Hi, there was a Facebook post for a new product called WAF, Web Application Firewall.
I have called Sales, and tried to log in and register for this product, but I cannot get on to the site. I know, it being the holidays and this being a very new product (Sales had not heard of it), that there still may be issues with registering and such.
Any help on how I can get my hands on this new product would be very helpful. The advertised URL is https://waf.comodo.com/
One last thing, sorry, does anyone know anything about this new product, other than what is said on the web site? We run Apache, is there really any other choice…
Just so I understand it correctly. There are two firewalls that get supported by one rule system. WAF is still alive after having been reworked to have Mod-Security type of signature/rule generation.
I tried to install the CWAF cPanel Plugin on a fresh cPanel server last night but had some problems.
I managed to solve them with some code editing, so I thought I'd mention the changes I made here, so that they can be fixed in future versions.
Documentation doesn’t mention that some particular Perl modules are required for the installer to work.
JSON, JSON::XS, and Crypt::SSLeay are not installed by default on a fresh cPanel server, so one has to install them by hand.
A small how-to would be nice.
After installation completes, the plugin won’t load due to AppConfig restrictions. You either need to disable AppConfig checks from Tweak Settings or create your own .conf file to register the application.
I created a new file named: /var/cpanel/apps/addon_cwaf.conf
with the following contents:
# name
name=addon_cwaf
# Service that will serve this app
service=whostmgr
# Physical path: /usr/local/cpanel/3rdparty/Foo.php
# Literal URL path: $server:$port/$cpsession/3rdparty/Foo.php
url=/usr/local/cpanel/whostmgr/docroot/cgi/addon_cwaf.cgi
# System user to run process as
user=root
# Required acls
acls=any
# Display name as show in the service ui
displayname=addon_cwaf
and ran: /usr/local/cpanel/bin/register_appconfig /var/cpanel/apps/addon_cwaf.conf
Now that the application is registered with AppConfig, it won’t load:
Software error:
Can't locate Comodo/CWAF/Cpanel.pm in @INC (@INC contains: /usr/local/cpanel /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/cpanel/whostmgr/docroot/cgi/addon_cwaf.cgi line 23.
BEGIN failed--compilation aborted at /usr/local/cpanel/whostmgr/docroot/cgi/addon_cwaf.cgi line 23.
To fix this I added the following line to /usr/local/cpanel/whostmgr/docroot/cgi/addon_cwaf.cgi
BEGIN { unshift @INC, '/var/cpanel/cwaf/modules'; }
after line 1.
Now the plugin loads fine, but we haven’t got any rules yet. Let’s click the “Update Rules” button… unfortunately nothing shows up in the Updater Status window.
To fix this I went into /var/cpanel/cwaf/scripts/updater.pl and replaced the first line (#!/usr/bin/perl) with:
#!/bin/sh
# Re-exec under cPanel's bundled Perl when it exists, otherwise under the system Perl.
eval 'if [ -x /usr/local/cpanel/3rdparty/bin/perl ]; then exec /usr/local/cpanel/3rdparty/bin/perl -x -- $0 ${1+"$@"}; else exec /usr/bin/perl -x $0 ${1+"$@"}; fi;'
if 0;
#!/usr/bin/perl
BEGIN { unshift @INC, '/var/cpanel/cwaf/modules'; }
and the rules start to download.
The first time I clicked “Update Rules” the latest ruleset got downloaded (v0.30 as of writing).
However there are two problems:
a) the ownership of the /var/cpanel/cwaf/rules folder and files inside has been altered and is now owned by 1011:users
b) if I click the “Update Rules” button again, it will download some random other version of the rules - and overwrite v0.30 potentially even breaking Apache.
“Configuration” Tab
If I go to the Configuration tab, I can see that the Debug log is “utils.log”. Now if for example I move the Debug slider to the right, say to “5”, hit “Update Config”, and reload the app, the Debug log filename is gone. And I can’t get it back anymore either. The only way is to edit /var/cpanel/cwaf/etc/main.conf
The Excludes editor does not work. I can add a rule, but clicking the “Save configuration” button does nothing.
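The ownership change reported in (a) above matters because Apache reads these rule files through the Include line while it starts as root, so the tree should stay owned by root and not be group- or world-writable. The audit below is an added example, not part of the original post or of Comodo's scripts; the expected owner (uid 0) and the function names are assumptions, and the path in the usage comment is the one from the post.

```shell
#!/bin/sh
# Added example: audit a ModSecurity rules tree after an update run.
# Usage (as root): sh audit_rules.sh /var/cpanel/cwaf/rules 0

# audit_rules_dir DIR [EXPECTED_UID]
# Prints one "reason<TAB>path" line per finding.
# Returns 0 if clean, 1 if there are findings, 2 if DIR does not exist.
audit_rules_dir() {
    dir=$1
    want_uid=${2:-0}          # assumption: rules should be owned by root
    if [ ! -d "$dir" ]; then
        printf 'missing\t%s\n' "$dir"
        return 2
    fi
    findings=$(
        # Anything not owned by the expected uid (e.g. 1011 after an update).
        find "$dir" ! -user "$want_uid" -exec printf 'owner\t%s\n' {} \;
        # Anything group- or world-writable; symlink modes are meaningless.
        find "$dir" ! -type l \( -perm -0020 -o -perm -0002 \) \
            -exec printf 'writable\t%s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# count_findings DIR [EXPECTED_UID]: prints the number of findings.
count_findings() {
    { audit_rules_dir "$1" "${2:-0}" || true; } | wc -l | tr -d ' '
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_rules_dir "$@"
fi
```

Running it before and after clicking “Update Rules” shows whether the updater changed ownership or modes on that run.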
First of all, thank you very much for the feedback. We will most definitely take all this in and improve and release another version. With each version the product will get better.
Please work with us so that the whole community can benefit from the good work you do.
From your description it is clear that the CWAF plugin is not working correctly. Please provide us with more information about your server so we can review and fix these issues:
cPanel version and operating system version.
Did you use our installation script (“cwaf_client_install.sh”) to install the cPanel plugin and check all system dependencies?
If so, have you got some console output of this script?
Could you please provide us with information from the cPanel error log (“/usr/local/cpanel/logs/error_log”) for the period of time during which you tried to use our plugin?
The first time I ran it I received a message that I needed to install some Perl modules: JSON, JSON::XS and Crypt::SSLeay.
I did so from within WHM, and then tried to run the script again. This time it worked and I was prompted to choose between the cPanel plugin or Standalone scripts (option 1 or 2). I entered 1 and the installation continued until I got prompted to enter my CWAF username/password. Finally the installation finished and I had to enter:
Second attempt after having installed the perl modules:
root@hydrogen [~]# bash cwaf_client_install.sh
Choose type of installation:
1) Cpanel installation
2) Standalone scripts
Choose [1|2]: 1
Try to install scripts for CPANEL
Enter CWAF connection data
--------------------------
Enter CWAF user: xxxxxx@xxxxxxx
Enter CWAF password: xxxxxxx
Run this command to load mod_security module & load rules:
echo "Include \"/var/cpanel/cwaf/etc/cwaf.conf\" ">>/usr/local/apache/conf/modsec2.conf
And reload Apache HTTPD.
Installation complete!
Thank you Vadim, great to know! We’re really excited about the new release.
cPanel changed a lot of stuff since v11.36 regarding WHM plugins in terms of Perl support and security (AppConfig) so all those errors are not really your fault. You just need to make it compatible with the new way cPanel handles plugins.