cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

modsec compatability with caching and Mod_ruid2 and mpm_itk

sonicthoughts shared this idea 5 years ago
Not Planned

Modsec is defacto method of security. Needs to support Mod_ruid2 and mpm_itk but documentation claims it does not: https://documentation.cpanel.net/display/EA4/Apache+Module%3A+ModSecurity#ApacheModule:ModSecurity-Mod_ruid2andmpm_itk . Note in EA3 mpm_itk is not supported with apache 2.4

Best Answer
photo

Hey all! It looks like my update here was lost in our data loss earlier this year. Unfortunately, we were unable to resolve the security issues that caused us concern in this, so we're back to square one on it. If that changes, we'll be back here with more updates.

Comments (7)

photo
1

I'm going through some of our historical requests and wanted to clarify this one a bit. This is currently a limitation in ModSecurity, which isn't managed by cPanel. We have considered getting our hands into it, but we haven't seen enough of a need for us to devote resources to it at this time. Here's a quick breakdown of how one might solve the problems that ModSec has when using any of the per-user MPMs, though we don't have this on our roadmap at this time:


https://forums.cpanel.net/threads/mod-ruid-2-and-modsecurity.385712/page-2#post-1682052

photo
1

This is a fix. @benny - please lets try and solve this. I think it is a very common scenario. see: https://github.com/SpiderLabs/ModSecurity/issues/712#issuecomment-48206694

photo
1

Hey there! Thanks for that. It looks like this forum thread outlines the reasons that we're not considering that particular solution at this time.

photo
1

Out of curiosity, has the status of this issue changed with the release of v.58? I did notice that no alerts or notices were thrown in my EA4 instance when installing ITK alongside Modsecurity2 this week...

photo
1

Hey there! We've allowed them to be installed together, but the DBM and caching issues remain a problem. As such this request wouldn't be considered resolved, but I have adjusted it to "Not planned", because at this time cPanel doesn't have the ability to provide a secure, robust, viable and long-term solution to this problem.

photo
1

the release notes say that they are not allowed together: https://documentation.cpanel.net/display/EA4/Current+Status+of+EasyApache+4#CurrentStatusofEasyApache4-ModSecModRUID2 . SOOO CONFUSING :)

photo
1

Good catch! That's the Current-Status documentation, and I'll make sure that gets updated.

photo
1

Thanks @benny I think you are awesome. I think modsec is a fantastic tool and Cp has integrated it well. With the push for security it is soooo ironic that whoever made this decision is forcing people to disable modsec IN THE NAME OF SECURITY! modsec is super important and this is an edge case. Let's please use reason and solve this important problem. Thx

photo
2

I contacted Felipe Zimmerle the lead developer at SpiderLabs who is really open to helping resolve this and collaborate with CPANEL. He wants to know the best developer contact. He is also tracking the issues specifically for CPANEL: https://github.com/SpiderLabs/ModSecurity/labels/CPANEL%20itk . I think you should also connect about modesec 3. I will cross post in forum but please get this in the right hands. I'm doing my best as a customer to help and I think this is a really big issue (ie. people disabling modsec so they can run modruid2 or itk) for the community.

photo
1

Hi,


Again, we are not disabling ModSec if they are using RUID2. We are not going to use ModSec 3, because it is not ready for production environments. Once ModSec gets these fixes into public, production ready builds, we will then upgrade.

photo
1

Hey everyone! We're starting to work on this internally again. Our security team is on top of keeping things done in the most secure way, and our EA team is on top of getting this as usable as possible. Once there's something tangible to share we'll be back!

photo
1

Hey all! It looks like my update here was lost in our data loss earlier this year. Unfortunately, we were unable to resolve the security issues that caused us concern in this, so we're back to square one on it. If that changes, we'll be back here with more updates.

Replies have been locked on this page!