Mod_Security with Moodle


by Zack Mack -
Number of replies: 9

Hi All,


I have been installing Moodle version 3.5 on my server, but as I try to install, it's giving me the error message below:


Web server software (xxxxxxx WebPanel: Protected by Mod Security) is not supported, sorry.


I have checked various resources in this forum, and most of the forum replies seem to suggest disabling the mod_security Apache module. But when I talked to my hosting company, they said that removing/disabling the Mod_Security Apache module is NOT recommended, as it protects our server from various attacks.

I am not good at server management, so I just want to confirm: if we disable the Mod_Security Apache module, would running Moodle on an unprotected server be fine, or is there any other alternative, like making changes in the Moodle configuration to run it with Mod_Security enabled?

Please help and advise.


Thanks,

Zack


Average of ratings: -
In reply to Zack Mack

Re: Mod_Security with Moodle

by Howard Miller -

It's not your problem - I suspect switching off mod security will make no difference.

This issue is because Moodle checks which web server you are running. It does this by checking the server variable... $_SERVER['SERVER_SOFTWARE'] and making sure that it is on the "approved" list. 

I suspect that your hosting company has compiled Apache in such a way that it returns a non-standard response. It should just say 'Apache' but instead is replying 'CentOS WebPanel: Protected by Mod Security'. This is all required because Moodle needs to do some 'fixing up' of data returned from the web server depending on what you are running. 

My inclination is to tell your company to sort this out - it's a weird thing to do. 

Average of ratings: Useful (2)
In reply to Howard Miller

Re: Mod_Security with Moodle

by Iñaki Arenaza -

If your hosting company is not willing to sort this out, you can help Moodle deal with it :)

First, you need to find out the real web server your company is using (Apache x.y, nginx z.w, IIS n.p, etc.). Once you know it, you can add something like the following to your config.php file (the example assumes your company is using Apache, adjust to match your company's server type):

global $_SERVER;
$_SERVER['SERVER_SOFTWARE'] = 'Apache';

Make sure you add those two lines before the line that reads:

require_once(dirname(__FILE__) . '/lib/setup.php');

Saludos.

Iñaki.

Average of ratings: Useful (3)
In reply to Zack Mack

Re: Mod_Security with Moodle

by Ken Task -

Please see:

https://tracker.moodle.org/browse/MDL-25915

which is old but no real resolution ... see the reasons in Tracker.

http://www.modsecurity.org/crs/

Am going to assume that it's a false positive as Moodle on Linux without
mod_security seems pretty secure ... IF Moodle code is kept up to date.

With that in mind:
http://www.modsecurity.org/crs/

"Handling False Positives and Advanced Features

Advanced features are explained in the crs-setup.conf and the rule files themselves. The crs-setup.conf file is generally a very good entry point to explore the features of the CRS.

We are trying hard to reduce the number of false positives (false alerts) in the default installation. But sooner or later, you may encounter false positives nevertheless.

Christian Folini's tutorials on installing ModSecurity, configuring the CRS and handling false positives provide in-depth information on these topics.
"

Create an issue on GitHub to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log.

https://github.com/SpiderLabs/owasp-modsecurity-crs/issues

There are many many many Moodle installations throughout the globe with providers - some Moodle friendly and some not.   Would think that provider would investigate for customer IF request was made.   If they resolve the issue, it's a plus for them and if there were in existence a 'best moodle hosting' accurate list your provider should be listed very high, I would think.

'spirit of sharing', Ken

In reply to Ken Task

Re: Mod_Security with Moodle

by Howard Miller -

mod-security is a red herring. 

The error message comes from the check made for the variety of web server software the OP is running. 

Average of ratings: Useful (1)
In reply to Zack Mack

Re: Mod_Security with Moodle

by Ken Task -

Re-visiting ModSecurity ...

Hopefully, you've a linux server.  Recently involved in assisting a Moodle OP that hosted with a provider that supplies centos7 templates allocated by Web Hosting Management.   It's been a learning 'experience'.

Installing Moodle via git and cli, no issues.   ModSecurity actually taken out of the loop as git installed Moodles don't use the web service.

As far as 'false positives' ... the makers of ModSec are aware and are trying their best to ID those false positives - imagine that keeps them extremely busy. :\

Did find in these forums @ https://moodle.org/mod/forum/discuss.php?d=95086 some info shared that did help, a little.   Actually seeing the same moodle file modedit.php that triggered MS .. that was back in 2013 ... today ... same thing with Moodle 3.4.x and 3.5.x.

Can offer one tip in finding the issues ... below is a command line query of apache error logs:

grep -a ModSecurity /usr/local/apache/logs/error_log | grep -a dev

On the system upon which I was working grepping the error_log required the -a switch.  And as can see, searching for 'ModSecurity' references.   The |grep -a dev ... the 'dev' was an instance of Moodle ... url was https://site/dev/

In viewing what that found, key things ... the URL ... like /dev/modedit.php and the MS ID number.

Those two bits of info used in configuring a whitelist item.

/etc/apache2/conf.d/modsec2/whitelist.conf

<LocationMatch "/dev/course/modedit.php">
SecRuleRemoveById 300015
</LocationMatch>

Then checking for typos:

apachectl -t

IF apachectl says 'OK' ... restart apache and hopefully the 'false positive' error will go away and one can get on down the road.

One of the side effects of this is seen in your DB stats ... number of dropped connections.  The MS was claiming the script to be an attempt at XSS SQL Injection ... which it was not - but MS didn't stop it before a connection was opened to the DB (that's a guess).

Know it's a pain ... but might be well worth it ... especially if you notice your server is poked and probed often.

'spirit of sharing', Ken


Average of ratings: Useful (1)
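
The log triage described in the post above (find the ModSecurity hits for one Moodle instance, note the URL and rule ID, write a scoped exclusion), as an added example that is not part of the original thread. It assumes the ModSecurity 2.x error_log fields `[id "..."]` and `[uri "..."]`; the function names are hypothetical, the log lines are constructed, and rule ID 300016 is made up for the sample. Because LocationMatch takes a regular expression, the draft escapes and anchors each URL.

```bash
#!/usr/bin/env bash
# Added example: summarise ModSecurity denials for one Moodle instance and
# draft per-URL exclusions for review. Function names are hypothetical.

# Constructed sample lines in ModSecurity 2.x error_log layout (not real data;
# rule 300016 and the client address are made up for the example).
sample_log() {
cat <<'EOF'
[Tue Jul 10 10:12:33 2018] [:error] [pid 1234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "sample" at ARGS:introeditor. [file "/path/to/rules.conf"] [line "12"] [id "300015"] [msg "constructed sample"] [hostname "site"] [uri "/dev/course/modedit.php"] [unique_id "A1"]
[Tue Jul 10 10:14:02 2018] [:error] [pid 1234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "sample" at ARGS:introeditor. [file "/path/to/rules.conf"] [line "12"] [id "300015"] [msg "constructed sample"] [hostname "site"] [uri "/dev/course/modedit.php"] [unique_id "A2"]
[Tue Jul 10 10:14:40 2018] [:error] [pid 1235] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "sample" at ARGS:name. [file "/path/to/rules.conf"] [line "30"] [id "300016"] [msg "constructed sample"] [hostname "site"] [uri "/dev/course/modedit.php"] [unique_id "A3"]
[Tue Jul 10 10:15:00 2018] [:error] [pid 1236] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "sample" at ARGS:log. [file "/path/to/rules.conf"] [line "12"] [id "300015"] [msg "constructed sample"] [hostname "site"] [uri "/blog/wp-login.php"] [unique_id "A4"]
[Tue Jul 10 10:15:07 2018] [:error] [pid 1236] [client 203.0.113.9] File does not exist: /path/to/docroot/dev/favicon.ico
EOF
}

# Print "URI RULE_ID COUNT" for each ModSecurity hit whose URI starts with $1.
# Reads the error log on stdin; -a because the log may contain binary bytes.
modsec_hits() {
  grep -a 'ModSecurity' |
    sed -n 's/.*\[id "\([0-9][0-9]*\)"].*\[uri "\([^"]*\)"].*/\2 \1/p' |
    awk -v p="$1" 'index($1, p) == 1 { n[$0]++ }
                   END { for (k in n) print k, n[k] }' |
    sort
}

# Turn those hits into one <LocationMatch> block per URI. The URI is regex-
# escaped and anchored so the exclusion covers that script and nothing else.
modsec_whitelist() {
  modsec_hits "$1" | sed 's/[][\\.*^$+?(){}|]/\\&/g' | awk '
    $1 != cur { if (cur != "") print "</LocationMatch>"
                cur = $1; print "<LocationMatch \"^" cur "$\">" }
    { printf "  # rule %s: %s hit(s) in log\n  SecRuleRemoveById %s\n", $2, $3, $2 }
    END { if (cur != "") print "</LocationMatch>" }'
}

# Review the draft, save it to the whitelist file, then run `apachectl -t`.
sample_log | modsec_whitelist /dev/
```

On a real server, feed the error log in on stdin, for example `modsec_whitelist /dev/ < /usr/local/apache/logs/error_log`, and read each listed rule before removing it for that URL.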
In reply to Ken Task

Re: Mod_Security with Moodle

by Howard Miller -

However... the OP's problem wasn't mod_security. It was a string in the Apache build. 

In reply to Howard Miller

Re: Mod_Security with Moodle

by Ken Task -

The hosting provider has a centos7 template that's used to build server instances ... included ...mod_security and from what I can tell, rules for what's hosted the most with them ... WordPress.

Ok, you've now got me curious ... can't help it ... when you say a 'string in the apache build', could you expand on that a little, please!   Am the type where I will pop the hood! :) [sometimes a curse!]

Thanks, in advance,

Ken


In reply to Ken Task

Re: Mod_Security with Moodle

by Howard Miller -

I explained it above... 

Moodle is "spitting the dummy" because it doesn't recognise the web server (e.g. 'Apache', 'Nginx' etc.). This is because the name of the web server has been changed by the host when they built it (I assume).  

Absolutely nothing to do with mod_security. 

Could have said, "Our build of Apache with silver sparkles". 

In reply to Howard Miller

Re: Mod_Security with Moodle

by Ken Task -

Am beginning to understand ... thanks.   Similar to what I am seeing in LQW WHM allocated server.

Wonder where the OP hosts.

Speaking of that ... where hosted ... wonder if Moodle HQ has ever used registration data (if users register their site with Moodle HQ) to get a sense of which providers seem to be 'popular' - minus or plus Moodle Partners.  Would be interesting, me thinks, to see a chart of some sort, that listed providers ... like Liquid Web Hosting, Rackspace, Amazon, etc. ... and gave a count.

Recently, the question of where to move a site has been asked more than once.

my 2 cents!

'spirit of sharing', Ken