mod_security plugin Comodo WAF blank page on DA

MaXi32

Does anyone experience this blank screen problem using the Comodo WAF plugin? How do you solve this?

[Screenshot: blank-page.PNG]

This is what my current config looks like on /etc/nginx/nginx-modsecurity.conf

Code:
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
#SecDefaultAction "phase:2,deny,log,status:406"
SecRequestBodyLimitAction ProcessPartial
SecResponseBodyLimitAction ProcessPartial
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecAuditLogFormat JSON

SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000

SecCollectionTimeout 600

SecDebugLog /var/log/nginx/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLog /var/log/nginx/modsec_audit.log
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecTmpSaveUploadedFiles on

# ModSecurity Core Rules Set and Local configuration
Include /etc/modsecurity.d/*.conf.main
Include /etc/modsecurity.d/*.conf

All folders are set to 755 and files are set to 644 in /usr/local/directadmin/plugins/comodo_waf

Code:
755 drwxr-xr-x 6 diradmin root     4.0K Jun 19 15:50 .
711 drwx--x--x 6 diradmin diradmin 4.0K Jun 19 15:50 ..
755 drwxr-xr-x 3 diradmin root     4.0K Oct 22  2019 admin
644 -rw-r--r-- 1 diradmin root        6 Jun 20 09:02 available_version.txt
755 drwxr-xr-x 2 diradmin root     4.0K Jun 19 15:50 hooks
755 drwxr-xr-x 5 diradmin root     4.0K Jun 19 15:50 images
644 -rw-r--r-- 1 diradmin root      280 Jun 19 15:50 plugin.conf
755 drwxr-xr-x 2 diradmin root     4.0K Oct 22  2019 scripts

I did test whether mod_security is working on my site to see if a log is generated: curl "http://mywebsite.com/?q='1 OR 1=1"
I checked tail -f /var/log/nginx/modsec_audit.log and it seems like it generated a log: "[{"message":"COMODO WAF: SQLmap attack detected"

nginx is running:

Code:
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/etc/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-20 09:19:34 +08; 7h ago
  Process: 1531093 ExecStop=/bin/kill -s QUIT $MAINPID (code=exited, status=0/SUCCESS)
  Process: 1535025 ExecReload=/bin/kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 1532328 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
  Process: 1531987 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCES>
Main PID: 1532329 (nginx)
    Tasks: 3 (limit: 25004)
   Memory: 27.3M
   CGroup: /system.slice/nginx.service
           ├─1532329 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           ├─1535152 nginx: worker process
           └─1535156 nginx: worker process

Jun 20 09:19:33 s.serverserverserverserverserver.com systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jun 20 09:19:33 s.serverserverserverserverserver.com nginx[1531987]: nginx: the configuration file /etc/nginx/nginx.conf syn>
Jun 20 09:19:33 s.serverserverserverserver.com nginx[1531987]: nginx: configuration file /etc/nginx/nginx.conf test is>
Jun 20 09:19:34 s.serverserverserver.com systemd[1]: Started The nginx HTTP and reverse proxy server.
Jun 20 09:20:01 s.serverserver.com systemd[1]: Reloading The nginx HTTP and reverse proxy server.
Jun 20 09:20:01 s.server.com systemd[1]: Reloaded The nginx HTTP and reverse proxy server.

httpd is running:

Code:
[root@earth extra]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-20 09:05:59 +08; 7h ago
  Process: 1476273 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 1534950 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
Main PID: 1476279 (httpd)
   Status: "Total requests: 1004; Idle/Busy workers 100/0;Requests/sec: 0.0355; Bytes served/sec: 382 B/s>
    Tasks: 343 (limit: 25004)
   Memory: 27.7M
   CGroup: /system.slice/httpd.service
           ├─1476279 /usr/sbin/httpd -DFOREGROUND
           ├─1535220 /usr/sbin/httpd -DFOREGROUND
           └─1535225 /usr/sbin/httpd -DFOREGROUND

Jun 20 09:05:59 s.server.com systemd[1]: Stopped The Apache HTTP Server.
Jun 20 09:05:59 s.server.com systemd[1]: Starting The Apache HTTP Server...
Jun 20 09:05:59 s.server.com systemd[1]: Started The Apache HTTP Server.
Jun 20 09:06:01 s.server.com systemd[1]: Reloading The Apache HTTP Server.
Jun 20 09:06:01 s.server.com systemd[1]: Reloaded The Apache HTTP Server.
Jun 20 09:20:01 s.server.com systemd[1]: Reloading The Apache HTTP Server.
Jun 20 09:20:01 s.server.com systemd[1]: Reloaded The Apache HTTP Server.

I'm using nginx_apache. Why is the UI blank? I checked the PHP log too and it doesn't show any errors. Checking the nginx and Apache logs, nothing was found.
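
The check described in the post above (send a test request, then look in modsec_audit.log) can be scripted to confirm the engine is matching rules independently of the plugin UI. This is an added example, not part of the original thread; it assumes the one-JSON-object-per-line layout that libmodsecurity v3 writes with SecAuditLogFormat JSON, and the sample lines, rule id, IPs and file path are constructed.

```python
import json
from collections import Counter

# Constructed sample lines in the assumed libmodsecurity v3 JSON audit layout
# (one transaction per line). Rule id, IPs and file path are placeholders,
# not values from the thread.
SAMPLE_LOG = "\n".join([
    json.dumps({"transaction": {
        "client_ip": "192.0.2.10",
        "request": {"method": "GET", "uri": "/?q='1 OR 1=1"},
        "response": {"http_code": 403},
        "messages": [{"message": "COMODO WAF: SQLmap attack detected",
                      "details": {"ruleId": "000001", "severity": "2",
                                  "file": "/etc/modsecurity.d/placeholder.conf"}}]}}),
    json.dumps({"transaction": {          # logged entry with no rule messages
        "client_ip": "192.0.2.11",
        "request": {"method": "GET", "uri": "/missing.php"},
        "response": {"http_code": 404},
        "messages": []}}),
    '{"transaction": {"client_ip": "192.0.2.12", "request": {"uri": "/trunc',  # cut-off write
])


def summarize_audit_log(text):
    """Return (rule hits, per-rule counts, number of unparseable lines)."""
    hits, per_rule, bad = [], Counter(), 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            tx = json.loads(line)["transaction"]
        except (ValueError, KeyError, TypeError):
            bad += 1          # partial or non-JSON line: count it, keep going
            continue
        for msg in tx.get("messages") or []:
            rule_id = (msg.get("details") or {}).get("ruleId", "?")
            per_rule[rule_id] += 1
            hits.append({"client": tx.get("client_ip"),
                         "uri": (tx.get("request") or {}).get("uri"),
                         "status": (tx.get("response") or {}).get("http_code"),
                         "rule": rule_id,
                         "message": msg.get("message")})
    return hits, per_rule, bad


if __name__ == "__main__":
    hits, per_rule, bad = summarize_audit_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(dict(per_rule), "unparseable:", bad)
```

To run it against a real log, pass the contents of /var/log/nginx/modsec_audit.log to summarize_audit_log() instead of SAMPLE_LOG.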
 
It's a 3rd party plugin, we may drop it altogether due to all the complaints about it. Regarding native modsecurity support in UI of admin/user level - it should be released today in pre-release.
 
Always hear good news from @smtalk. I feel like the luckiest person.
 
Is the Comodo WAF project still being developed? They haven't released updates to their rulesets in ages. ... Or have I missed something?
 
It's there in pre-release now.
For logs to be shown, re-compilation of ModSecurity is needed:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build modsecurity

I've logged in to check, it shows:
List of rule files
Selected version: 1.230 (2020-04-08 14:28:36)

So, last update was ~2 months ago.
 
Installed the pre-release now and recompiled mod security. But, I couldn't find the new modsecurity UI in the evolution skin?
 
I guess custom menu in "Customize Evolution Skin" :) We don't want to add new entries or edit the ones customized, so, you'd need to customize it again and add the entries needed.

Please let me know if that's not the case? (but I'm almost sure it is) If you use it to limit the features - feature sets is a way better way for doing this.
 
I saw this feature is in 1.61.4: https://www.directadmin.com/features.php?id=2822 and I notice I'm still on DA 1.61.3. Is the pre-release version 1.61.4? When I put the new entry in the Evolution Skin I used the URL "CMD_MODSECURITY", and when I navigate to that link, I got this:
[Screenshot: 1592690060263.png]

Now this is what I have:

Compiled on: CentOS 8.0 64-Bit
Compile Date: Jun 20 2020, 14:12:22
Server Version: 1.61.3
Current Available Version: 1.613000
Last Updated: Sun Jun 21 04:13:11 2020
Last Restart: Sun Jun 21 05:16:32 2020

Maybe I need to try another mirror.
 
Pre-release binary doesn't change the version number, so, your binaries are valid. I'd suggest resetting customizations, or appending the routes. /admin/mod-security on admin level, /user/mod-security on user level.
 
I tried this, when appending routes I got invalid route name for both /admin/mod-security, and /user/mod-security. I just recompiled this,
./build update
./build modsecurity

also doesn't seem to be able to use that route. I also reset evolution skin.
 
Does it still show:
Compile Date: Jun 20 2020, 14:12:22
 
Hm.. I think I may need access to say why it's behaving so. No issues here with exactly the same version. What's your webserver?
 
I'm using nginx_apache, I can see it's working only with the enhanced skin. Or perhaps I need to rebuild everything later to see magic ;D. Thanks a lot @smtalk
 
Maybe something custom in data/skins/evolution ?

I don't think there is any customization in evolution. I even removed the evolution skin completely and reinstalled it with this:

rm -rf /usr/local/directadmin/data/skins/evolution

then

1. cd /usr/local/directadmin/data/skins

2. mkdir evolution

3. cd evolution

4. wget http://demo.directadmin.com/download/evolution.tar.gz

5. tar -xvzf evolution.tar.gz

6. find . -type d -exec chmod 0755 {} \;
find . -type f -exec chmod 0644 {} \;
 
Step #4 is your problem :) just update pre-release, as the skin is included there.
 
Ouch.. since you mentioned it's working on the evolution skin, I think I'm going to rebuild everything now into pre-release. Thank you so much.
 