Centos – mod_security: another rule with same ID

centoshttpdmod-security

I have installed httpd 2.2.15 on CentOS 6.5 (minimal installation with no cPanel) with modsecurity 2.8. When I am starting httpd I am getting this error:

Starting httpd: Syntax error on line 23  of /etc/httpd/conf.d/modsecurity.conf:  ModSecurity: Found another rule with the same id

The line 23 is:

"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

Best Answer

I ran into a similar problem while following a tutorial - http://www.tecmint.com/protect-apache-using-mod_security-and-mod_evasive-on-rhel-centos-fedora/

My httpd.conf file already had an include for *.conf and the tutorial had me explicitly include the modsecurity.conf file. As a result, all my rules were duplicates because the conf file was included twice.

Related Solutions

Apache vhost-specific logging

Try to put the SecAuditLog entry into the setting for each of your virtual hosts.

Something like this (setup can look a little bit different but this is a basic setting). ~~Also you could check your other log entries (CustomLog, ErrorLog etc) for possible wildcards to insert.~~

domain1.conf
============
<VirtualHost *:80>
  ServerAdmin postmaster@domain1.com
  ServerName www.domain1.com

  SecAuditLog "/var/www/vhosts/domain1/statistics/logs/modsec_audit.log"
  # lots of more setting goes here
  # ...
</VirtualHost>

domain2.conf
============
<VirtualHost *:80>
  ServerAdmin postmaster@domain2.com
  ServerName www.domain2.com

  SecAuditLog "/var/www/vhosts/domain2/statistics/logs/modsec_audit.log"
  # lots of more setting goes here
  # ...
</VirtualHost>

Httpd – Error Start Apache “php value”

I recently ran into this exact problem using Plesk 9.5 on CentOS.

I cannot say for sure whether it was caused by an update to Plesk, or not. The customer doesn't think any changes were made recently, but Apache failed to start with this error.

After an assesment of the system to ensure it wasn't due to a breach, I did some troubleshooting and determined that mod_php had been removed from the Apache config. After checking Plesk settings, every vhost on the box was using FastCGI and SuExec.

When using FastCGI and SuExec, you cannot change PHP directives in php.conf (FastCGI) and .htaccess (SuExec).

The customer had originally commented out the offending lines, but this broke session support for everything. The only way I was able to resolve it was to manually add mod_php back to httpd.conf.

Add the following line to the section with the other LoadModule's. Make sure the path (../modules/) matches the rest of the modules in there. Chances are good that it already exists on your system and was simply removed from the config during the update.

bash# vi /etc/httpd/conf/httpd.conf
LoadModule php5_module ../modules/libphp5.so

bash# apachectl restart

This caught me off guard, and I cannot say for sure it is the upgrade that caused the issue or whether this is the best fix. I am open for comment, but highly advise against commenting out the php directives in /etc/httpd/conf.d/php.conf as it will break stuff.

Best Answer

Related Solutions

Apache vhost-specific logging

Httpd – Error Start Apache “php value”

Related Topic