
How to test WAF (mod_security) Plesk 12

Paula1

New Pleskian
Hi there,
I have Parallels Plesk 12.0.18 with CentOS 6.5 (Final).

WAF is On, with Atomic Basic ModSecurity rule set.

I was wondering if my sites were protected and I went to the Atomic wiki.

When I run a test from a non-whitelisted system following these instructions (STEP 10) https://www.atomicorp.com/wiki/index.ph ... web_server
I always receive a 404 error with all of my sites.

I also tested with:
http://www.xxxx.com/?abc=../../
http://www.xxxx.com/?abc=../../

Results: the sites load normally (the request does not even appear in the logs).

I've uninstalled and reinstalled mod_security several times with the same results.

Is there any "official" way to check if WAF is protecting Plesk 12?

I asked the same question in the Atomic forum and they said:

You'd need to ask Parallels about this; we made the ruleset available to them, but they implemented it using their own design. They might not be using 403 error codes like we do.

Thanks in advance.
 
Hi Alexey,

I have Parallels Plesk 12.0.18 Update #19 with CentOS 6.5 (Final).
WAF is On, with the Atomic Basic ModSecurity rule set.
I have reinstalled the ModSecurity Web Application Firewall for Apache several times.

Plesk Panel says ModSecurity is ON (the green check button; it is also set to On in the general settings for every website).

I tried the URI that you suggested with my own domain:

http://domain.com/test/php/test.php?foo=http://www.domain.com

and I did not receive a 403 Forbidden message. Instead I received the complete information pasted below (I deleted the values for obvious reasons):

PHP_VERSION
REQUEST_URI
REQUEST_METHOD
HTTP_CONNECTION
HTTP_ACCEPT_ENCODING
HTTP_ACCEPT_LANGUAGE
HTTP_ACCEPT
HTTP_USER_AGENT
HTTP_HOST
REQUEST_TIME_FLOAT
REQUEST_TIME

I would appreciate any help from you guys.

Thanks!
 
Hi Paula1,

ModSecurity does not work for websites that use Nginx as the primary web server for script files (dynamic content); see:
http://download1.parallels.com/Ples...inistrator-guide/index.htm?fileName=73383.htm

How Nginx settings can be configured per website:
http://download1.parallels.com/Ples...inistrator-guide/index.htm?fileName=71997.htm


If the website is running on Apache and Nginx is used only as a reverse proxy, then I would suggest checking the ModSecurity log file and searching for the test query fragment: "?foo=".
If the HTTP request is processed, then it must be in the log:
(attached screenshot: modSecurity--log.jpg)
 
Hi Alexey,
Thanks for your advice. However, I don't use Nginx at all.
I have Plesk 12.0.18 Update #19, last updated on Oct 12 (CentOS 6.5 Final).
WAF (ModSecurity) is ON. But none of the tests mentioned above in this post gives the expected 403 error message.

I already tried uninstalling and reinstalling ModSecurity. I tried using OWASP and Atomic rules. None of them ever worked.
I don't tweak my Plesk at all. It is a clean installation.
Not sure if ModSecurity is trying to find the rules in a different place or what.
The thing is that it is not working like it should.

Can anyone verify whether ModSecurity gives a 403 Forbidden message when running Plesk 12.0.18 Update #19 with CentOS 6.5?

(Please use the URI that Alexey gave us to test whether WAF is working.)

Thanks.
 
Alexey,
WAF is ON using OWASP rules (the same happened with Atomic rules).
I tried

http://domain.com/test/php/test.php?foo=http://www.domain.com


The connection never gives the Forbidden message. The browser shows my PHP version, etc.
I would appreciate any help on this.

This is the log:

--a692d374-A--
[15/Oct/2014:23:33:55 --0600] VD9Yw38AAAEAAANTeEQAAAAO MY IP 50650 IP SERVER 80
--a692d374-B--
GET /test/php/test.php?foo=http://DOMAIN.COM HTTP/1.1
Host: www.DOMAIN.COM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

--a692d374-F--
HTTP/1.1 200 OK
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

--a692d374-H--
Apache-Handler: fcgid-script
Stopwatch: 1413437635380424 140169 (- - -)
Stopwatch2: 1413437635380424 140169; combined=22, p1=2, p2=2, p3=2, p4=2, p5=12, sr=0, sw=2, l=0, gc=0
WAF: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--a692d374-Z--

--d9c2c329-A--
[15/Oct/2014:23:33:56 --0600] VD9YxH8AAAEAAF6LK7cAAAAA MY IP 50651 SERVER IP 80
--d9c2c329-B--
GET /css/style.css HTTP/1.1
Host: www.DOMAIN.COM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/css,*/*;q=0.1
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.DOMAIN.COM/test/php/test.php?foo=http://www.DOMAIN.COM
Connection: keep-alive

--d9c2c329-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 07 Aug 2013 15:47:02 GMT
ETag: "21345-1e85-4e35d73da6980"
Accept-Ranges: bytes
Content-Length: 7813
X-Powered-By: PleskLin
Connection: close
Content-Type: text/css

--d9c2c329-H--
Stopwatch: 1413437636011431 6233 (- - -)
Stopwatch2: 1413437636011431 6233; combined=23, p1=2, p2=2, p3=3, p4=2, p5=12, sr=0, sw=2, l=0, gc=0
WAF: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--d9c2c329-Z--

--d9c2c329-A--
[15/Oct/2014:23:33:56 --0600] VD9YxH8AAAEAAHorRLAAAAAY MY IP 50652 IP SERVER 80
--d9c2c329-B--
GET /img/common/th-na-bg.gif HTTP/1.1
Host: www.DOMAIN.COM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.DOMAIN.COM/css/style.css
Connection: keep-alive

--d9c2c329-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 07 Aug 2013 15:47:03 GMT
ETag: "2130c-183-4e35d73e9abc0"
Accept-Ranges: bytes
Content-Length: 387
X-Powered-By: PleskLin
Connection: close
Content-Type: image/gif

--d9c2c329-H--
Stopwatch: 1413437636471434 25154 (- - -)
Stopwatch2: 1413437636471434 25154; combined=22, p1=2, p2=2, p3=2, p4=2, p5=12, sr=0, sw=2, l=0, gc=0
WAF: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--d9c2c329-Z--

--837d851e-A--
[15/Oct/2014:23:33:57 --0600] VD9YxX8AAAEAAHomN8IAAAAU MY IP 50653 SERVER IP 80
--837d851e-B--
GET /favicon.ico HTTP/1.1
Host: www.DOMAIN.COM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

--837d851e-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 07 Aug 2013 15:47:03 GMT
ETag: "21306-47e-4e35d73e9abc0"
Accept-Ranges: bytes
Content-Length: 1150
X-Powered-By: PleskLin
Connection: close
Content-Type: image/vnd.microsoft.icon

--837d851e-H--
Stopwatch: 1413437637010425 7522 (- - -)
Stopwatch2: 1413437637010425 7522; combined=23, p1=2, p2=2, p3=3, p4=2, p5=12, sr=0, sw=2, l=0, gc=0
WAF: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
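To apply Alexey's advice (search the audit log for the "?foo=" probe and see what the engine did with it) to logs like the one above, here is an added Python parser for the ModSecurity 2.x serial audit-log format. It is not from the original thread or from Plesk; the sample log is constructed with example addresses, and the blocked transaction shows what a 403 from a blocking rule looks like next to the 200 OK seen here.

```python
import re

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")   # e.g. --a692d374-H--

def parse_audit_log(text):
    """Split a serial audit log into transactions: request line (B), status (F), Engine-Mode and rule Message: lines (H)."""
    txns, cur, part = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            tid, part = m.groups()
            if part == "A":  # part A opens a new transaction
                cur = {"id": tid, "request": None, "status": None, "engine": None, "messages": []}
                txns.append(cur)
        elif cur is None or not line:
            continue
        elif part == "B" and cur["request"] is None:
            cur["request"] = line
        elif part == "F" and line.startswith("HTTP/"):
            cur["status"] = int(line.split()[1])
        elif part == "H" and line.startswith("Message:"):
            cur["messages"].append(line[8:].strip())
        elif part == "H" and line.startswith("Engine-Mode:"):
            cur["engine"] = line.split(":", 1)[1].strip().strip('"')
    return txns

def verdict(txn):
    """Was the engine on, did a rule fire, and was the request actually blocked?"""
    if txn["engine"] != "ENABLED":
        return "engine not enabled"
    if txn["status"] == 403 or any("Access denied" in m for m in txn["messages"]):
        return "blocked"
    return "matched, not blocked" if txn["messages"] else "processed, no rule matched"

def check_test_request(text, fragment="?foo="):
    """Locate the probe by its query fragment (the search Alexey suggests) and judge it."""
    for txn in parse_audit_log(text):
        if fragment in (txn["request"] or ""):
            return verdict(txn)
    return "probe never reached ModSecurity"

# Constructed sample: a 200 OK like the one in this thread, then the 403 a blocking rule gives.
SAMPLE = """--a692d374-A--\n[15/Oct/2014:23:33:55 --0600] txid 203.0.113.5 50650 198.51.100.9 80
--a692d374-B--\nGET /test/php/test.php?foo=http://example.com HTTP/1.1\nHost: www.example.com
--a692d374-F--\nHTTP/1.1 200 OK\n--a692d374-H--\nEngine-Mode: "ENABLED"\n--a692d374-Z--
--0badc0de-A--\n[15/Oct/2014:23:40:01 --0600] txid 203.0.113.5 50660 198.51.100.9 80
--0badc0de-B--\nGET /test/php/test.php?foo=http://example.com HTTP/1.1\n--0badc0de-F--
HTTP/1.1 403 Forbidden\n--0badc0de-H--\nMessage: Access denied with code 403 (phase 2).
Engine-Mode: "ENABLED"\n--0badc0de-Z--\n"""
```

On a real server, pass the contents of the ModSecurity audit log to check_test_request(); "processed, no rule matched" with Engine-Mode ENABLED is exactly the situation in this thread, while "probe never reached ModSecurity" points at Nginx serving the request or the module not being loaded.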
 
Paula1,

Will you please log in to the Plesk server via SSH and check the following folder:
/etc/httpd/conf/modsecurity.d/

It should contain an Apache include file:
/etc/httpd/conf/modsecurity.d/zz_rules.conf

and a folder with the ModSecurity rules:
/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/*
 
Hi Alexey,

I found:

[root@u1728 ~]# cd /etc/httpd/conf/modsecurity.d/
[root@u1728 modsecurity.d]# ls
rules zz_rules.conf zz_rules.conf.backup
[root@u1728 modsecurity.d]# cd rules
[root@u1728 rules]# ls
modsecurity_crs-plesk tortix tortix.backup
[root@u1728 rules]# cd modsecurity_crs-plesk/
[root@u1728 modsecurity_crs-plesk]# ls
modsecurity_35_bad_robots.data
modsecurity_35_scanners.data
modsecurity_40_generic_attacks.data
modsecurity_50_outbound.data
modsecurity_50_outbound_malware.data
modsecurity_crs_10_setup.conf
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_21_protocol_anomalies.conf
modsecurity_crs_23_request_limits.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_41_sql_injection_attacks.conf
modsecurity_crs_41_xss_attacks.conf
modsecurity_crs_42_tight_security.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_47_common_exceptions.conf
modsecurity_crs_48_local_exceptions.conf.example
modsecurity_crs_49_inbound_blocking.conf
modsecurity_crs_50_outbound.conf
modsecurity_crs_59_outbound_blocking.conf
modsecurity_crs_60_correlation.conf

The file

zz_rules.conf

contains:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

Include "/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/*.conf"
 
Paula1,

As we can see, the ModSecurity rules reside in the correct place, the ModSecurity engine is ON and it handles requests, but it does nothing.

Please do the following:
1) Please double check that ModSecurity is in ON mode:
Home>Tools & Settings>Web Application Firewall>Web application firewall mode = ON

2) Switch the rules to the Atomic Basic ModSecurity rule set

3) Ensure that in Home>Tools & Settings>Web Application Firewall>Settings:
"Predefined set of values" is Fast
"Custom directives" is empty

4) Try the test URI again: http://domain.com/test/php/test.php?foo=http://www.domain.com

5) Share the ModSecurity log file

6) Share the Apache error log files, at server level and at website level for the website where you would like to use ModSecurity:
/etc/httpd/logs/error_log
/var/www/vhosts/system/domain.tld/logs/error_log
 
Hi Alexey,

I did all of that.

1. Home>Tools & Settings>Web Application Firewall>Web application firewall mode = ON

2. Rule set: Atomic Basic ModSecurity

3. Predefined set of values: Fast (I tried Tradeoff and Thorough as well). Custom directives is empty.

4. After that I tested the URI: http://domain.com/test/php/test.php?foo=http://www.domain.com

5. I found this in the ModSecurity log file:

--bc01ba68-A--
[18/Oct/2014:21:57:32 --0600] VEM2rH8AAAEAAErDQIcAAAAH MY IP 49575 IP SERVER 80
--bc01ba68-B--
GET /test/php/test.php?foo=http://www.DOMAIN.COM HTTP/1.1
Host: www.DOMAIN.COM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

--bc01ba68-F--
HTTP/1.1 200 OK
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

--bc01ba68-H--
Apache-Handler: fcgid-script
Stopwatch: 1413691052666235 71311 (- - -)
Stopwatch2: 1413691052666235 71311; combined=22, p1=2, p2=2, p3=2, p4=3, p5=11, sr=0, sw=2, l=0, gc=0
WAF: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--bc01ba68-Z--

--b1e2f252-A--
[18/Oct/2014:21:57:34 --0600] VEM2rn8AAAEAAA@XwagAAAAe IP SERVER 53218 IP SERVER
--b1e2f252-B--
GET / HTTP/1.1
Host: 74.208.173.91

--b1e2f252-F--
HTTP/1.1 200 OK
Last-Modified: Thu, 13 Feb 2014 18:01:50 GMT
ETag: "20604-235-4f24d7bced5bf"
Accept-Ranges: bytes
Content-Length: 565
X-Powered-By: PleskLin
Connection: close
Content-Type: text/html

--b1e2f252-H--
Stopwatch: 1413691054425458 652 (- - -)
Stopwatch2: 1413691054425458 652; combined=23, p1=2, p2=2, p3=3, p4=2, p5=12, sr=0, sw=2, l=0, gc=0
WAF: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--b1e2f252-Z--

6. At server level it shows the log above, and at website level it shows the log below. The entry has nothing to do with the test, because it was generated a few seconds before. No new log entry appeared when I tried the URI: http://domain.com/test/php/test.php?foo=http://www.domain.com

[Sat Oct 18 22:12:36 2014] [warn] [client MY IP] mod_fcgid: stderr: PHP Warning: Creating default object from empty value in /var/www/vhosts/domain.com/folder/modules/mod_jw_srfr/helper.php on line 135
 
Paula1,
We will try to help you directly on your server, if that is acceptable.
Please send me your server IP and SSH access details via a private message.
 
Paula1,

It works now. As per our analysis, the facts from your server:

1. You had installed the ModSecurity rpm package from Atomic, not from Parallels:
# rpm -qf 00_mod_security.conf
mod_security-2.8.0-24.el6.art.x86_6

2. /etc/httpd/conf.d/00_mod_security.conf had been renamed to 00_mod_security.conf.rpmsave, so Apache did not load it as a module:
# apachectl -M | grep secu
(empty)

What we did:
1. We uninstalled mod_security-2.8.0-24.el6.art.x86_6 from Atomic
2. Then we installed the ModSecurity rpm from Plesk (mod_security-2.8.0-14061715.x86_64, using the Plesk autoinstaller)
3. Turned ModSecurity OFF and ON again in the Plesk admin UI

Technically, the Atomic ruleset updater could install RPM packages from Atomic.
However, we are not aware of similar cases for now.

Thanks for your cooperation!
 
I have a similar case; I enabled mod_security in report-only mode (and followed the Plesk guide: enabled Atomic rules, aum -u, disable/enable),
but it started dumping every request into /var/log/modsec_audit.log, and every request had something like:
Message: Audit log: Failed to lock global mutex: Permission denied

After some googling, I found that the serial nature of its logging was apparently causing the error.
I had to edit /etc/httpd//conf/plesk.conf.d/modsecurity.conf and put:
SecAuditLogType Concurrent

Unfortunately, after that the logging stopped altogether.
I tried chmod 777 on modsec_audit.log; it did not help.

I'm not sure if hackers have something better to do now, or if ModSecurity is not running.
I tried the http://www.kalfaoglu.net?foo=http://blah.com
trick, but that gave me my regular web site.
PS: I have "run as FTP user" and nginx on that server.

Update: I was able to get concurrent logging to work after specifying a work directory.
However, I still don't believe it works, since when I request www.kalfaoglu.net/etc/passwd
it still returns 404, not Forbidden.
 