|
Server : Apache System : Linux ecngx264.inmotionhosting.com 4.18.0-553.77.1.lve.el8.x86_64 #1 SMP Wed Oct 8 14:21:00 UTC 2025 x86_64 User : lonias5 ( 3576) PHP Version : 7.3.33 Disable Function : NONE Directory : /proc/self/root/proc/thread-self/root/opt/sharedrads/ |
Upload File : |
#!/usr/lib/rads/venv/bin/python3
"""Disable modsec rules for Cpanel or PlatformI users and domains."""
# Written by Quentin H
import subprocess
import argparse
from pathlib import Path
import sys
from rads.color import red, green
# Set the lock path to /tmp as a placeholder
lock_file = Path("/tmp/modsec_disable.lock")
platformI = Path("/etc/ansible/wordpress-ultrastack")
# Ensure that only one instance of the script runs at a time.
def get_lock():
if lock_file.exists():
print(
red("Another instance of the script is currently running. Exiting.")
)
sys.exit(1)
lock_file.touch() # Create a lock file to indicate the script is running
# Release the lock after the script has completed.
def release_lock():
lock_file.unlink(missing_ok=True)
# Check if Nginx exists
def check_nginx():
nginx_dir = Path("/var/log/nginx/")
return nginx_dir.exists()
# Get Apache version
def get_apache_version():
try:
result = subprocess.run(
["apachectl", "-v"], capture_output=True, text=True, check=True
)
except FileNotFoundError:
print(red("apachectl not found. Please ensure Apache is installed."))
sys.exit(1)
except subprocess.CalledProcessError:
print(red("Failed to get Apache version."))
sys.exit(1)
if "Server version" in result.stdout:
version_line = result.stdout.split('\n')[0]
version = version_line.split()[2]
return version.split('/')[1]
print(red("Unable to parse Apache version."))
sys.exit(1)
# Update modsec.conf file based on provided arguments.
def update_modsec_configuration(
modsec_file,
rule_ids=None,
disable_all=False,
reset=False,
remove_rule_id=None,
):
modsec_file.parent.mkdir(
parents=True, exist_ok=True
) # Ensure the directory exists
# Ensure the modsec.conf file exists before modifying it
if not modsec_file.exists() or reset:
modsec_file.write_text("") # Create or reset the file if necessary
if disable_all:
modsec_file.write_text("SecRuleEngine Off\n")
elif rule_ids:
for rule_id in rule_ids:
disable_rule(modsec_file, rule_id)
elif remove_rule_id:
for rule_id in remove_rule_id:
remove_rule(modsec_file, rule_id)
# Add rules to modsec.conf, checks if the rule exists and skips it if it does
def disable_rule(modsec_file, rule_id):
rule_text = f"SecRuleRemoveById {rule_id}"
contents = ""
if modsec_file.exists():
with modsec_file.open("r+") as file:
contents = file.read()
if rule_text in contents:
print(red(f"Rule {rule_id} already disabled, not adding."))
return
with modsec_file.open("a") as file:
file.write(f"{rule_text}\n")
print(green(f"Rule {rule_id} added to file: {modsec_file}"))
# Remove a rule from the modsec file.
def remove_rule(modsec_file, rule_id):
rule_text = f"SecRuleRemoveById {rule_id}"
if modsec_file.exists():
with modsec_file.open("r+") as file:
contents = file.readlines()
file.seek(0)
file.truncate()
for line in contents:
if rule_text not in line:
file.write(line)
print(green(f"Rule {rule_id} removed from file: {modsec_file}"))
# Remove all SecRuleRemoveById and SecRuleEngine entries from the modsec file.
def reset_modsec_configuration(modsec_file):
if modsec_file.exists():
with modsec_file.open("r+") as file:
contents = file.readlines()
file.seek(0)
file.truncate()
for line in contents:
if not (
line.startswith("SecRuleRemoveById")
or line.startswith("SecRuleEngine Off")
):
file.write(line)
print(
green(
"All SecRuleRemoveById and SecRuleEngine entries removed "
f"from file: {modsec_file}"
)
)
# Rebuild and restart Apache.
def cpanel_restart_apache():
subprocess.run(
["/usr/local/cpanel/bin/servers_queue", "queue", "build_apache_conf"],
check=False,
)
subprocess.run(
["/usr/local/cpanel/bin/servers_queue", "queue", "apache_restart"],
check=False,
)
print(green("Apache configuration and service reload queued."))
def platform_i_restart_apache():
try:
subprocess.run(["apachectl", "-t"], check=True)
except subprocess.CalledProcessError:
print(red("Syntax failed apache check"))
sys.exit(1)
try:
subprocess.run(["systemctl", "restart", "httpd"], check=True)
print(green("Apache restarted correctly."))
except subprocess.CalledProcessError:
print(red("Apache failed to restart"))
sys.exit(1)
# Run ngxconf if Nginx exists
def cpanel_run_ngxconf(user):
subprocess.run(["ngxconf", "-u", user, "-rd"], check=False)
# Function to handle platformI check and set the modsec file path
def platform_i_modsec(args):
modsec_file_path = Path(
"/etc/httpd/modsecurity.d/activated_rules/z-mycustom.conf"
)
update_modsec_configuration(
modsec_file=modsec_file_path,
rule_ids=args.rule if args.rule else None,
disable_all=args.off,
reset=args.reset,
remove_rule_id=args.drop,
)
if args.reset:
reset_modsec_configuration(modsec_file_path)
platform_i_restart_apache()
# Cpanel function that sets the modsec.conf file based on the flags/args passed
# to the script
def cpanel_modsec(args):
if not args.user:
print(red("The --user (-u) flag is required for CPanel operations."))
sys.exit(1)
try:
apache_version = get_apache_version()
if apache_version.startswith("2.4"):
std_apache_dir = Path("/usr/local/apache/conf/userdata/std/2_4")
ssl_apache_dir = Path("/usr/local/apache/conf/userdata/ssl/2_4")
elif apache_version.startswith("2."):
std_apache_dir = Path("/usr/local/apache/conf/userdata/std/2")
ssl_apache_dir = Path("/usr/local/apache/conf/userdata/ssl/2")
else:
print(red(f"Unsupported Apache version {apache_version}."))
sys.exit(1)
# Determine the correct modsec_file path based on the presence of the
# domain flag
if args.domain:
modsec_file_std = (
std_apache_dir / args.user / args.domain / "modsec.conf"
)
modsec_file_ssl = (
ssl_apache_dir / args.user / args.domain / "modsec.conf"
)
else:
modsec_file_std = std_apache_dir / args.user / "modsec.conf"
modsec_file_ssl = ssl_apache_dir / args.user / "modsec.conf"
# Ensure the directory and files exist
modsec_file_std.parent.mkdir(parents=True, exist_ok=True)
modsec_file_ssl.parent.mkdir(parents=True, exist_ok=True)
modsec_file_std.touch(exist_ok=True)
modsec_file_ssl.touch(exist_ok=True)
if args.rule:
for rule_id in args.rule:
disable_rule(modsec_file_std, rule_id)
disable_rule(modsec_file_ssl, rule_id)
if args.drop:
for rule_id in args.drop:
remove_rule(modsec_file_std, rule_id)
remove_rule(modsec_file_ssl, rule_id)
if args.reset:
if args.domain:
reset_modsec_configuration(modsec_file_std)
reset_modsec_configuration(modsec_file_ssl)
else:
reset_modsec_configuration(
std_apache_dir / args.user / "modsec.conf"
)
reset_modsec_configuration(
ssl_apache_dir / args.user / "modsec.conf"
)
if args.off:
disable_all_rules(modsec_file_std)
disable_all_rules(modsec_file_ssl)
finally:
if check_nginx():
print(green("Nginx detected."))
cpanel_run_ngxconf(args.user)
cpanel_restart_apache()
# Function to disable all rules in modsec.conf
def disable_all_rules(modsec_file):
if modsec_file.exists():
with modsec_file.open("a") as file:
file.write("SecRuleEngine Off\n")
print(green(f"All rules disabled in file: {modsec_file}"))
# Main function to parse arguments and run needed functions based on server type
def main():
get_lock() # Get the lock before proceeding
try:
parser = argparse.ArgumentParser(description=__doc__)
if platformI.exists():
parser.add_argument(
"-r",
"--rule",
type=int,
nargs='+',
help="Specific rule IDs to disable",
)
parser.add_argument(
"-o", "--off", action="store_true", help="Disable all rules"
)
parser.add_argument(
"-R",
"--reset",
action="store_true",
help="Reset the modsec configuration",
)
parser.add_argument(
"-D",
"--drop",
nargs='+',
type=int,
help="Drop/Remove a specific rule ID from the modsec "
"configuration",
)
else:
parser.add_argument(
"-u",
"--user",
type=str,
required=True,
help="CPanel user this is for",
)
parser.add_argument(
"-d",
"--domain",
type=str,
help="The domain to modify rules for",
)
parser.add_argument(
"-r",
"--rule",
type=int,
nargs='+',
help="Specific rule IDs to disable",
)
parser.add_argument(
"-o",
"--off",
action="store_true",
help="Disable all rules for the domain",
)
parser.add_argument(
"-R",
"--reset",
action="store_true",
help="Reset the modsec configuration",
)
parser.add_argument(
"-a",
"--all",
action="store_true",
help="Apply changes to all domains for the user",
)
parser.add_argument(
"-D",
"--drop",
nargs='+',
type=int,
help="Drop/Remove a specific rule ID from the modsec "
"configuration",
)
args = parser.parse_args()
if platformI.exists():
platform_i_modsec(args)
else:
cpanel_modsec(args)
finally:
release_lock() # Release the lock after the script completes
if __name__ == "__main__":
main()