ModSecurity Changes

cPanel recently released EasyApache 3.16. This version of EasyApache ships an updated version of ModSecurity that introduces an important change to Rule IDs, which will affect any custom or third-party rules you load.

In addition to the Rule ID change, a second ModSecurity change that affects directive names will be incorporated into EasyApache 3.18.

Unique Rule IDs are mandatory

Every rule must now have a Rule ID, and the ID must be unique across your whole ruleset. When EasyApache runs, it tries to automatically assign unique Rule IDs to any existing rules that do not already have one. However, you will need to manually check your ruleset to confirm that there are no Rule ID conflicts or syntactical errors, and if you also load a third-party ruleset, pick IDs outside the range that ruleset uses so the two never collide.

Also, if you automatically download and import rulesets into ModSecurity on a schedule, EasyApache will not check those rules for Rule ID conflicts or syntactical errors. If a third-party ruleset contains a Rule ID conflict or a syntactical error, ModSecurity will fail to load and Apache will not start.

The following is an example of a rule that does not contain a Rule ID:

SecRule REMOTE_ADDR "^127.0.0.1$" "nolog,allow"
SecAction "phase:2,pass,nolog"

You will see an error similar to the following:

1. Critical Error: No Rule ID

Syntax error on line XX of /some/config/file.conf:
ModSecurity: No action id present within the rule

The following is the same rule that has been changed to include a unique Rule ID:

SecRule REMOTE_ADDR "^127.0.0.1$" "nolog,allow,id:1234123455"
SecAction "phase:2,pass,nolog,id:1234123456"

However, if the Rule ID duplicates another Rule ID, you will see:

2. Critical Error: Duplicate Rule ID

Syntax error on line XX of /some/config/file.conf:
ModSecurity: Found another rule with the same id

Configuration directive changes

Six configuration directives have been renamed to use the word “Hash” instead of “Encryption”, and the change is not backwards-compatible: ModSecurity no longer recognizes the old names.

EasyApache will try to convert all references within your existing ruleset from “Encryption” to “Hash.” However, if you automatically download and import rulesets into ModSecurity on a schedule, EasyApache will not check those rules for the deprecated term “Encryption.” ModSecurity no longer supports the deprecated term, so a rule that still uses it will make ModSecurity fail to load, which in turn makes Apache fail to start.

The following is an example of a rule that uses the deprecated term “Encryption”:

# Validates requested URI that matches a regular expression.
SecRule REQUEST_URI "@validateEncryption product_info|product_list" "phase:1,deny,id:123456"

You will see an error similar to the following:

Syntax error on line XX of /usr/local/apache/conf/modsec2.conf:
Invalid command '@validateEncryption', perhaps misspelled or defined by a module not included in the server configuration

The following is the same rule changed to use the new term “Hash”:

# Validates requested URI that matches a regular expression.
SecRule REQUEST_URI "@validateHash product_info|product_list" "phase:1,deny,id:123456"

——-

These two changes are important because ModSecurity now treats any rule it cannot process as a fatal error: ModSecurity fails to load and Apache does not start. This is a change from ModSecurity’s previous behavior, which was to log a warning for the bad rule but allow Apache to start successfully.
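Because a scheduled ruleset download is not checked by EasyApache and a single bad rule now stops Apache, it is worth running a preflight check over the downloaded files before restarting. The script below is an added example, not code from cPanel, EasyApache or the ModSecurity project. It joins backslash-continued lines the way Apache's config reader does, then reports rules without an `id`, duplicate IDs across all files checked, the old `Encryption` spelling (the `Sec*Encryption*` directives and `@validateEncryption`, renamed to `*Hash*`), and unbalanced quotes; it also offers a function that rewrites the old spelling to the new one. The sample ruleset embedded in it is constructed for illustration (it includes the rules from this post), the `SAMPLE_CONF`, `check_ruleset`, `modernize_hash_directives` and `check_tree` names are this example's own, and the chained-rule handling (only the chain starter carries the ID) reflects ModSecurity 2.7 behavior. It is a line-oriented approximation of ModSecurity's parser, so `apachectl -t` (or `httpd -t`) remains the authoritative check.

```python
"""Preflight check for a ModSecurity ruleset before Apache is restarted.

Reports SecRule/SecAction without an id, duplicate ids (shared across every
file checked), the pre-2.7 "Encryption" spelling of the hash-engine directives
and operator, and unbalanced quotes. Approximation only: `apachectl -t` is the
authoritative check.
"""
import re
import shlex
import sys
from pathlib import Path

# id:123 or id:'123' at the start of the action list or after a comma
ID_RE = re.compile(r"(?:^|,)\s*id:'?(\d+)'?")
# a bare `chain` action: the next SecRule belongs to this chain
CHAIN_RE = re.compile(r"(?:^|,)\s*chain\s*(?:,|$)")
# Sec*Encryption* directives and @validateEncryption, renamed to *Hash* in 2.7
DEPRECATED_RE = re.compile(r"(\bSec\w*|@validate)Encryption(\w*)\b")

# Constructed sample (not a real cPanel or CRS file): the post's own examples,
# a chained rule that reuses an id, and an unterminated string.
SAMPLE_CONF = "\n".join([
    "# constructed sample ruleset",
    'SecRule REMOTE_ADDR "^127\\.0\\.0\\.1$" "nolog,allow"',
    'SecAction "phase:2,pass,nolog,id:1234123456"',
    'SecRule REQUEST_URI "@validateEncryption product_info|product_list" "phase:1,deny,id:123456"',
    'SecRule REQUEST_FILENAME "@beginsWith /admin" \\',
    '    "id:1234123456,phase:1,deny,chain"',
    '    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8"',
    'SecRule ARGS "@rx select" "id:\'999\',phase:2,deny',
]) + "\n"


def logical_lines(text):
    """Yield (first_line_number, text) with backslash-continued lines joined,
    roughly as Apache's config reader does before ModSecurity sees them."""
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)


def check_ruleset(text, name="ruleset.conf", seen_ids=None):
    """Return [(line_number, message), ...] for one file. Pass the same
    `seen_ids` dict for every file of a ruleset to catch cross-file duplicates."""
    problems = []
    seen = {} if seen_ids is None else seen_ids
    chained = False  # True while the previous rule ended with `chain`
    for number, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        for match in DEPRECATED_RE.finditer(line):
            new_name = match.expand(r"\1Hash\2")
            problems.append((number, f"deprecated {match.group(0)}; use {new_name}"))
        try:
            tokens = shlex.split(line)
        except ValueError as exc:  # unbalanced quotes and the like
            problems.append((number, f"syntax error: {exc}"))
            chained = False
            continue
        if not tokens or tokens[0] not in ("SecRule", "SecAction"):
            continue
        # SecAction "actions"   |   SecRule VARIABLES "operator" ["actions"]
        wanted = 2 if tokens[0] == "SecAction" else 4
        actions = tokens[wanted - 1] if len(tokens) >= wanted else ""
        found = ID_RE.search(actions)
        if chained:
            # Only the chain starter carries the id; ModSecurity 2.7 rejects
            # metadata actions such as id on the rules that follow it.
            if found:
                problems.append((number, "id is only allowed on the first rule of a chain"))
        elif found is None:
            problems.append((number, "No action id present within the rule"))
        elif found.group(1) in seen:
            problems.append((number, f"Found another rule with the same id "
                                     f"{found.group(1)} (first at {seen[found.group(1)]})"))
        else:
            seen[found.group(1)] = f"{name}:{number}"
        chained = bool(CHAIN_RE.search(actions))
    return problems


def modernize_hash_directives(text):
    """Rewrite the deprecated "Encryption" spelling to "Hash"; returns the new text."""
    return DEPRECATED_RE.sub(r"\1Hash\2", text)


def check_tree(root):
    """Check every *.conf under `root` against one shared id table."""
    seen, report = {}, []
    for path in sorted(Path(root).rglob("*.conf")):
        for number, msg in check_ruleset(path.read_text(errors="replace"), str(path), seen):
            report.append(f"{path}:{number}: {msg}")
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:  # directory holding the downloaded ruleset
        report = check_tree(sys.argv[1])
    else:
        report = [f"sample:{n}: {m}" for n, m in check_ruleset(SAMPLE_CONF, "sample")]
    print("\n".join(report) or "no problems found")
    sys.exit(1 if report else 0)
```

Run it with the directory that receives the downloaded ruleset as its only argument and gate the Apache restart on a zero exit status; with no argument it checks the embedded sample and reports the missing ID, the deprecated operator, the duplicate ID and the unterminated string. Note that the duplicate check only sees the files you pass it, so point it at every directory ModSecurity includes, not just the freshly downloaded one.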

For more information, read the ModSecurity Page.

Posted in: News, Security