31
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: January 28, 2025, 10:28:35 PM »
The defaults are:
(...)
What's weird is that the OWASP old ruleset works OK, but if you select OWASP latest it breaks everything.
You still see it stop attacks if you view the ModSecurity log.
What is your coreruleset version, ModSecurity version, and ModSecurity-nginx version?
Quote
(...)
Just added "/usr/local/cwpsrv/logs/*_log" to CUSTOM3_LOG, which was empty.
Will see if that works.
It must be noted here too that the OWASP rules I have posted will work with CWP because it is based on the 'nginx' server (see that the path is /usr/local/cwpsrv/logs/), and that they will work only with ModSecurity 3.0.x and ModSecurity-nginx connector v1.0.3-24-gef64996. I have filed an issue on the ModSecurity-nginx website, because for some reason it is not working with newer versions, and that bug is still open to this date.
Quote
Also have a virtual meeting with Xcitium (company who bought Comodo) next week, to find out what their plans are for the future of that ruleset.
Because as of right now it's dead.
Hopefully this will get resolved.
I'm not sure about anyone else, but this simple thing has turned into a large cluster.
Very, very good.
This is what we need, a few simple impressions for that company, to not begin a coding marathon to work around the problem.
32
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: January 27, 2025, 10:36:31 PM »
I've tried different ways, just can't get OWASP to talk to CSF, even using the documentation.
It 'should' work, I see it in the logs, but CSF refuses to add the IPs and send notifications.
Are you referring to the lfd rules?
It may just be a matter of getting the regex right.
Here are some rules that work for me:
In file '/etc/csf/csf.conf':
Code:
CUSTOM4_LOG = "/usr/local/cwpsrv/logs/*_log"
In file '/usr/local/csf/bin/regex.custom.pm':
Code:
# CWP login page: failed login recorded in the access log.
# Note: \-\d{4} matches only negative UTC offsets (e.g. -0300).
if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\-\s+\-\s+\[\S+\/\S+\/\S+:\S+:\S+\s+\-\d{4}\].*\/login\/index\.php\?login\=failed/)) {
    $ip = $1; $ip =~ s/:\w+//;
    # Returns: message, IP, rule id, trigger count, ports, 1 = permanent block
    return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}
# CWP Failed Login Protection (wrong password, error log); the IP is in $2
if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^\d{4}\/\d{2}\/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\s\[error\]\s\d+#\d+:\s\*\d+\suser\s\"\w+\":\spassword\smismatch,\sclient:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\sserver:\slocalhost,\srequest:\s\"(POST|GET)\s.*/)) {
    $ip = $2; $ip =~ s/:\w+//;
    return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}
## CWP Failed Login Protection (unknown user, error log); the IP is in $2
if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^\d{4}\/\d{2}\/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\s\[error\]\s\d+#\d+:\s\*\d+\suser\s\"\w+\"\swas\snot\sfound\sin\s\"\/usr\/local\/cwpsrv\/conf\/htpasswd\",\sclient:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\sserver:\slocalhost,\srequest:\s\"(POST|GET)\s.*/)) {
    $ip = $2; $ip =~ s/:\w+//;
    return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}
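A way to check the three patterns above offline before relying on lfd, as an added example that is not part of the original post or of CSF. The patterns are copied from the rules above; `classify`, the rule labels and every log line are constructed for illustration, and the samples include two lines the patterns do not catch (a `+0000` timestamp and a user name containing a dot).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# [label, capture group holding the client IP, pattern copied from the post]
my @rules = (
    [ 'access: login=failed', 1, qr/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\-\s+\-\s+\[\S+\/\S+\/\S+:\S+:\S+\s+\-\d{4}\].*\/login\/index\.php\?login\=failed/ ],
    [ 'error: password mismatch', 2, qr/^\d{4}\/\d{2}\/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\s\[error\]\s\d+#\d+:\s\*\d+\suser\s\"\w+\":\spassword\smismatch,\sclient:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\sserver:\slocalhost,\srequest:\s\"(POST|GET)\s.*/ ],
    [ 'error: user not found', 2, qr/^\d{4}\/\d{2}\/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\s\[error\]\s\d+#\d+:\s\*\d+\suser\s\"\w+\"\swas\snot\sfound\sin\s\"\/usr\/local\/cwpsrv\/conf\/htpasswd\",\sclient:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\sserver:\slocalhost,\srequest:\s\"(POST|GET)\s.*/ ],
);

# Return (label, ip) for the first rule matching $line, or an empty list.
sub classify {
    my ($line) = @_;
    for my $rule (@rules) {
        my ($label, $group, $re) = @$rule;
        my @caps = $line =~ $re or next;
        return ($label, $caps[$group - 1]);
    }
    return;
}

# Constructed log lines (documentation IPs): [expected IP or undef, line]
my @samples = (
    [ '203.0.113.7',
      q{203.0.113.7 - - [27/Jan/2025:22:36:31 -0300] "GET /login/index.php?login=failed HTTP/1.1" 200 512} ],
    # Same request logged with a '+' offset: the pattern expects '-'
    [ undef,
      q{203.0.113.7 - - [27/Jan/2025:22:36:31 +0000] "GET /login/index.php?login=failed HTTP/1.1" 200 512} ],
    # Ordinary page view, must not count as a failure
    [ undef,
      q{198.51.100.9 - - [27/Jan/2025:22:40:02 -0300] "GET /login/index.php HTTP/1.1" 200 512} ],
    [ '198.51.100.9',
      q{2025/01/27 22:41:10 [error] 2211#0: *57 user "admin": password mismatch, client: 198.51.100.9, server: localhost, request: "POST /login/index.php HTTP/1.1"} ],
    [ '192.0.2.44',
      q{2025/01/27 22:42:55 [error] 2211#0: *61 user "ghost" was not found in "/usr/local/cwpsrv/conf/htpasswd", client: 192.0.2.44, server: localhost, request: "GET / HTTP/1.1"} ],
    # \w+ does not match the '.' in this user name
    [ undef,
      q{2025/01/27 22:43:30 [error] 2211#0: *62 user "john.doe": password mismatch, client: 192.0.2.44, server: localhost, request: "GET / HTTP/1.1"} ],
);

my $failures = 0;
for my $sample (@samples) {
    my ($want, $line) = @$sample;
    my ($label, $ip) = classify($line);
    my $ok = ($want // 'no match') eq ($ip // 'no match');
    $failures++ unless $ok;
    printf "%-4s %-25s %s\n", ($ok ? 'ok' : 'FAIL'), $label // '-', $ip // 'no match';
}
exit($failures ? 1 : 0);
```

Replacing the constructed lines with real lines from the server's own logs shows whether a rule that lfd ignores is failing at the regex or somewhere else.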
33
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: January 26, 2025, 04:55:45 PM »
I tried that juggling, and it didn't work.
There is a problem with the OWASP latest ruleset that I've notified CWP about.
I've only found 2 semi-good replacements, but both are paid:
https://malware.expert/
https://atomicorp.com/modsecurity-rules/
And then there is of course the company who bought Comodo, Xcitium. But their website doesn't even work.
There is a possibility, for those who use nginx<->*<->Apache.
You can install Comodo on Apache, in normal operation mode, and OWASP on nginx, in log-only mode.
I haven't tested it yet, but it's an idea, and I'll test it very soon.
34
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: January 26, 2025, 04:50:54 PM »
i switched back to OWASP latest rules but they are not blocking malicious attempts. i can see in logs it's detecting but attempt is not blocked
on the other hand comodo waf rules keeps blocking everything
before last update everything was fine and comodo waf rules were the best
Yea, there is a bug CWP has been made aware of with the OWASP latest not working.
To avoid this, you can use the OWASP ruleset in "Anomaly Scoring Mode". Instead of blocking each rule individually, as is done in Comodo, a set of rules is evaluated and, if it reaches a certain score, only then is it blocked. This is a very powerful way of blocking. Even so, you should always analyze the ruleset, starting at level 1, the most secure in terms of no false positives, and increasing the level as you add whitelists.
There are plugins for phpMyAdmin, Roundcube and WordPress, but they need to be tested and adapted for each case. However, it is much less work than building the exceptions from scratch.
From OWASP page:
Code:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.3/dev/crs-setup.conf.example
"
The CRS can run in two modes:
#
# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.
#
# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.
"
35
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: January 25, 2025, 03:17:58 AM »
I agree that it is dead. But the problem with Comodo being dead is that it forces most of us who use free rulesets to migrate to the only known free alternative, which is the OWASP rules.
And that certainly can't be done overnight.
And whoever wants to take on this challenge will have to do some digital juggling to get both rulesets working, putting OWASP in a log-only (no blocks) state while collecting logs and statistics to include its whitelists.
It's a medium-term problem, but it's a very serious problem, and must be worked on starting now.
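The log-only starting point described in this post, combined with the anomaly scoring mode and level 1 advice from the post above, looks roughly like this in ModSecurity with CRS 3.3. This is an added example, not configuration from the posts or from CWP; which file each directive lives in is an assumption, while the directives and rule ids are those used in crs-setup.conf.example.

```apache
# modsecurity.conf: evaluate and log every rule, never block (log-only phase)
SecRuleEngine DetectionOnly

# crs-setup.conf: anomaly scoring mode, matching rules only add to the score
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# Self-contained mode, for comparison: the first matching rule denies at once
# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
# SecDefaultAction "phase:2,log,auditlog,deny,status:403"

# Start at paranoia level 1 (fewest false positives)
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"

# Block when the inbound score reaches 5 or the outbound score reaches 4
SecAction "id:900110,phase:1,nolog,pass,t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# Once false positives seen in the logs are whitelisted: SecRuleEngine On
```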
36
Information / CentOS CWP vs cPanel comparison
« on: January 10, 2025, 02:00:11 AM »
"CentOS CWP is ranked #1, while cPanel is ranked #2. CentOS CWP holds a 19.2% mindshare in WHCP, compared to cPanel’s 18.9% mindshare."
Mindshare is this presence in the mind. It is occupying a prominent place in the consumer's mind. It is being remembered by him in some way.
I couldn't download the report, but the information is on that site.
https://www.peerspot.com/products/comparisons/centos-cwp_vs_cpanel
37
CentOS 7 Problems / Re: My CWP websites are not loading after i changed my webservers to Ningx + Apache
« on: January 03, 2025, 02:16:42 AM »
Here are all the screenshots
Apache is running but the connection refused
https://ibb.co/88ZhN3K
https://ibb.co/WpTc2KK
https://ibb.co/1LKGY00
My httpd.conf
https://codepen.io/sohailfarooq356/pen/raBYBwb
Are you using CWPPro..?!
Your domain is not resolving here, and is not registered: thcwebiner.com
As a consequence, your domain does not resolve here, nor panel.thcwebiner.com
Are you really using ns1 and ns2.centos-webpanel.com as your nameservers?
Regards,
Netino
38
Information / Re: CWP Support Site Not Working
« on: December 17, 2024, 02:07:14 AM »
The main problem was that PHP-FPM was down, so, fortunately, I could work around it by myself.
The problem was solved by canceling three licenses and changing IPs between other servers.
But thanks for the attention.
Regards,
Netino
39
Information / Re: CWP Support Site Not Working
« on: December 10, 2024, 12:27:58 AM »
It's completely unbelievable.
This new link refers to support for panel issues.
The thing is that I'm having problems with the LICENSE to use the CWPPro panel, because my server was no longer indicating the CWPPro license, and I posted a ticket on November 26th, and I still haven't received a response.
In other words, I'm paying for the license, and I can't use it.
This is completely unprofessional.
There comes a time when this type of problem starts to get tiresome.
Regards,
Netino
40
DNS / Re: Help with rDNS
« on: October 13, 2024, 01:21:49 AM »
This is only possible to set in the authoritative server.
Do you have access to that?
In a VPS server, normally, this is just configured with your provider.
Is this your case?
Regards,
Netino
41
PHP / Re: PHP Switcher version in Almalinux 9
« on: June 08, 2024, 02:05:30 AM »
You have enabled selinux on your server in enforcing mode. The ideal operation for selinux is to enable it in permissive mode, and only after resolving the error messages, then enable it in enforcing mode. It is not possible to install any web server management software with selinux enabled by default in enforcing mode, before operating it. You would have to work so much to solve the problems that it wouldn't be worth it. The best you can do is disable selinux, or only enable it in permissive mode, while you watch potential error messages.
Regards,
Netino
42
PHP / Re: PHP-FPM PHP 8.2 & 8.3 failing to update - CWPpro version: 0.9.8.1178
« on: May 22, 2024, 10:51:00 PM »
(...)
But for you, as you will use the CWP web environment, the easiest way is to rename the file to /usr/bin/g++.old, and create a new script enabling that environment:
========================================================================
# mv /usr/bin/g++ /usr/bin/g++.old
# echo "scl enable devtoolset-7 'bash'" > /usr/bin/g++
# chmod 755 /usr/bin/g++
========================================================================
(...)
Sorry, this step is incomplete.
The correct step, after installing the environment, is:
========================================================================
# mv /usr/bin/g++ /usr/bin/g++.old
# echo "scl enable devtoolset-7 'bash'" > /usr/bin/g++
# echo "/opt/rh/devtoolset-7/root/usr/bin/g++" >> /usr/bin/g++
# chmod 755 /usr/bin/g++
========================================================================
We are simply using the newly installed 'g++'.
So, I just forgot to invoke it.
43
PHP / Re: PHP-FPM PHP 8.2 & 8.3 failing to update - CWPpro version: 0.9.8.1178
« on: May 21, 2024, 11:33:49 PM »
The default installation of PHP-8.2.19 is failing at this point:
"configure: error: *** A compiler with support for C++17 language features is required"
Install the CentOS SCL repository, this is an environment enabled to run the g++ compiler, with C++17 support:
===========================================
yum installcentos-release-scl -y
===========================================
Yes, you are correct, sorry for the typo.
The correct repository installation is:
===========================================
yum install centos-release-scl -y
===========================================
You must enable that environment as the default.
===========================================
scl enable devtoolset-7 'bash'
===========================================
If it didn't work for you, it is because that environment was not enabled by the script.
This can be done in several ways.
For the CWP team, it is just a matter of putting that line right before the php-fpm82 installation script invocation, in the PHP build script.
But for you, as you will use the CWP web environment, the easiest way is to rename the file to /usr/bin/g++.old, and create a new script enabling that environment:
========================================================================
# mv /usr/bin/g++ /usr/bin/g++.old
# echo "scl enable devtoolset-7 'bash'" > /usr/bin/g++
# chmod 755 /usr/bin/g++
========================================================================
Only now, then, can you try compiling via the CWP web environment.
Now CWP will use it to build: when g++ is called, the environment will be enabled.
After you compile it successfully, you need to return to the normal configuration:
========================================================================
# mv /usr/bin/g++ /usr/bin/g++.new
# mv /usr/bin/g++.old /usr/bin/g++
========================================================================
44
PHP / Re: PHP-FPM PHP 8.2 & 8.3 failing to update - CWPpro version: 0.9.8.1178
« on: May 20, 2024, 10:21:09 PM »
The default installation of PHP-8.2.19 is failing at this point:
"configure: error: *** A compiler with support for C++17 language features is required"
Install the CentOS SCL repository, this is an environment enabled to run the g++ compiler, with C++17 support:
===========================================
yum installcentos-release-scl -y
===========================================
Install C++ support for GCC version 7:
===========================================
yum install devtoolset-7-gcc-c++ --enablerepo='centos-sclo-rh' -y
===========================================
Just one line in the compiler script solves this problem, changing the environment to this compiler before building PHP version 8.2.19:
===========================================
scl enable devtoolset-7 'bash'
===========================================
After the above command, you can check the g++ version like this:
===========================================
g++ -v
===========================================
...resulting in this:
===========================================
(...)
gcc version 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)
===========================================
(Source: <https://access.redhat.com/documentation/en-us/red_hat_developer_toolset/7/html/user_guide/chap-gcc>)
The script must be run with this environment enabled.
Problem solved.
Regards,
Netino
45
SSL / Re: New SSL cert broke my server
« on: May 10, 2024, 11:30:26 PM »
It seems your files /etc/pki/tls/certs/hostname.bundle and /etc/pki/tls/private/hostname.key were generated at different moments.
The best and easiest step for you is to save your server certificate.
Just save the hostname of your server again, and CWP will generate your server certificate again.
Regards,
Netino