Modsecurity Tools hitlist is empty / not working

M

menathor

Registered
Apr 5, 2016
3
0
1
Australia
cPanel Access Level
Website Owner
Hi guys

For some reason my WHM -> "Modsecurity Tools" hitlist is not working / always empty. I know modsecurity is working because hits are recorded correctly in /usr/local/apache/logs/modsec_audit.log. I don't run any WAF apps- all my rules are installed via WHM -> "Modsecurity Vendors". I've tried rules from multiple vendors and same result- they work, are logged in modsec_audit.log but the hitlist doesn't work.

Any ideas on how I could fix this?

Cheers!
 
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
Hello @menathor

This could caused by a few things. If you're able to access the server via CLI can you please run the following and provide me with the output?

Code: 
grep skipmodseclog /var/cpanel/cpanel.config
Code: 
grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5
Where is the Audit log being output to (i.e. where are you finding it)

Is there data in /usr/local/apache/conf/modsec2.user.conf
 
D

dstana

Well-Known Member
Jul 6, 2016
117
20
68
Phoenix, AZ
cPanel Access Level
Root Administrator
I'm having this same problem and I can provide outputs from those:

Code: 
grep skipmodseclog /var/cpanel/cpanel.config

skipmodseclog=0


grep -i modsec_audit /usr/local/cpanel/logs/tailwatchd_log |tail -n5

[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] /etc/apache2/logs/modsec_audit.log opened with inode 1561
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log (size:0) to 0 (requested 0)
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Caught up /etc/apache2/logs/modsec_audit.log to 0
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Restoring /etc/apache2/logs/modsec_audit.log to catch up position 0
[9772] [2018-05-29 11:48:53 -0700] [Cpanel::TailWatch] [INFO] Restored /etc/apache2/logs/modsec_audit.log to position 0
And for me, /usr/local/apache/conf/modsec2.user.conf doesn't exist.
 
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
Hi @dstana


This shows that your modsec_audit.log has nothing in it which is why you wouldn't see any hits. Do you have any rulesets besides the OWASP ruleset that comes default? Have you made customizations to the configuration? Based on what you provided the modsec_audit log is enabled and empty since this populates the hits list it may be that you haven't had any matches.


Thanks!
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
verdon ModSecurity Tools not logging all hits Security 17
I ModSecurity Tools showing server ip as source ip Security 6
F SOLVED [CPANEL-28481] ModSecurity Rules Containing JavaScript Break WHM >> ModSecurity Tools UI Security 2
J SOLVED ModSecurity™ Tools The following exception has occurred: API failure Security 7
R ModSecurity Tools Hits List is empty Security 3
Similar threads
ModSecurity Tools not logging all hits
ModSecurity Tools showing server ip as source ip
SOLVED [CPANEL-28481] ModSecurity Rules Containing JavaScript Break WHM >> ModSecurity Tools UI
SOLVED ModSecurity™ Tools The following exception has occurred: API failure
ModSecurity Tools Hits List is empty
Top Bottom