Atomic Secure Linux

All times are UTC - 5 hours [ DST ]

 Post subject: system down after update
Posted: Wed Aug 10, 2011 3:41 pm
Forum User
Joined: Sat Nov 13, 2010 6:52 am
Posts: 33
Hi, I have posted on the support portal, but could not see my message show up there, so was not sure if it was sent or not, so I am also posting here a request for support.

httpd will not start on my server, so all websites on the server are down since the asl-lite update today. I only update MODSEC and the error is as follows; the error is the same if I try to start httpd, I get the error about this rule.

Syntax error on line 46 of /usr/local/apache/modsecurity.d/10_asl_rules.conf:
Error creating rule: Unknown variable: REQBODY_ERROR
Checking for updates..
ASL version is current: package asl is not installed
[OK]
APPINV rule updates are available: 201107281511 [INFO]
CLAMAV rule updates are available: 201108091005 [INFO]
GEOMAP rule updates are available: 201108090859 [INFO]
Updating MODSEC to 201108100957: updated [OK]
OSSEC rule updates are available: 201108021559 [INFO]


...just an update... I removed the include to the file 10_asl_rules.conf in modsec2.conf and httpd starts again, so my sites are up, but without the asl rules. I have been running this system with these rules updating daily since November 2010, without any problem, so I am thinking it must be something with the newly updated file. I looked at the line and it is something to do with Plesk, the rule causing the problem. I don't run Plesk, but cPanel on my system... maybe that's a cause?


Post subject: Re: system down after update
Posted: Wed Aug 10, 2011 6:23 pm
New Forum User
Joined: Wed Aug 10, 2011 6:16 pm
Posts: 4
Location: Brisbane
Hi there,

Unfortunately I have to report the exact same issue on our servers.

asl -l runs as a nightly cron job on our servers and last night's (Australian Time) update produced the same error poppy reported: Apache failed to restart after update!

Luckily one of our techs was still up and was able to fix the issue. The temp solution was to comment line 46 of 10_asl_rules.conf out.

Here is our error, similar to the one from poppy:

Quote:
root@xxxxxxxxxxxx [~]# service httpd start

Syntax error on line 46 of /usr/local/apache/conf/modsec_rules/10_asl_rules.conf:

Error creating rule: Unknown variable: REQBODY_ERROR


Also our cron daemon reported the following:
Quote:
Syntax error on line 46 of /usr/local/apache/conf/modsec_rules/10_asl_rules.conf:
Error creating rule: Unknown variable: REQBODY_ERROR
Checking for updates..
ASL version is current: package asl is not installed
[OK]
APPINV rule updates are available: 201107281511 [INFO]
CLAMAV rule updates are available: 201108091005 [INFO]
GEOMAP rule updates are available: 201108090859 [INFO]
Updating MODSEC to 201108100957: updated [OK]
OSSEC rule updates are available: 201108021559 [INFO]


Can anyone from Atomicorp give a statement please? We do pay for the licence and I just want to make sure if that was an error on Atomicorp's site or if something is wrong with our ModSec configuration. To be honest, we are no ModSec experts, but that's the reason why we use the ASL service.

Btw: Because of the issue around 1000 websites we host were offline for about an hour. Since it was in the middle of the night, damage was minimal, but still ...

Cheers from Oz
Bjorn


Post subject: Re: system down after update
Posted: Wed Aug 10, 2011 6:43 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3244
Location: Chantilly, VA
This means your mod_security installation is not up to date; this is a 2.6.x feature. Definitely upgrade to 2.6.1 (which is the current stable version), or you'll have to comment that rule out.

Definitely upgrade to 2.6.1, there are a lot of features in it that you will definitely want to have.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: system down after update
Posted: Wed Aug 10, 2011 7:15 pm
New Forum User
Joined: Wed Aug 10, 2011 6:16 pm
Posts: 4
Location: Brisbane
Hi mikeshinn,

thanks for the quick reply.

Ok looks like we were running 2.6.0 only (this is just after doing an Apache rebuild on Friday via easyapache in cPanel). And yes we do use cPanel.

But I was able to solve the problem. I just re-ran the asl-lite installation again. Just as explained at:

http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Special_notes_for_CPANEL_users_not_using_ASL

Since we only have an asl-lite subscription we used Option 2.

The installer finished after a couple of minutes and we were able to un-comment line 46 in 10_asl_rules.conf. Apache restarted successfully.

@mikeshinn: could you please confirm that re-running the installer as explained in the above wiki does update mod_security? Is there any command to find out which version of mod_security actually runs on the server?

Thanks for the help,
Bjorn


Post subject: Re: system down after update
Posted: Wed Aug 10, 2011 7:48 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3244
Location: Chantilly, VA
A quick way to find the version is to look at the headers in a modsecurity audit record (then you KNOW the version for sure). For example:

Message: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "320"] [id "340017"] [rev "47"] [msg "Atomicorp.com WAF Rules: Generic SQL injection protection in ARGS"] [data "union select"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx (?:^/edit_page$|/node/[0-9]+/edit|^/forum/posting\\.php|^/admins/wnedit\\.php|/alt_doc\\.php\\?returnUrl=.*edit|^/admin/categories\\.php\\?cPath=.*|modules\\.php\\?name=Forums&file=posting&mode=.*|^/joomla/administrator/index2\\.php|^/wiki/index\\.php? ..." against "REQUEST_URI" required.
Action: Intercepted (phase 2)
Stopwatch: 1313019994460263 39440 (- - -)
Stopwatch2: 1313019994460263 39440; combined=1799, p1=156, p2=1624, p3=0, p4=0, p5=17, sr=92, sw=2, l=0, gc=0
WAF: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); 201108101832.
Server: Apache/2.2.3 (CentOS)


And definitely upgrade to 2.6.1, it also contains a number of fixes.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
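
Added example, not part of the original post or Atomicorp's tooling: a shell check that reads the ModSecurity version from audit-record headers, as described in the post above, and compares it with the minimum a rule set needs. It assumes records carry either the `WAF:` header shown above or the stock `Producer:` header; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read the ModSecurity version from audit-log
# headers and check it against the minimum a rule set needs.

# Print the version from the LAST matching header on stdin. Older records stay in
# the audit log after an upgrade, so only the newest record reflects what runs now.
# "WAF:" is the header shown in this thread; "Producer:" is the stock header name.
running_modsec_version() {
    sed -E -n 's#^(WAF|Producer): ModSecurity for Apache/([0-9]+(\.[0-9]+)*).*#\2#p' |
        tail -n 1
}

# Succeed when dotted version $1 >= $2, comparing field by field as numbers
# (so 2.10.0 ranks above 2.6.0, which a plain string compare gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# $1 = minimum version; audit-log text on stdin. Returns 0 ok, 1 too old, 2 unknown.
check_rules_supported() {
    v=$(running_modsec_version)
    if [ -z "$v" ]; then
        echo "no ModSecurity version header found" >&2
        return 2
    fi
    if version_ge "$v" "$1"; then
        echo "ModSecurity $v: OK for rules needing >= $1"
    else
        echo "ModSecurity $v: too old for rules needing >= $1" >&2
        return 1
    fi
}

# Constructed sample: one record written before an upgrade, one after.
SAMPLE='Producer: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/).
Server: Apache/2.2.3 (CentOS)
WAF: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); 201108101832.
Server: Apache/2.2.3 (CentOS)'

# 2.6.0 is the minimum this thread reports as accepting REQBODY_ERROR.
printf '%s\n' "$SAMPLE" | check_rules_supported 2.6.0
```

To run it against a live server, redirect the file named by the SecAuditLog directive into `check_rules_supported 2.6.0` before enabling rules that need 2.6.x.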


Post subject: Re: system down after update
Posted: Wed Aug 10, 2011 8:04 pm
New Forum User
Joined: Wed Aug 10, 2011 6:16 pm
Posts: 4
Location: Brisbane
Hi,

Ok I think saying that we run 2.6.0 was a bit premature. The audit logs say that we run 2.5.13.

What would be the easiest way to update mod_security on a production server?

Cheers,
Bjorn


Post subject: Re: system down after update
Posted: Thu Aug 11, 2011 4:55 am
Forum User
Joined: Sat Nov 13, 2010 6:52 am
Posts: 33
I was running modsec 2.5.13, so I did an easyapache update this morning and now have version 2.6.0. It gets installed as standard along with Apache 2.2+ , versions of apache before that do not install 2.6.0 of modsec, so version 2.2 has to be chosen to get the modsec update to 2.6.0

With this I was able to uncomment line 46 and httpd started successfully.

I have not tried to update to 2.6.1 as it is not coming with easy apache yet. But will wait to hear whether anyone does so successfully within a cpanel server.

I am thinking that wget -q -O - http://www.atomicorp.com/installers/asl-lite |sh does not actually alter the modsec version, but creates the asl directory structure that you just then have to alter the permissions on..but I installed at the end of last year, so that may be different now.

(edit..also on my system the version of easy apache update is Easy::Apache v3.5.2 ..I think that is also relevant as to whether the modsec version gets updated. As I read at http://forums.cpanel.net/f145/modsecuri ... 12391.html)


Post subject: Re: system down after update
Posted: Thu Aug 11, 2011 6:29 pm
New Forum User
Joined: Wed Aug 10, 2011 6:16 pm
Posts: 4
Location: Brisbane
Thanks for the detailed info poppy.

Strangely we did an easyapache run last Friday (with apache 2.2) and mod_sec stayed as 2.5.13 ...
Maybe I have to check the version of easyapache as you suggested.

Cheers,
Bjorn


Post subject: Re: system down after update
Posted: Thu Aug 11, 2011 9:14 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3244
Location: Chantilly, VA
We forked all the 2.6 rules into their own rule files, so if you are stuck on 2.5.x you shouldn't see this issue anymore. However, we highly recommend you upgrade to 2.6 as you are missing out on some important features and bug fixes.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

