IfModule !mod_unique_id.c>
LoadModule unique_id_module /etc/httpd/modules/mod_unique_id.so
</IfModule>

<IfModule !mod_security2.c>
LoadModule security2_module /etc/httpd/modules/mod_security2.so
</IfModule>

SecAuditLogStorageDir /var/log/httpd/modsec_audit
SecAuditLogType Concurrent

SecRuleEngine On
SecAuditEngine On
SecAuditLog /var/log/httpd/modsec_audit.log
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecRequestBodyAccess On
SecDataDir /tmp
SecTmpDir /tmp
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
Include "/usr/local/cwaf/etc/cwaf.conf"

#########################################################
where
SecAuditLog /var/log/httpd/modsec_audit.log
SecDebugLog /var/log/httpd/modsec_debug.log
are the paths to the log files.
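The two checks from the reply above (which server is actually running, and whether modsec2.conf still has the directives the Hits List depends on), written up as an added Python example that is not code from the thread, from cPanel or from Comodo. The ps lines are the ones posted in the thread; the two config samples are constructed, and the file paths and the probe hostname are assumptions.

```python
"""Added example, not from the thread, cPanel or Comodo: classify_server()
tells LiteSpeed from Apache in `ps axu` text and check_modsec_conf() audits a
modsec2.conf for the directives that must be set before any request can reach
the Hits List. Samples are constructed; paths are assumptions."""
import re

# A Sec* directive and its value. Several may sit on one line, as in the
# run-together line posted in the thread, so this is applied with finditer().
DIRECTIVE = re.compile(r'(?:^|\s)(Sec[A-Za-z]+)\s+("[^"]*"|\S+)')
# Directives that should occur once: Apache keeps the last occurrence, and a
# silent duplicate makes the effective value hard to see when debugging.
SINGLETON = ("SecRuleEngine", "SecAuditEngine", "SecAuditLog",
             "SecAuditLogType", "SecAuditLogStorageDir")


def classify_server(ps_output):
    """Return 'litespeed', 'apache' or 'none' for `ps axu`-style text.
    LiteSpeed is tested first because its lscgid helper is listed as
    'httpd (lscgid)'; the grep process itself is dropped so a bare
    `grep httpd` match never counts as a server."""
    lines = [l for l in ps_output.splitlines() if " grep " not in l]
    if any("litespeed (lshttpd)" in l for l in lines):
        return "litespeed"
    if any(re.search(r"(/usr/sbin|/usr/local/apache/bin)/httpd\b", l) for l in lines):
        return "apache"
    return "none"


def directives(conf_text):
    """Yield (name, value) for every Sec* directive; full-line comments skipped."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for m in DIRECTIVE.finditer(line):
            yield m.group(1), m.group(2).strip('"')


def check_modsec_conf(conf_text):
    """Return a list of problem strings; an empty list means the chain
    request -> rule -> audit log that the Hits List is built from is intact."""
    seen, counts = {}, {}
    for name, value in directives(conf_text):
        seen[name] = value                       # last one wins, as in Apache
        counts[name] = counts.get(name, 0) + 1
    problems = []
    if seen.get("SecRuleEngine") != "On":
        problems.append(f"SecRuleEngine is {seen.get('SecRuleEngine', 'unset')}: "
                        "requests are not blocked (expected On)")
    if seen.get("SecAuditEngine") not in ("On", "RelevantOnly"):
        problems.append(f"SecAuditEngine is {seen.get('SecAuditEngine', 'unset')}: "
                        "no audit log is written (expected On or RelevantOnly)")
    if "SecAuditLog" not in seen:
        problems.append("SecAuditLog is unset: no audit log for the Hits List parser to read")
    if seen.get("SecAuditLogType") == "Concurrent" and "SecAuditLogStorageDir" not in seen:
        problems.append("SecAuditLogType Concurrent needs SecAuditLogStorageDir")
    for name in SINGLETON:
        if counts.get(name, 0) > 1:
            problems.append(f"{name} appears {counts[name]} times: remove the duplicate "
                            "so the effective value is obvious")
    return problems


def probe_waf(host, timeout=5.0):
    """Send the thread's test request with the space URL-encoded (a raw space
    gives a malformed request line, not a rule match) and return the HTTP
    status; 403 means some rule fired. Needs network, so the demo below does
    not call it. Confirm which rule by its id in modsec_audit.log."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(f"http://{host}/?a=b%20AND%201=1", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed samples: the ps lines as posted in the thread, one clean config
# and one carrying the mistakes a hits-less server tends to have.
LITESPEED_PS = """root 6889 0.0 1.6 57188 31020 ? S Jul30 0:20 litespeed (lshttpd)
root 6890 0.0 0.0 6392 504 ? S Jul30 0:02 httpd (lscgid)
nobody 6891 0.0 1.5 73260 29956 ? Sl Jul30 0:47 litespeed (lshttpd)
root 7648 0.0 0.0 112640 960 pts/2 R+ 11:32 0:00 grep --color=auto httpd"""
APACHE_PS = """root 19494 0.0 2.5 421404 68960 ? Ss Jul30 0:03 /usr/sbin/httpd
daemon 20322 0.0 2.1 318692 58884 ? S 03:48 0:00 /usr/sbin/httpd
root 7648 0.0 0.0 112640 960 pts/2 R+ 11:32 0:00 grep --color=auto httpd"""
GOOD_CONF = """<IfModule !mod_security2.c>
LoadModule security2_module /etc/httpd/modules/mod_security2.so
</IfModule>
SecAuditLogStorageDir /var/log/httpd/modsec_audit
SecAuditLogType Concurrent
SecRuleEngine On
SecAuditEngine On
SecAuditLog /var/log/httpd/modsec_audit.log
Include "/usr/local/cwaf/etc/cwaf.conf"
"""
BROKEN_CONF = """# DetectionOnly logs but never blocks, so the test request gets no 403
SecRuleEngine DetectionOnly
SecAuditEngine Off
SecAuditLogStorageDir /var/log/httpd/modsec_audit SecAuditLogType Concurrent SecAuditLogStorageDir /var/log/httpd/modsec_audit SecAuditLogType Concurrent
SecAuditLog /var/log/httpd/modsec_audit.log
"""

if __name__ == "__main__":
    print("litespeed sample:", classify_server(LITESPEED_PS))
    print("apache sample:   ", classify_server(APACHE_PS))
    for label, conf in (("good", GOOD_CONF), ("broken", BROKEN_CONF)):
        print(f"{label} config: {check_modsec_conf(conf) or ['no problems']}")
```

Run it as-is to see the two ps samples classified and the broken config flagged four times (engine in DetectionOnly, audit engine off, and two duplicated directives); to check a real server, feed it the output of `ps axu` and the contents of /usr/local/apache/conf/modsec2.conf, then call probe_waf() against a virtual host and look the returned status up in modsec_audit.log.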

Sorry for the confusion, we actually kind of run both! We run Apache but we use mod_lsapi, an Apache module built on the LiteSpeed API.

The output shows Apache, though.

The problem seems to be going away with an update from CloudLinux, fortunately.

Hmm, the issue is back on one server. What could be causing this? I’m assuming it’s some glitch in the plugin architecture. Should we just switch to the cPanel vendor approach?

Hi

I’m sure this will not help.
As far as I know, the ModSecurity™ Hits List is created by some cPanel software which analyzes and parses the Apache mod_security logs.

So this stopping of logging in the Hits List can be caused by:

  • Changes in Apache’s log format (did you make changes to the mod_security logging options recently?)
  • Changes in the cPanel log analyzer software, or
  • Changes in some of the system components used by mod_security/cPanel to produce/parse logs (libraries etc.)

Regards, Oleg

Please check if ‘Audit Log Type’ is set to ‘Serial’ in the Security Engine tab.
This can also lead to problems with the Hits List in ModSecurity™ Tools.

Regards, Oleg
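The last two replies come down to one point: the Hits List is whatever cPanel's parser can recover from the mod_security audit log, so the log's layout and the Audit Log Type setting decide what shows up. As an added example, not code from the thread, cPanel or Comodo, here is a small reader for the serial audit log format (SecAuditLogType Serial, everything in one file): it splits the file on the `--<id>-<letter>--` part boundaries, pulls out the fields a hits view shows, skips transactions no rule complained about, and copes with a trailing entry that Apache is still writing. The log it runs on is constructed; the unique ids, the rule id 999001 and its message are placeholders, not real CWAF identifiers.

```python
"""Added example, not from the thread, cPanel or Comodo: a reader for the
serial ModSecurity audit log that yields the records a Hits List is built
from. The sample log is constructed; ids and messages are placeholders."""
import re

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A = re.compile(r"^\[([^\]]+)\]\s+(\S+)\s+(\S+)\s+(\d+)")
RULE_ID = re.compile(r'\[id "([^"]+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]+)"\]')


def split_transactions(log_text):
    """Yield (audit_id, {letter: text}) per entry. An entry is closed by its
    Z part; a trailing entry without one (still being written by Apache) is
    yielded with the parts it has so far rather than lost."""
    marks = list(BOUNDARY.finditer(log_text))
    parts, audit_id = {}, None
    for i, m in enumerate(marks):
        audit_id, letter = m.group(1), m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log_text)
        if letter == "Z":
            yield audit_id, parts
            parts = {}
        else:
            parts[letter] = log_text[m.end():end].strip("\n")
    if parts:
        yield audit_id, parts


def _rule(message_line):
    """(rule id, msg text) from an H-part 'Message:' line; id may be absent."""
    rid, msg = RULE_ID.search(message_line), RULE_MSG.search(message_line)
    return (rid.group(1) if rid else None, msg.group(1) if msg else message_line)


def hits(log_text):
    """Return one record per transaction in which a rule wrote a Message:
    line. With SecAuditEngine On every request is logged, so entries whose H
    part has no Message: are plain traffic and are skipped."""
    records = []
    for audit_id, parts in split_transactions(log_text):
        messages = [l for l in parts.get("H", "").splitlines() if l.startswith("Message:")]
        if not messages:
            continue
        a = PART_A.match(parts.get("A", ""))
        first_b = parts.get("B", "").splitlines()[:1]   # request line
        first_f = parts.get("F", "").splitlines()[:1]   # status line
        records.append({
            "audit_id": audit_id,
            "time": a.group(1) if a else None,
            "client": a.group(3) if a else None,
            "request": first_b[0] if first_b else None,
            "status": int(first_f[0].split()[1]) if first_f else None,
            "rules": [_rule(m) for m in messages],
            "blocked": any(m.startswith("Message: Access denied") for m in messages),
        })
    return records


# Constructed serial audit log: a clean request, the thread's test request
# blocked by a placeholder rule, and a third entry cut off mid-write.
SAMPLE_LOG = """--a1b2c3d4-A--
[07/Aug/2015:11:30:02 +0000] VcVrOn8AAAEAAE@AqzkAAAAA 203.0.113.9 50412 198.51.100.7 80
--a1b2c3d4-B--
GET / HTTP/1.1
Host: example.com
User-Agent: constructed-sample

--a1b2c3d4-F--
HTTP/1.1 200 OK
Content-Type: text/html

--a1b2c3d4-H--
Stopwatch: 1438946402000000 1234 (- - -)
Server: Apache

--a1b2c3d4-Z--

--b2c3d4e5-A--
[07/Aug/2015:11:32:10 +0000] VcVs2n8AAAEAAE@Bq6sAAAAA 203.0.113.5 51234 198.51.100.7 80
--b2c3d4e5-B--
GET /?a=b%20AND%201=1 HTTP/1.1
Host: example.com
User-Agent: constructed-sample

--b2c3d4e5-F--
HTTP/1.1 403 Forbidden
Content-Length: 204

--b2c3d4e5-H--
Message: Access denied with code 403 (phase 2). Pattern match "AND [0-9]+=[0-9]+" at ARGS:a. [file "/usr/local/cwaf/rules/sample.conf"] [line "1"] [id "999001"] [msg "constructed sample: SQL injection"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1438946530000000 2345 (- - -)
Server: Apache

--b2c3d4e5-Z--

--c3d4e5f6-A--
[07/Aug/2015:11:32:11 +0000] VcVs238AAAEAAE@Bq7AAAAAA 203.0.113.5 51235 198.51.100.7 80
--c3d4e5f6-B--
GET /favicon.ico HTTP/1.1
Host: example.com
"""

if __name__ == "__main__":
    for r in hits(SAMPLE_LOG):
        print(r["time"], r["client"], r["status"], r["request"], r["rules"], r["blocked"])
```

Pointing hits() at a real modsec_audit.log is the quickest way to settle the question Mark asks earlier in the thread: if the test request produces a record with a 403 and an Access denied message, the WAF is blocking and only the Hits List side is broken; if the file gains an entry without any Message: line, the request reached Apache but no rule fired; if nothing is appended at all, SecAuditEngine is not writing. With SecAuditLogType Concurrent the same part layout is used, but each transaction lands in its own file under SecAuditLogStorageDir and SecAuditLog becomes an index, so the per-file contents can be fed to split_transactions() one at a time.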