This week customers with Moodle script cannot load their webpages anymore because they get error that the webserver is: Protected by COMODO WAF!
HTTP/1.1 200 OK
Date: Fri, 10 Apr 2015 12:29:46 GMT
Server: Protected by COMODO WAF
Last-Modified: Fri, 21 Nov 2014 09:33:01 GMT
ETag: “2d81d54-f7-5085b21892a6d”
Accept-Ranges: bytes
Content-Length: 247
Content-Type: text/html
When we are checking other servers they are not changed:
HTTP/1.1 200 OK
Date: Fri, 10 Apr 2015 12:29:52 GMT
Server: Apache
Last-Modified: Tue, 29 Apr 2014 12:29:31 GMT
Accept-Ranges: bytes
Content-Length: 247
Strict-Transport-Security: max-age=15768000; includeSubDomains
Content-Type: text/html
How did this happend? And how can we make it so the server respond to Apache and not Protected by Comodo WAF??
Looks like false positive.
Please check modsec_audit.log file (located at /usr/local/apache/logs/modsec_audit.log for cPanel) and add suspicious rule IDs to exclude list
(In plugin Catalog - Search by rule ID - turn off)
So far I found following rules related to Moodle: 220480, 221560, 221570
“Protected by COMODO WAF” is SecServerSignature which added to server response in new ruleset.
It have no relation to issue.
The problem on moodle is really the SecServerSignature. Moodle looks at the server name, and the SecServerSignature change the server name from apache to “protected by COMODO WAF”, which is unknown to Moodle. Use SecServerSignature to change server name, was not a good idea, when we’ve moodle installed.
This only happens on Moodle.
Yes, to disable custom server signature open file 00_Init_Initialization.conf in favorite editor, add comment - # before line
SecServerSignature "Protected by COMODO WAF"
so it turned to
# SecServerSignature "Protected by COMODO WAF"
save file and reload Apache.
File located at /var/cpanel/cwaf/rules/00_Init_Initialization.conf for cPanel plugin /usr/local/apache/conf/modsec_vendor_configs/comodo_apache/00_Init_Initialization.conf for cPanel Vendor /usr/local/cwaf/rules/00_Init_Initialization.conf for Plesk/DirectAdmin plugin
I warned rule-writers team about this issue.
We need to invent some way to turn off SecServerSignature for Moodle users.
For example include it in mod_security confing instead of rules and make it turnable from plugin interface.
Ok, great.
But we still want to fix our server so it uses Apache server signature instead of Comodo WAF.
My tech said:
Unfortunately this will need to be corrected by Comodo WAF script or the Moodle
script itself in script where it is detecting Server signature.
We can lock the file permissions by not allowing any changes to it, however
that will prevent updates of CWAF and most likely cause other issues.
Can we lock that file without causing problems on future updates on WAF?
We have around 60 servers and 5 of them are “Protected by COMODO WAF”.
Why is only 5 and not all? Litespeed servers are fine. Can it have anything to do with Apache version maybee?
No need to lock file.
We have removed SecServerSignature from today’s rules update.
It will be later added in client mod_security config and can be turned off.
About limited amount of servers affected by directive… Can it be cause of this? (Excerpt from mod_security manual)
In order for this directive to work, you must set the Apache ServerTokens directive to Full. ModSecurity will overwrite the server signature data held in this memory space with the data set in this directive. If ServerTokens is not set to Full, then the memory space is most likely not large enough to hold the new data we are looking to insert.
