Duel Rulesets

srpurdy · **Posted:** Sun Mar 11, 2012 8:04 pm

Hi,

I would have opened a support ticket for some reason my login isn't working on the support portal. Works fine on the License screen?

Anyway This problem came out of no where. I'm guessing it's something with cpanel. I originally had the ASL rules installed manually myself with delayed rules I removed all those, but somehow I still seem to have an error about mod_security2 being already loaded on the asl -s -f command. I don't have mod_security during easy appache so I know this isn't the problem.

I search around and found asl seems to be updating rules in /usr/local/apache/modesecurity.d/ (These are dated march 12th default server time) but there is also a set of rules in /var/asl/rules (these are dated march 11th)

the modsecurity.d folder seems to not have all the rules. Is this normal?
About 2 weeks ago my apache process size jumped from around 80MB to 110 so I'm assuming something is loading that shouldn't be.

Any suggestions are welcome.

Shawn

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1876

I don't know how cpanel configures apache things, so I can't give you a definitive answer.

I suspect you just have two places where the mod_security module is being loaded, as opposed to two sets of rules being loaded.

In a Plesk-based full-fat ASL install, the rules are in /etc/httpd/modsecurity.d.

And in /etc/httpd/conf.d there's an 000_modesecurity.conf (or something like that) with a module load command, that is configured to specifically load only rules from modsecurity.d

The rules in /var/asl/rules/modsecurity(I think) are the "master" rules (as downloaded) that get copied to modsecurity.d every few minutes and when you run asl -s -f

I suspect you may also have a mod_security module load in apache.conf or httpd.conf or whatever cpanel uses, or possibly two files in the cpanel equivalent of /etc/httpd/conf.d

Like I say, I can't be specific for cpanel as I don't know it, so all this is general pointers, not specific instructions.

Faris.

srpurdy · **Posted:** Fri Mar 16, 2012 6:52 pm

I seem to have two configs, if I rename or comment out either of them and run asl -s -f

It replaces both of them.

I have one in
/usr/local/apache/conf.d/00_mod_security.conf

Other is in
/usr/local/apache/conf/modsec2.conf

Both have the same contents below.

Code:

# ASL mod_security Template: /var/asl/data/templates/template-01_mod_security.conf
# Special custom version for cpanel environments

LoadModule security2_module modules/mod_security2.so

<IfModule mod_security2.c>
        # Basic configuration goes in here
        Include modsecurity.d/tortix_waf.conf

        # Rule management is handled by ASL
        Include modsecurity.d/00*exclude.conf
        Include modsecurity.d/*asl*.conf
        Include modsecurity.d/99*exclude.conf

</IfModule>

I know this is the issue. cause if I comment one out and run httpd -M I don't get an [warn] that security2_module is already loaded. Where I do if both are normal.

Now that another problem is fixed my apache process size is 154MB This seems too big? or is it?

Just not sure what the solution would be if asl is re-creating both this files after running asl -s -f

Shawn

mikeshinn · **Posted:** Fri Mar 16, 2012 6:57 pm

Quote:

I have one in
/usr/local/apache/conf.d/00_mod_security.conf

Other is in
/usr/local/apache/conf/modsec2.conf

Are you sure that /usr/local/apache/conf/modsec2.conf isn't a symlink to /usr/local/apache/conf.d/00_mod_security.conf?

Quote:

Now that another problem is fixed my apache process size is 154MB This seems too big? or is it?

Thats normal. mod_security caches it rules to speed up processing.

srpurdy · **Posted:** Fri Mar 16, 2012 7:03 pm

mikeshinn wrote:

Quote:

I have one in
/usr/local/apache/conf.d/00_mod_security.conf

Other is in
/usr/local/apache/conf/modsec2.conf

Are you sure that /usr/local/apache/conf/modsec2.conf isn't a symlink to /usr/local/apache/conf.d/00_mod_security.conf?

Quote:

Now that another problem is fixed my apache process size is 154MB This seems too big? or is it?

Thats normal. mod_security caches it rules to speed up processing.

Ah it is system link.

I checked by editing one and seeing that the other one changed also.

So the duel loading of modsecurity2 is normal? Thanks for your help mike.

Quote:

Now that another problem is fixed my apache process size is 154MB This seems too big? or is it?

Quote:

Thats normal. mod_security caches it rules to speed up processing.

Okay thats good to know.

below is httpd -M command

Code:

 [warn] module security2_module is already loaded, skipping
Loaded Modules:
 core_module (static)
 authn_file_module (static)
 authn_dbm_module (static)
 authn_dbd_module (static)
 authn_default_module (static)
 authn_alias_module (static)
 authz_host_module (static)
 authz_groupfile_module (static)
 authz_user_module (static)
 authz_dbm_module (static)
 authz_default_module (static)
 auth_basic_module (static)
 auth_digest_module (static)
 include_module (static)
 filter_module (static)
 deflate_module (static)
 log_config_module (static)
 logio_module (static)
 env_module (static)
 expires_module (static)
 headers_module (static)
 unique_id_module (static)
 setenvif_module (static)
 version_module (static)
 proxy_module (static)
 proxy_connect_module (static)
 proxy_ftp_module (static)
 proxy_http_module (static)
 proxy_scgi_module (static)
 proxy_ajp_module (static)
 proxy_balancer_module (static)
 ssl_module (static)
 mpm_prefork_module (static)
 http_module (static)
 mime_module (static)
 dav_module (static)
 status_module (static)
 autoindex_module (static)
 asis_module (static)
 info_module (static)
 suexec_module (static)
 cgi_module (static)
 dav_fs_module (static)
 dav_lock_module (static)
 negotiation_module (static)
 dir_module (static)
 actions_module (static)
 userdir_module (static)
 alias_module (static)
 rewrite_module (static)
 so_module (static)
 cloudflare_module (shared)
 dav_svn_module (shared)
 authz_svn_module (shared)
 security2_module (shared)
 qos_module (shared)
 bw_module (shared)
 bwlimited_module (shared)
 suphp_module (shared)
Syntax OK

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1876

Loading it, or rather attempting to load it twice isn't normal normal, but Scott will have to tell us if it is normal with cpanel.

I don't get why there's both a "real" and a symlink to it being looked at by apache, but maybe that is normal for cpanel.

scott · **Posted:** Sat Mar 17, 2012 12:07 pm

Fortunately it doesnt load twice, but yeah this is problem with the way cpanel does its configs. They dont follow the conf.d layout, which frankly would solve a lot of their problems if they did. For those of you not familiar with it, this is the standard everyone, OS vendors, Linux software vendors, etc. agreed on using with the enterprise distros way back in the 90s. You invoke your include as such:

Include /etc/httpd/conf.d/*.conf

1) any file ending in .conf will be loaded, and
2) they are loaded in alphanumeric order. Ex: 01_php.conf is loaded before php.conf

When I was first mapping the way cpanel configs were laid out, the whiteboard wasnt big enough so I had to use a roomfull of sliding glass doors and a dry erase marker. (Include referencing an include, referencing an include)

So anyway, when the double load warning does come up it is not a problem if you are using ASL. Because we force them into the conf.d layout, and that ensures that the load order is correct.

srpurdy · **Posted:** Fri Apr 06, 2012 2:48 am

Yeah I'm not sure why they do that... I heard they are switching at some point though.

However I solved my problem here myself. It was loading two full rulesets. I'm still not sure how exactly but if I commented out that line in the 00_mod_security.conf. mod_security wasn't loading at all. With it in it was loading twice. So I just moved that load line into the cpanel pre_main configuration and edited the ASL template to not load it also. This seems to have worked for now. Although I guess I'll have to keep patching it, but now I'm at 70MB per process (not using antispam right now) This looks correct now.

Unless someone has a solution as to why. It seems like the .conf file must have been being loaded twice somehow, but with all the 17 million cpanel config files it's a pain to track down where that's happening lol.

EDIT Nevermind I found out where it was in the main httpd.conf

Code:

[b]Include /etc/httpd/conf.d/*.conf[/b]

Include "/usr/local/apache/conf/includes/pre_main_global.conf"
Include "/usr/local/apache/conf/includes/pre_main_2.conf"

LoadModule qos_module modules/mod_qos.so
LoadModule bw_module modules/mod_bw.so
LoadModule bwlimited_module modules/mod_bwlimited.so

[b]Include /etc/httpd/conf.d/*.conf[/b]
Include "/usr/local/apache/conf/mod_bandwidth.conf"
Include "/usr/local/apache/conf/php.conf"
Include "/usr/local/apache/conf/includes/errordocument.conf"

Duel Rulesets

Who is online