WAF Stopped Working

Hi Everyone,
I have a weird issue, i had WAF installed and working successfully. A change was made to easy apache and WAF was working but has stopped now. I uninstalled WAF and re-installed it and it worked for like a day but has stopped now!

Under WAF plugin in Cpanel under the Mod Security Configuration i get his below

Custom Mod Security configuration found! It will be updated with values from this screen.
You can find backup of current configuration in: /usr/local/apache/conf/modsec2.conf.custom

WAF is not protecting my server anymore, all updates to WAF still work just does not seem it is working with ModSec anymore. Anyone have any ideas?

Thanks

ttwebhosting

Hi

Custom Mod Security configuration found! It will be updated with values from this screen.
You can find backup of current configuration in: /usr/local/apache/conf/modsec2.conf.custom

This message means plugin found custom changes in mod_security configuration file.
It warns these changes will be lost and replaced by default plugin’s configuration during update of Security Engine settings.
However custom configuration will not be lost and saved in /usr/local/apache/conf/modsec2.conf.custom

Probably your mod_security configuration file /usr/local/apache/conf/modsec2.conf was changed during Easy Apache update.
Original CWAF config file:

LoadFile /opt/xml2/lib/libxml2.so
# LoadFile /opt/lua/lib/liblua.so

<IfModule !mod_security2.c>
  LoadModule security2_module  modules/mod_security2.so
</IfModule>

<IfModule mod_security2.c>
  <IfModule mod_ruid2.c>
    SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
    SecAuditLogType Concurrent
  </IfModule>
  <IfModule itk.c>
    SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
    SecAuditLogType Concurrent
  </IfModule>

  SecRuleEngine On
  SecAuditEngine RelevantOnly
  SecAuditLog /usr/local/apache/logs/modsec_audit.log
  SecDebugLog /usr/local/apache/logs/modsec_debug.log
  SecDebugLogLevel 0
  SecRequestBodyAccess On
  SecDataDir /tmp
  SecTmpDir /tmp
  SecPcreMatchLimit 250000
  SecPcreMatchLimitRecursion 250000
  Include "/var/cpanel/cwaf/etc/cwaf.conf"
</IfModule>

Please check your /usr/local/apache/conf/modsec2.conf and replace it with original one if required (or update config in plugin’s “Security Engine” tab).

We’re investigated this case and found error happen because mod_security configuration file contained syntax error which prevent Apache from starting.
Wrong lines was added during easy Apache update. Apache config was not tested after changes, nor Apache was restarted.

Trying to save custom user changes CWAF Plugin adds wrong lines to mod_security configuration and Apache wasn’t able to start due wrong config.
We plan to fix this behavior by restoring default mod_security configuration. Fixed version of plugin will be available soon.