Rules don't work with FQDN

gulamchagani


Hi,

I just purchased a subscription for your rules. I have 2 issues:

ISSUE NO 1
I have followed all the instructions for installing this on my cPanel server; however, when I test using the FQDN, I get a 404 error instead of a 403. When I test with the IP address, the rule works. See the example below of how I am testing:

http://xyz.abc.com/foo.php?foo=http://www.example.com (404 error) and no logs

http://IP address/foo.php?foo=http://www.example.com (403 error)

Can you please advise what could be causing this and how to correct it?

ISSUE NO 2
If I use SecAuditLogType Concurrent, I don't see log entries using ConfigServer ModSec Control - it says No entries found in /usr/local/apache/logs/modsec_audit.log.

When I checked modsec_audit.log, there is just a standard 403 entry without showing any match to the ASL rules. However, the Apache error_log has an entry that shows a match against an ASL rule.

Is there any way to correct this?

Gulam

Thanks

Gulam
gulamchagani

Re: Rules don't work with FQDN


Hi,

This is how ISSUE 1 was resolved - in case someone faces a similar problem.

cPanel puts the following directive automatically in httpd.conf that disables mod_security.

<IfModule mod_security2.c>
SecRuleEngine Off <- THIS IS THE PROBLEM
</IfModule>

httpd.conf cannot be edited manually since it's dynamically built each time a new domain is created, etc. - so no changes made to it will stick.

In order to permanently remove this directive, you need to create a custom template with your changes. This is how I did this:
1. cd /var/cpanel/templates/apache2_2 (you have to go to the dir for the Apache that you use)
2. cp main.default main.local
3. Edit main.local, remove the lines
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
4. Rebuild httpd.conf using /scripts/rebuildhttpdconf
5. service httpd restart

Thanks

Gulam
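
A check for the condition described in this thread, as an added example that is not part of the original posts or of the rules vendor's tooling: it lists every active SecRuleEngine directive that is not set to On (the thread's case is Off; DetectionOnly is reported too), so the rebuilt httpd.conf and the main.local template can be verified after step 4. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report SecRuleEngine settings that
# leave ModSecurity rules unenforced. All sample data below is constructed.

# Print "file:line:value" for every active (non-comment) SecRuleEngine
# directive whose value is not "On", i.e. Off or DetectionOnly.
# Apache matches directive names case-insensitively, so this does too.
secruleengine_not_on() {
    awk '{
        line = $0
        sub(/^[ \t]+/, "", line)              # drop indentation
        if (line ~ /^#/) next                 # commented-out line
        n = split(line, f, /[ \t]+/)
        if (n < 2 || tolower(f[1]) != "secruleengine") next
        gsub(/"/, "", f[2])                   # value may be quoted
        if (tolower(f[2]) != "on")
            printf "%s:%d:%s\n", FILENAME, FNR, f[2]
    }' "$@"
}

# Succeed only when the template directory has a main.local override that
# no longer carries a disabling directive.
template_is_fixed() {
    [ -f "$1/main.local" ] || return 1
    [ -z "$(secruleengine_not_on "$1/main.local")" ]
}

# Constructed sample standing in for the template files.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/main.default" <<'EOF'
# SecRuleEngine On
<IfModule mod_security2.c>
    SecRuleEngine Off
</IfModule>
<VirtualHost *:80>
    ServerName xyz.abc.com
    secruleengine DetectionOnly
</VirtualHost>
EOF
    grep -vi 'secruleengine' "$d/main.default" > "$d/main.local"
    (cd "$d" && secruleengine_not_on main.default)
    template_is_fixed "$d" && echo "main.local: clean"
    rm -rf "$d"
}

# With file arguments, scan them; with none, run the constructed demo.
if [ $# -gt 0 ]; then secruleengine_not_on "$@"; else demo; fi
```

Run it with the path of the generated httpd.conf as an argument after the rebuild; any line it prints is a place where the rules are still not being enforced.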