Syntax error?

trisager
New Forum User
Posts: 4
Joined: Sun Jul 14, 2013 2:47 am
Location: Copenhagen

Syntax error?

Unread post by trisager »

I'm getting a syntax error message with version 201406041407 of the rules:

$ sudo service httpd -t
AH00526: Syntax error on line 82 of /usr/local/apache/conf/modsec_rules/00_asl_zz_strict.conf:
Error creating rule: Could not add entry "127.0.0.0/8" from: 127.0.0.0/8.

Reverted to version 201406031837 and everything works fine.

This is on a cPanel server, in case it matters.
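An added example, not part of the original thread and not Atomicorp's or cPanel's tooling: a sketch of gating a rules update on the Apache config test, so a rule set that fails to load (as above) is rolled back automatically. The function names and the layout (one directory per rules version, with a `current` symlink that Apache includes) are assumptions.

```shell
#!/bin/sh
# Assumed layout (hypothetical): one directory per rules version and a
# symlink that the Apache config includes, e.g.
#   /usr/local/apache/conf/modsec_rules -> /opt/rules/201406031837

# parse_configtest: read config-test output on stdin and print
# "file:line: reason" for an AH00526 syntax error, nothing otherwise.
parse_configtest() {
    awk '
        /AH00526: Syntax error on line/ {
            line = $0; sub(/.*on line /, "", line); sub(/ of .*/, "", line)
            file = $0; sub(/.* of /, "", file); sub(/:$/, "", file)
            found = 1; next
        }
        found && reason == "" { reason = $0 }
        END { if (found) printf "%s:%s: %s\n", file, line, reason }
    '
}

# activate_rules NEW_DIR LINK TEST_CMD [ARGS...]
# Point LINK at NEW_DIR, run the config test, and restore the previous
# target if the test fails. Returns 0 on success, 1 after a rollback,
# 2 if LINK is not a symlink.
activate_rules() {
    new=$1; link=$2; shift 2
    old=$(readlink "$link") || return 2
    ln -sfn "$new" "$link"
    if out=$("$@" 2>&1); then
        return 0
    fi
    ln -sfn "$old" "$link"                      # roll back before reporting
    printf '%s\n' "$out" | parse_configtest >&2
    return 1
}

# Usage (paths are placeholders; run as root, reload Apache on success):
#   activate_rules /opt/rules/NEW_VERSION /usr/local/apache/conf/modsec_rules \
#       service httpd -t && service httpd graceful
```

Apache is only reloaded when the config test passes, so a rule set the installed ModSecurity version cannot parse never reaches the running server.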
mrsant
Forum User
Posts: 17
Joined: Thu Jun 21, 2012 5:07 am
Location: UK

Re: Syntax error?

Unread post by mrsant »

We are seeing the same on each cPanel server we run EasyApache on...

It would appear the current rule set is fine on machines that are still running 2.7.x, but the machines that have 2.8 modsec are all throwing this same error. This is CentOS 6, FastCGI.

This is causing a lot of work...
trisager
New Forum User
Posts: 4
Joined: Sun Jul 14, 2013 2:47 am
Location: Copenhagen

Re: Syntax error?

Unread post by trisager »

I came across a note in the Wiki stating that the rules are tested on 2.7.7 and that 2.8 is not supported, so that probably explains it.
mrsant
Forum User
Posts: 17
Joined: Thu Jun 21, 2012 5:07 am
Location: UK

Re: Syntax error?

Unread post by mrsant »

I think I have found the cause, but I'm sat in a hospital on an iPad, so will have to look more closely when I'm in the office.

https://github.com/SpiderLabs/ModSecurity/issues/706
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Syntax error?

Unread post by scott »

Yeah, 2.8 has some pretty serious issues still. We recommend sticking with 2.7.7 until that particular one has been resolved.
mrsant
Forum User
Posts: 17
Joined: Thu Jun 21, 2012 5:07 am
Location: UK

Re: Syntax error?

Unread post by mrsant »

scott wrote: We recommend sticking with 2.7.7

Hi Scott, and thank you for taking time to pitch in. The problem for fleets running cPanel is that this is unavoidable with EasyApache.

Given the impact this is no doubt going to have as more hosters happen to run EApache, I would be grateful if you could give this more attention. Right now, we are going to have to either edit the rules on every server when they are updated, or stop the updates - neither of which is optimal.

Look forward to your feedback.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Syntax error?

Unread post by mikeshinn »

Unfortunately, it's not a rule issue, so for rules-only users there's nothing we can do if you chose to use 2.8. 2.8 broke support for IP addresses. So there's nothing we can do to make rules that use IP addresses, like whitelists for example, work with 2.8. The code in 2.8 to handle IPs is broken.

So here's a solution that will work:

1) disable modsecurity in cpanel and uninstall it

2) use aum to install modsecurity. Which will install a version that's tested and works correctly

If you use our tools to install and manage modsecurity, we'll make sure your system is using a version of modsecurity that works, and never leave you in a lurch like this.
mrsant
Forum User
Posts: 17
Joined: Thu Jun 21, 2012 5:07 am
Location: UK

Re: Syntax error?

Unread post by mrsant »

mikeshinn wrote: 2) use aum to install modsecurity. Which will install a version that's tested and works correctly
Easier said than done... But I accept your reasoning.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Syntax error?

Unread post by mikeshinn »

Just remember, 2.8.0 has lots of bugs in it, don't use it.
mrsant
Forum User
Posts: 17
Joined: Thu Jun 21, 2012 5:07 am
Location: UK

Re: Syntax error?

Unread post by mrsant »

Don't tell me, go tell cPanel, or better yet, blog about how they have made a really dumb decision :oops: - they seem blissfully unaware, and have pushed it out to everyone... Doh!!!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Syntax error?

Unread post by mikeshinn »

Yeah, that's a shame. My advice to any vendor that ships modsecurity is to really follow the development lists more closely; there's several known bugs in 2.8.0 that have been discussed for weeks and make it clear to not use 2.8.0 at this time.

We've added an FAQ for anyone else that runs into this known bug in 2.8.0 along with a solution:

https://www.atomicorp.com/wiki/index.ph ... _add_entry