ModSecurity Fails on Plesk 12.0.18 Update #71

[jola]

All of a sudden my ModSecurity in Plesk 12.0.18 Update #71 has stopped working. I am on a box running CentOS 7.1.

First I had some ModSecurity key rule set update error shown in Plesk. I found some document that recommended me to remove and reinstall ModSecurity, which I have done. Now when I try to enable ModSecurity Plesk gives me the following error message:

Error: modsecurity_ctl failed: /usr/local/psa//admin/sbin/httpd_modules_ctl: line 110: /etc/httpd/conf.d/00_mod_security.conf.rpmorig
/etc/httpd/conf.d/00_mod_security.conf.rpmsave
/etc/httpd/conf.d/security2.conf.new: No such file or directory
cat: /etc/httpd/conf.d/00_mod_security.conf.rpmorig
/etc/httpd/conf.d/00_mod_security.conf.rpmsave
/etc/httpd/conf.d/security2.conf: No such file or directory
mv: cannot stat '/etc/httpd/conf.d/00_mod_security.conf.rpmorig\n/etc/httpd/conf.d/00_mod_security.conf.rpmsave\n/etc/httpd/conf.d/security2.conf.new': No such file or directory
/usr/local/psa//admin/sbin/httpd_modules_ctl: line 110: /etc/httpd/conf.d/00_mod_security.conf.rpmorig
/etc/httpd/conf.d/00_mod_security.conf.rpmsave.new: No such file or directory
cat: /etc/httpd/conf.d/00_mod_security.conf.rpmorig
/etc/httpd/conf.d/00_mod_security.conf.rpmsave: No such file or directory
mv: cannot stat '/etc/httpd/conf.d/00_mod_security.conf.rpmorig\n/etc/httpd/conf.d/00_mod_security.conf.rpmsave.new': No such file or directory

Any help or suggestion you might have are appreciated.

 

[IgorG]

/etc/httpd/conf.d/security2.conf: No such file or directory

This file is a part of mod_security package:

# rpm -qf /etc/httpd/conf.d/security2.conf
mod_security-2.8.0-14061715.i386

Looks like your ModSecurity is damaged. I'd suggest you reinstall this component with autoinstaller.

 

[jola]

Thanks for your advice IgorG. I have tried to remove and reinstall ModSecurity using the plesk GUI (under Server / Tools & Settings / Updates & Upgrades / Add Remove Components / Web Hosting Features). However, the problem still remains.

I do have a file /etc/httpd/conf.d/security2.conf that contains this:

#LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
  SecDataDir /var/cache/modsecurity
  IncludeOptional "/etc/httpd/conf/modsecurity.d/*.conf"
</IfModule>

This is when ModSecurity is off (I assume that is why the first line is commented). When I try to turn it on I get the error message given in my first post.

 

[IgorG]

What is the output of command:

# ls -la /etc/httpd/conf.d/00_mod_security.conf*

 

[jola]

Here it is:

# ls -la /etc/httpd/conf.d/00_mod_security.conf*
-rw------- 1 root root 625 Dec  8 03:15 /etc/httpd/conf.d/00_mod_security.conf.rpmorig
-rw-r--r-- 1 root root 625 Dec  8 23:03 /etc/httpd/conf.d/00_mod_security.conf.rpmsave

 

[IgorG]

So, you haven't config file /etc/httpd/conf.d/00_mod_security.conf there.
Try to create it with

# mv /etc/httpd/conf.d/00_mod_security.conf.rpmorig /etc/httpd/conf.d/00_mod_security.conf

 

[jola]

Now the error when I try to enable ModSecurity changed to:

Error: [Wed Dec 09 09:59:16.560268 2015] [so:warn] [pid 16869] AH01574: module actions_module is already loaded, skipping
[Wed Dec 09 09:59:16.561903 2015] [so:warn] [pid 16869] AH01574: module headers_module is already loaded, skipping
[Wed Dec 09 09:59:16.562129 2015] [so:warn] [pid 16869] AH01574: module logio_module is already loaded, skipping
[Wed Dec 09 09:59:16.562980 2015] [so:warn] [pid 16869] AH01574: module suexec_module is already loaded, skipping
[Wed Dec 09 09:59:16.584801 2015] [so:warn] [pid 16869] AH01574: module unique_id_module is already loaded, skipping
httpd: Syntax error on line 357 of /etc/httpd/conf/httpd.conf: Syntax error on line 12 of /etc/httpd/conf.d/00_mod_security.conf: No matches for the wildcard '*asl*.conf' in '/etc/httpd/conf/modsecurity.d/rules/tortix/modsec', failing (use IncludeOptional if required)

 

[IgorG]

Try to edit mentioned in the error message config file /etc/httpd/conf.d/00_mod_security.conf Find and comment out line 12.

 

[jola]

If I comment out line 12 my /etc/httpd/conf.d/00_mod_security.conf file now looks like this:

# ASL mod_security Template: /var/asl/data/templates/template-00_mod_security.conf   

LoadModule security2_module /etc/httpd/modules//mod_security2.so
LoadModule unique_id_module /etc/httpd/modules//mod_unique_id.so

<IfModule mod_security2.c>
  # Basic configuration goes in here   
  Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/tortix_waf.conf

  # Rule management is handled by ASL   
  Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/00*exclude.conf
#  Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/*asl*.conf   
  Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/99*exclude.conf

</IfModule>

Now I am able to start ModSecurity using the plesk GUI.

Does the fact that I have commented out line 12 above mean that I am now running without some functionality in ModSecurity? If I understand this correctly I have disable the loading of ASL rule management... which kind of sounds bad.

How does this /etc/httpd/conf.d/00_mod_security.conf file look for those who have not had this problem running ModSecurity and who have not commented out line 12?

 

[jola]

I have investigated this some more and it seems as if I am missing a file /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf which I used to have and which contain a lot of rules. Any clues on where I can find the this file that is correct for my ModSecurity installation? Perhaps this is the file from Atomic that it updated daily?

 

[jola]

I have continued to investigate this. In my attempts to solve this I had tried to run "aum -u" to manually update the rule-sets. Doing this gives a bunch or errors which I will include below and it also removes the 50_plesk_basic_asl_rules.conf files.

# aum -u

sh: /sbin/ifconfig: No such file or directory
sh: /sbin/ifconfig: No such file or directory

Checking versions ...

  ASL version is current:  [PASS]
  Updating Web Application Firewall to 201512080958: updated  [PASS]
-------------------------------------------------------------------------------
Errors were encountered:

L CODE SOURCE  MESSAGE
- ---- ----------------------------- ------------------------------------------
2 2  c_modsec::apply_rules  An error occurred attempting to read file
  /var/asl/data/waf_groups
2 9901 ASLCommon::cmd_system  ERROR: '/usr/sbin/apachectl -t >/dev/null
  2>&1 (1)'
2 9901 ASLCommon::cmd_exec  ERROR: '(1) /usr/sbin/apachectl -t 2>&1 --
  [Wed Dec 09 12:29:34.945749 2015] [so:war
  n] [pid 15428] AH01574: module actions_mod
  ule is already loaded, skipping||[Wed Dec
  09 12:29:34.947325 2015] [so:warn] [pid 15
  428] AH01574: module headers_module is alr
  eady loaded, skipping||[Wed Dec 09 12:29:3
  4.947572 2015] [so:warn] [pid 15428] AH015
  74: module logio_module is already loaded,
  skipping||[Wed Dec 09 12:29:34.948327 201
  5] [so:warn] [pid 15428] AH01574: module s
  uexec_module is already loaded, skipping||
  [Wed Dec 09 12:29:34.968852 2015] [so:warn
  ] [pid 15428] AH01574: module unique_id_mo
  dule is already loaded, skipping||httpd: S
  yntax error on line 357 of /etc/httpd/conf
  /httpd.conf: Syntax error on line 12 of /e
  tc/httpd/conf.d/00_mod_security.conf: No m
  atches for the wildcard '*asl*.conf' in '/
  etc/httpd/conf/modsecurity.d/rules/tortix/
  modsec', failing (use IncludeOptional if r
  equired)'
2 601  c_modsec::apply_rules  There is a problem with the apache config:
  [Wed Dec 09 12:29:34.945749 2015] [so:war
  n] [pid 15428] AH01574: module actions_mod
  ule is already loaded, skipping; [Wed Dec
  09 12:29:34.947325 2015] [so:warn] [pid 15
  428] AH01574: module headers_module is alr
  eady loaded, skipping; [Wed Dec 09 12:29:3
  4.947572 2015] [so:warn] [pid 15428] AH015
  74: module logio_module is already loaded,
  skipping; [Wed Dec 09 12:29:34.948327 201
  5] [so:warn] [pid 15428] AH01574: module s
  uexec_module is already loaded, skipping;
  [Wed Dec 09 12:29:34.968852 2015] [so:warn
  ] [pid 15428] AH01574: module unique_id_mo
  dule is already loaded, skipping; httpd: S
  yntax error on line 357 of /etc/httpd/conf
  /httpd.conf: Syntax error on line 12 of /e
  tc/httpd/conf.d/00_mod_security.conf: No m
  atches for the wildcard '*asl*.conf' in '/
  etc/httpd/conf/modsecurity.d/rules/tortix/
  modsec', failing (use IncludeOptional if r
  equired)
2 601  c_modsec::apply_rules  There is a problem with the apache config:
  Rolling back to the previous update
2 9901 ASLCommon::cmd_system  ERROR: '/bin/cp -af /var/asl/tmp/waf_rules
  /* /etc/httpd/conf/modsecurity.d/rules/tor
  tix/modsec>/dev/null 2>&1 (1)'
3 600  c_modsec::apply_rules  Errors occurred with Apache

By restoring the 50_plesk_basic_asl_rules.conf I have been able to start ModSecurity without commenting out line 12 that loads this file.

Then Plesk looks as if ModSecurity is running well. However, if I try to disable ModSecurity by turning it off in the Plesk GUI I get the following error:

Error: modsecurity_ctl failed:

and ModSecurity in the Plesk GUI continues to look like it is running although I tried to turn it off.

Something is broken in my setup of Plesk / ModSecurity and removing and re-installing ModSecurity does not solve it :-(

 

[jola]

This morning the ModSecurity rule set update failed again, with the following error message shown in Plesk:

Error: Failed to update the ModSecurity rule set: modsecurity_ctl failed: gpg: key 4520AFA9: "Atomicorp (Atomicorp Official Signing Key) <[email protected]>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 gpg: Signature made Mon Dec 7 21:41:31 2015 CET using RSA key ID 4520AFA9 gpg: Good signature from "Atomicorp (Atomicorp Official Signing Key) <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1818 66DF 9DAC A40E 5B42 9B08 FFBD 5D0A 4520 AFA9 TERM environment variable not set. aum failed with exitcode 3. stdout: Checking versions ... ASL version is current: [75G[[1;31m[1;32mPASS[0m[0m] Updating Web Application Firewall to 201512080958: updated[75G[[1;31m[1;32mPASS[0m[0m] ------------------------------------------------------------------------------- Errors were encountered: L CODE SOURCE MESSAGE - ---- ----------------------------- ------------------------------------------ [0;33m2 2 c_modsec::apply_rules An error occurred attempting to read file /var/asl/data/waf_groups [0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/usr/sbin/apachectl -t >/dev/null 2>&1 (1)' [0m[0;33m2 9901 ASLCommon::cmd_exec ERROR: '(1) /usr/sbin/apachectl -t 2>&1 -- [Thu Dec 10 03:13:40.051460 2015] [so:war n] [pid 27516] AH01574: module actions_mod ule is already loaded, skipping||[Thu Dec 10 03:13:40.052993 2015] [so:warn] [pid 27 516] AH01574: module headers_module is alr eady loaded, skipping||[Thu Dec 10 03:13:4 0.053174 2015] [so:warn] [pid 27516] AH015 74: module logio_module is already loaded, skipping||[Thu Dec 10 03:13:40.053983 201 5] [so:warn] [pid 27516] AH01574: module s uexec_module is already loaded, skipping|| [Thu Dec 10 03:13:40.073810 2015] [so:warn ] [pid 27516] AH01574: module unique_id_mo dule is already loaded, skipping||httpd: S yntax error on line 357 of /etc/httpd/conf /httpd.conf: Syntax error on line 12 of /e tc/httpd/conf.d/00_mod_security.conf: No m atches for the wildcard '*asl*.conf' in '/ etc/httpd/conf/modsecurity.d/rules/tortix/ modsec', failing (use IncludeOptional if r equired)' [0m[0;33m2 601 c_modsec::apply_rules There is a problem with the apache config: [Thu Dec 10 03:13:40.051460 2015] [so:war n] [pid 27516] AH01574: module actions_mod ule is already loaded, skipping; [Thu Dec 10 03:13:40.052993 2015] [so:warn] [pid 27 516] AH01574: module headers_module is alr eady loaded, skipping; [Thu Dec 10 03:13:4 0.053174 2015] [so:warn] [pid 27516] AH015 74: module logio_module is already loaded, skipping; [Thu Dec 10 03:13:40.053983 201 5] [so:warn] [pid 27516] AH01574: module s uexec_module is already loaded, skipping; [Thu Dec 10 03:13:40.073810 2015] [so:warn ] [pid 27516] AH01574: module unique_id_mo dule is already loaded, skipping; httpd: S yntax error on line 357 of /etc/httpd/conf /httpd.conf: Syntax error on line 12 of /e tc/httpd/conf.d/00_mod_security.conf: No m atches for the wildcard '*asl*.conf' in '/ etc/httpd/conf/modsecurity.d/rules/tortix/ modsec', failing (use IncludeOptional if r equired) [0m[0;33m2 601 c_modsec::apply_rules There is a problem with the apache config: Rolling back to the previous update [0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/bin/cp -af /var/asl/tmp/waf_rules /* /etc/httpd/conf/modsecurity.d/rules/tor tix/modsec>/dev/null 2>&1 (1)' [0m[1;31m3 600 c_modsec::apply_rules Errors occurred with Apache [0m stderr: sh: /sbin/ifconfig: No such file or directory sh: /sbin/ifconfig: No such file or directory Unable to download tortix rule set

 

[Ricardo23]

Greetings , I have a similar problem . Does anyone know the solution?
This is the error message:

Error: Error al actualizar el conjunto de reglas de ModSecurity: modsecurity_ctl failed: gpg: key  "Atomicorp (Atomicorp Official Signing Key) <[email protected]>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.  ------------------------------------------------------------------------------- Errors were encountered: L CODE SOURCE MESSAGE - ---- ----------------------------- ------------------------------------------ [0;33m2 2 c_modsec::apply_rules An error occurred attempting to read file /var/asl/data/waf_groups [0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/usr/sbin/apachectl -t >/dev/null 2>&1 (1)' [0m[0;33m2 9901 ASLCommon::cmd_exec ERROR: '(1) /usr/sbin/apachectl -t 2>&1 -- [Thu Dec 10 03:52:31.380367 2015] [so:war n] [pid 8195] AH01574: module actions_modu le is already loaded, skipping||[Thu Dec 1 0 03:52:31.381444 2015] [so:warn] [pid 819 5] AH01574: module headers_module is alrea dy loaded, skipping||[Thu Dec 10 03:52:31. 381596 2015] [so:warn] [pid 8195] AH01574: module logio_module is already loaded, sk ipping||[Thu Dec 10 03:52:31.382120 2015] [so:warn] [pid 8195] AH01574: module suexe c_module is already loaded, skipping||[Thu Dec 10 03:52:31.398881 2015] [so:warn] [p id 8195] AH01574: module unique_id_module is already loaded, skipping||httpd: Syntax error on line 357 of /etc/httpd/conf/http d.conf: Syntax error on line 12 of /etc/ht tpd/conf.d/00_mod_security.conf: No matche s for the wildcard '*asl*.conf' in '/etc/h ttpd/conf/modsecurity.d/rules/tortix/modse c', failing (use IncludeOptional if requir ed)' [0m[0;33m2 601 c_modsec::apply_rules There is a problem with the apache config: [Thu Dec 10 03:52:31.380367 2015] [so:war n] [pid 8195] AH01574: module actions_modu le is already loaded, skipping; [Thu Dec 1 0 03:52:31.381444 2015] [so:warn] [pid 819 5] AH01574: module headers_module is alrea dy loaded, skipping; [Thu Dec 10 03:52:31. 381596 2015] [so:warn] [pid 8195] AH01574: module logio_module is already loaded, sk ipping; [Thu Dec 10 03:52:31.382120 2015] [so:warn] [pid 8195] AH01574: module suexe c_module is already loaded, skipping; [Thu Dec 10 03:52:31.398881 2015] [so:warn] [p id 8195] AH01574: module unique_id_module is already loaded, skipping; httpd: Syntax error on line 357 of /etc/httpd/conf/http d.conf: Syntax error on line 12 of /etc/ht tpd/conf.d/00_mod_security.conf: No matche s for the wildcard '*asl*.conf' in '/etc/h ttpd/conf/modsecurity.d/rules/tortix/modse c', failing (use IncludeOptional if requir ed) [0m[0;33m2 601 c_modsec::apply_rules There is a problem with the apache config: Rolling back to the previous update [0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/bin/cp -af /var/asl/tmp/waf_rules /* /etc/httpd/conf/modsecurity.d/rules/tor tix/modsec>/dev/null 2>&1 (1)' [0m[1;31m3 600 c_modsec::apply_rules Errors occurred with Apache [0m217.160.92.9 212.227.137.53 stderr: Unable to download tortix rule set

I've updated the package ca-certificates but does not run .

 

[jola]

I've been trying to fix this and now all of a sudden all of the sites on my server are unavailable even though I have removed ModSecurity .... *help please*

 

[jola]

Server online again, I needed to delete a left-over /etc/httpd/conf.d/00_mod_security.conf file that was still there although I had removed ModSecurity. This file prevented httpd to start and brought all of my sites down.

In my attempts to solve the ModSecurity Atomic Basic rule problems I tried to switch to OWASP. That worked well. However, now I am unable to switch back to Atomic Basic. When I try to do that I get the following error:

Failed to install the ModSecurity rule set: modsecurity_ctl failed: gpg: key 4520AFA9: "Atomicorp (Atomicorp Official Signing Key) <[email protected]>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 gpg: Signature made Mon Dec 7 21:41:31 2015 CET using RSA key ID 4520AFA9 gpg: Good signature from "Atomicorp (Atomicorp Official Signing Key) <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1818 66DF 9DAC A40E 5B42 9B08 FFBD 5D0A 4520 AFA9 TERM environment variable not set. aum failed with exitcode 3. stdout: Checking versions ... ASL version is current: [75G[[1;31m[1;32mPASS[0m[0m] Updating Web Application Firewall to 201512080958: updated[75G[[1;31m[1;32mPASS[0m[0m] ------------------------------------------------------------------------------- Errors were encountered: L CODE SOURCE MESSAGE - ---- ----------------------------- ------------------------------------------ [0;33m2 2 c_modsec::apply_rules An error occurred attempting to read file /var/asl/data/waf_groups [0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/usr/sbin/apachectl -t >/dev/null 2>&1 (1)' [0m[0;33m2 9901 ASLCommon::cmd_exec ERROR: '(1) /usr/sbin/apachectl -t 2>&1 -- [Fri Dec 11 02:17:48.672859 2015] [so:war n] [pid 12696] AH01574: module actions_mod ule is already loaded, skipping||[Fri Dec 11 02:17:48.674354 2015] [so:warn] [pid 12 696] AH01574: module headers_module is alr eady loaded, skipping||[Fri Dec 11 02:17:4 8.674540 2015] [so:warn] [pid 12696] AH015 74: module logio_module is already loaded, skipping||[Fri Dec 11 02:17:48.675282 201 5] [so:warn] [pid 12696] AH01574: module s uexec_module is already loaded, skipping|| [Fri Dec 11 02:17:48.693219 2015] [so:warn ] [pid 12696] AH01574: module unique_id_mo dule is already loaded, skipping||httpd: S yntax error on line 357 of /etc/httpd/conf /httpd.conf: Syntax error on line 12 of /e tc/httpd/conf.d/00_mod_security.conf: No m atches for the wildcard '*asl*.conf' in '/ etc/httpd/conf/modsecurity.d/rules/tortix/ modsec', failing (use IncludeOptional if r equired)' [0m[0;33m2 601 c_modsec::apply_rules There is a problem with the apache config: [Fri Dec 11 02:17:48.672859 2015] [so:war n] [pid 12696] AH01574: module actions_mod ule is already loaded, skipping; [Fri Dec 11 02:17:48.674354 2015] [so:warn] [pid 12 696] AH01574: module headers_module is alr eady loaded, skipping; [Fri Dec 11 02:17:4 8.674540 2015] [so:warn] [pid 12696] AH015 74: module logio_module is already loaded, skipping; [Fri Dec 11 02:17:48.675282 201 5] [so:warn] [pid 12696] AH01574: module s uexec_module is already loaded, skipping; [Fri Dec 11 02:17:48.693219 2015] [so:warn ] [pid 12696] AH01574: module unique_id_mo dule is already loaded, skipping; httpd: S yntax error on line 357 of /etc/httpd/conf /httpd.conf: Syntax error on line 12 of /e tc/httpd/conf.d/00_mod_security.conf: No m atches for the wildcard '*asl*.conf' in '/ etc/httpd/conf/modsecurity.d/rules/tortix/ modsec', failing (use IncludeOptional if r equired) [0m[0;33m2 601 c_modsec::apply_rules There is a problem with the apache config: Rolling back to the previous update [0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/bin/cp -af /var/asl/tmp/waf_rules /* /etc/httpd/conf/modsecurity.d/rules/tor tix/modsec>/dev/null 2>&1 (1)' [0m[1;31m3 600 c_modsec::apply_rules Errors occurred with Apache [0m stderr: sh: /sbin/ifconfig: No such file or directory sh: /sbin/ifconfig: No such file or directory Unable to download tortix rule set

 

[IgorG]

I can say only that at the moment we are working with Atomic for fixing this problem.

 

[jola]

I'm glad to hear that you are working on it. I have also created a support ticket with Odin. For everybody's information, here comes a summary of the problems I have had with ModSecurity and what I have tried to do to fix it:

1. The server was up and running fine with ModSecurity using the Atomic Basic rules with daily updates. I did not do anything on the server as far as I know.

2. Suddenly Plesk when I logged in showed me an error that the Atomic rule updates had failed: "Error: Failed to update the ModSecurity rule set: modsecurity_ctl failed: gpg: key 4520AFA9: "Atomicorp (Atomicorp Official Signing Key)..."

3. I started searching online for a possible solution. Things I have tried are:

a. Removed and reinstalled ModSecurity using the plesk GUI

b. Removed ModSecurity using "rpm --erase plesk-modsecurity-crs-12.0.18-14070712.x86_64 mod_security-2.8.0-14080716.x86_64 plesk-modsecurity-configurator-12.0.18-cos7.build1200150814.14.noarch" and then reinstalled it using the plesk GUI. Early I was able to get ModSecurity up and running again using Atomic Basic rules by manually restoring "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf" from a backup. However, in the morning plesk again showed me the error in point 2. that rule updates had failed due to a key error.

c. Tried to update rules manually using "aum -u"

d. Tried to remove and reinstall aum using "yum remove aum" and "yum --enablerepo=tortix-common install aum"

e. Tried to switch over to OWASP rules. That seemed to work. However, I was not able to switch back to Atomic Basic, but only got a Plesk error when I tried to switch back to Atomic Basic.

f. I have also tried to remove directories and files left from ModSecurity and aum after I had removed them to make the server "clean" before reinstalling ModSecutiry and aum. This did not help.

g. Now if I install ModSecurity it comes online with the OWASP rules, and if I try to switch to Atomic Basic rules I get a "Failed to install the ModSecurity rule set: modsecurity_ctl failed: gpg: key 4520AFA9: "Atomicorp (Atomicorp Official Signing Key)..." error. If I try to turn off ModSecurity (but still have it installed) I get an error "Error: modsecurity_ctl failed: grep: /etc/httpd/conf/modsecurity.d: Is a directory grep: /etc/httpd/conf/plesk.conf.d: Is a directory". Thereafter all sites become inaccessible and I need to remove ModSecurity, remove the /etc/httpd/conf.d/00_mod_security.conf file and restart httpd using "service httpd restart" to get the sites up and running again.

I will post here if my support ticket helps me to find a solution to this.

 

[ili101]

Hi guys
My first post
Wanted to let you know I opened a ticket yesterday and got a reply now and a new KB was created:
https://kb.odin.com/en/127737

 

[jola]

I also opened a ticket and got the same reply as you that I should follow https://kb.odin.com/en/127737.

However, doing exactly what is said in https://kb.odin.com/en/127737 did not work. First I installed ModSecurity again, since I had uninstalled it.

As before installing ModSecurity via the Plesk GUI works well and ModSecurity starts running with the OWASP (CRS) rules.

I then logged in via ssh and according to the instructions I tried to re-create the apache configuration files. This gave me the following error:

# /usr/local/psa/admin/bin/httpdmng --reconfigure-all
Error occured while sending feedback. HTTP code returned: 502
Execution failed.
Command: httpdmng
Arguments: Array
(
 [0] => --reconfigure-server
 [1] => -no-restart
)

Details: [2015-12-11 20:02:58] ERR [util_exec] proc_close() failed
Error occured while sending feedback. HTTP code returned: 502
[2015-12-11 20:03:00] ERR [util_exec] proc_close() failed
Error occured while sending feedback. HTTP code returned: 502
[2015-12-11 20:03:01] ERR [panel] Apache config (14498605780.52333700) generation failed: Template_Exception: [Fri Dec 11 20:02:58.908231 2015] [so:warn] [pid 24144] AH01574: module actions_module is already loaded, skipping
[Fri Dec 11 20:02:58.909820 2015] [so:warn] [pid 24144] AH01574: module headers_module is already loaded, skipping
[Fri Dec 11 20:02:58.910008 2015] [so:warn] [pid 24144] AH01574: module logio_module is already loaded, skipping
[Fri Dec 11 20:02:58.910809 2015] [so:warn] [pid 24144] AH01574: module suexec_module is already loaded, skipping
[Fri Dec 11 20:02:58.935390 2015] [so:warn] [pid 24144] AH01574: module unique_id_module is already loaded, skipping
httpd: Syntax error on line 357 of /etc/httpd/conf/httpd.conf: Syntax error on line 13 of /etc/httpd/conf.d/00_mod_security.conf: No matches for the wildcard '00*exclude.conf' in '/etc/httpd/modsecurity.d', failing (use IncludeOptional if required)

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0
Error occured while sending feedback. HTTP code returned: 502
[Fri Dec 11 20:02:58.908231 2015] [so:warn] [pid 24144] AH01574: module actions_module is already loaded, skipping
[Fri Dec 11 20:02:58.909820 2015] [so:warn] [pid 24144] AH01574: module headers_module is already loaded, skipping
[Fri Dec 11 20:02:58.910008 2015] [so:warn] [pid 24144] AH01574: module logio_module is already loaded, skipping
[Fri Dec 11 20:02:58.910809 2015] [so:warn] [pid 24144] AH01574: module suexec_module is already loaded, skipping
[Fri Dec 11 20:02:58.935390 2015] [so:warn] [pid 24144] AH01574: module unique_id_module is already loaded, skipping
httpd: Syntax error on line 357 of /etc/httpd/conf/httpd.conf: Syntax error on line 13 of /etc/httpd/conf.d/00_mod_security.conf: No matches for the wildcard '00*exclude.conf' in '/etc/httpd/modsecurity.d', failing (use IncludeOptional if required)

The error messdage I get when running "aum -u" is not exactly what the instructions show. I get the following error message:

# aum -u
sh: /sbin/ifconfig: No such file or directory
sh: /sbin/ifconfig: No such file or directory
Checking versions ...
 Updating asl components
 (this may take several minutes)
 Updating ASL Core: successful  [PASS]
df: â/etc/httpd/conf/modsecurity.d/rules/tortix/modsecâ: No such file or directory
 Updating Web Application Firewall to 201512111346: updated  [PASS]
df: â/etc/httpd/conf/modsecurity.d/rules/tortix/modsecâ: No such file or directory
df: â/etc/httpd/conf/modsecurity.d/rules/tortix/modsecâ: No such file or directory
-------------------------------------------------------------------------------
Errors were encountered:
L CODE SOURCE  MESSAGE
- ---- ----------------------------- ------------------------------------------
2 23  c_modsec::tortix_conf_generat Low space detected writing to tortix_waf.c
 onf - 0 / 
2 1  c_modsec::tortix_conf_generat An error occurred attempting to open file 
 /etc/httpd/conf/modsecurity.d/rules/tortix
 /modsec/tortix_waf.conf
2 48  ASLRBC  Reverting all changes
2 48  ASLRBC::rollback_file  No valid previous version found for /etc/h
 ttpd/conf/modsecurity.d/rules/tortix/modse
 c/tortix_waf.conf
2 23  c_modsec::apply_rules  Low space detected writing to 50_plesk_bas
 ic_asl_rules.conf - 0 / 
2 1  c_modsec::apply_rules  An error occurred attempting to open file 
 /etc/httpd/conf/modsecurity.d/rules/tortix
 /modsec/50_plesk_basic_asl_rules.conf
2 48  ASLRBC  Reverting all changes
2 48  ASLRBC::rollback_file  No valid previous version found for /etc/h
 ttpd/conf/modsecurity.d/rules/tortix/modse
 c/tortix_waf.conf
2 48  ASLRBC::rollback_file  No valid previous version found for /etc/h
 ttpd/conf/modsecurity.d/rules/tortix/modse
 c/50_plesk_basic_asl_rules.conf
2 23  c_modsec::apply_rules  Low space detected writing to sql.txt - 0 
 / 
2 1  c_modsec::apply_rules  An error occurred attempting to open file 
 /etc/httpd/conf/modsecurity.d/rules/tortix
 /modsec/sql.txt
2 48  ASLRBC  Reverting all changes
2 48  ASLRBC::rollback_file  No valid previous version found for /etc/h
 ttpd/conf/modsecurity.d/rules/tortix/modse
 c/tortix_waf.conf
2 48  ASLRBC::rollback_file  No valid previous version found for /etc/h
 ttpd/conf/modsecurity.d/rules/tortix/modse
 c/50_plesk_basic_asl_rules.conf
2 48  ASLRBC::rollback_file  No valid previous version found for /etc/h
 ttpd/conf/modsecurity.d/rules/tortix/modse
 c/sql.txt
2 18  c_modsec::apply_rules  Failed to copy file /var/asl/rules/modsec/
 sql.txt -> /etc/httpd/conf/modsecurity.d/r
 ules/tortix/modsec/sql.txt
3 19  c_modsec::apply_rules  Failed to create directory /var/asl/tmp/wa
 f_rules

I then tried something slightly different from the instructions. Instead of running "/usr/local/psa/admin/bin/httpdmng --reconfigure-all" with ModSecurity installed but running OWASP (CRS) rules I uninstalled ModSecurity using the plesk GUI and then I ran "/usr/local/psa/admin/bin/httpdmng --reconfigure-all". This worked without errors. Then I installed ModSecurity again with the Plesk GUI and also this worked. As before ModSecurity starts running with the OWASP (CRS) rules (I had switched to those rules before in my attempts to get the Atomic Basic rules to work). Then I ran "/usr/local/psa/admin/bin/httpdmng --reconfigure-all" again, also this time without errors. After that I switched to Atomic Basic rules in the Plesk GUI and now it worked without errors!!! As the server looks now I have hope that the problems have been solved and I hope that the server will continue to work and that the Atomic Basic rules will updated daily, as set. I had got ModSecurity with Atomic Basic rules up and running before, but then it failed with a key error the next day when it tried to update the Atomic Basic rules. I will report back tomorrow to tell you if updates of Atomic Basic rules now works.

 

[jola]

I'm glad to report that the automatic updates of the Atomic Basic rules seems to have worked well tonight . I can now declare my server free of ModSecurity problems for this time. I got very good support from Odin on this. Their response to my ticket was quick, and although the solution given was not 100% accurate for my problem it lead me to the right track. After the problem had been solved they called me up to confirm that everything was now okay .