Problems with WHM / cPanel OWASP ModSecurity..??

Last Modified: 2015-06-29
I've been trying to battle a bunch of spammers and brute force attacks on my VPS server with HostGator. I feel like a person who brought home a wifi router, plugged it in, and thought "it works, great!" Yet they don't change the default IP address, default password, wifi security, etc. That's how I feel with this VPS. I'm not a server admin, and HostGator isn't helping me figure out how to secure this thing (even with offers to pay for service).

So, with a little bit of digging, I found this ModSecurity stuff inside the WHM called ModSecurity. I had to enable it, and then I had to "add a vendor" which then gives me access to a bunch of different security settings I can turn on/off. When everything was enabled, though, my sites on this server weren't functioning correctly, so I turned off everything, and then went through 1 service at a time, turning it on, and testing to see if any of the sites had issues with that particular rule.

At this point, I have everything except for the following enabled, because I had issues...

rules/REQUEST-10-IP-REPUTATION.conf
I'm pretty sure this one was enabled by default and was fine, but now that I have everything disabled and I'm re-enabling one-by-one, I get this error when I try to enable this:

The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: Syntax error on line 31 of /usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-10-IP-REPUTATION.conf:
ModSecurity: Found another rule with the same id

rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
With this enabled, some features on my WordPress sites break.  For example, the site stats feature that the Jetpack plugin provides (if you're familiar with that, by chance) breaks.

I have everything else still turned on right now, but what I'm finding is that people hitting my legitimate web services are getting failures. I can't figure out which individual rule is doing it, but when I disable the entire ModSecurity firewall it works again.

So, finally, my question is whether or not there's a way I can fine-tune these rules and allow legitimate traffic..??  I've been reading through this guide, but I just don't see anything other than simply turning on or off a rule.  That seems counter-intuitive, though, and again, I can't seem to find which individual rule is causing my problem with people hitting my legitimate web services.

Any information on all of this would be greatly appreciated.  Thanks!
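The part the question cannot get past is finding out which rule id is blocking legitimate visitors. ModSecurity writes one line per blocked request into Apache's error log, each carrying the rule `file`, `id`, `msg` and the request `uri`, so the rule can be identified by counting those fields instead of toggling whole rule sets. The script below is an added example, not code from the question, cPanel or the OWASP rule set: it aggregates such lines by rule id and prints narrow `SecRuleRemoveById` exclusions scoped to the affected URIs. The log lines, rule ids, hostnames and IPs are constructed; the rule file paths are the ones quoted in the question.

```python
import re

# Constructed sample in the shape of mod_security2 entries in Apache's error_log.
# Rule ids, client IPs, hostnames and URIs are made up for this example.
SAMPLE_ERROR_LOG = """\
[Mon Jun 29 10:01:02 2015] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "48"] [id "9100001"] [msg "Request Missing an Accept Header"] [hostname "blog.example.test"] [uri "/xmlrpc.php"]
[Mon Jun 29 10:01:05 2015] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "48"] [id "9100001"] [msg "Request Missing an Accept Header"] [hostname "blog.example.test"] [uri "/xmlrpc.php"]
[Mon Jun 29 10:02:11 2015] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "%27" at ARGS:id. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "120"] [id "9100002"] [msg "Invalid character in request"] [hostname "blog.example.test"] [uri "/index.php"]
[Mon Jun 29 10:02:12 2015] [error] [client 198.51.100.7] File does not exist: /home/user/public_html/favicon.ico
"""

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+)\]')     # Apache's client tag

def parse_modsec_line(line):
    """Return the bracketed key/value fields of one ModSecurity event, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    fields["client"] = m.group(1) if m else "?"
    return fields

def summarize_by_rule(log_text):
    """Aggregate events per rule id: hit count, message, rule file, URIs, clients."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_modsec_line(line)
        if not ev or "id" not in ev:
            continue
        s = summary.setdefault(ev["id"], {"hits": 0, "msg": ev.get("msg", ""),
                                          "file": ev.get("file", ""),
                                          "uris": set(), "clients": set()})
        s["hits"] += 1
        s["uris"].add(ev.get("uri", ""))
        s["clients"].add(ev["client"])
    return summary

def exclusion_directives(summary, rule_ids):
    """Emit narrow exclusions: disable each chosen rule only for the URIs it hit.
    Place these after the vendor rules are included, because SecRuleRemoveById
    can only remove a rule that has already been loaded."""
    out = []
    for rid in rule_ids:
        for uri in sorted(summary[rid]["uris"]):
            out.append('<LocationMatch "^%s$">' % re.escape(uri))
            out.append("    SecRuleRemoveById %s" % rid)
            out.append("</LocationMatch>")
    return out
```

On a live server, feed the script the real log (assumed to be `/usr/local/apache/logs/error_log` on a cPanel host) and compare the top ids against the URIs your own users complain about, such as the Jetpack endpoints, before excluding anything; the ids hit only by the SQL-injection probes should stay active.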