
Issue Atomic's rules are no longer updated

ivanes82

Basic Pleskian
Server operating system version
Almalinux 8.10
Plesk version and microupdate number
Plesk Obsidian 18.0.67
Since the last Plesk update, the ModSecurity updates, at least for Atomic, have stopped working. They work neither from Plesk's daily cron job nor when forced with aum -uf.

Running aum -uf gives as a result:

[root@mail ~]# aum -uf

Atomic Updater

Analyzing system ... done

Checking for updates ...

Core packages : -> 6.0.59-32440 ...ok
Atomicorp WAF Rules : not enabled

Checking post install ownerships ...


Applying updates ...



All tasks complete.
 
@ivanes82 could you please confirm if you are using the standard or advanced Atomic ruleset? Also, what's the exact error you see?
I have the atomic advanced. I really don't see any errors. Just every night when the rules were updated I got a notification in plesk, notifying me of the rules update. That no longer appears.
As I found it strange not to have the update, I tried to force it manually with plesk daily -f UpdateModSecurityRuleSet and that didn't work either.
Finally I tried with aum -uf and that didn't work either. Before when I updated it told me which version I had and to which one I had updated if there was an update, and now it says Atomicorp WAF Rules : not enabled.
 
Thank you for the confirmation. Could you please navigate to Tools & Settings > Web Application Firewall (ModSecurity) > Settings and confirm if the "Username" and "Password" fields contain any value? Also, just to be certain, under "Update rule sets" please click on "Manage them on the notification page" and ensure the notification is in fact enabled. Lastly, please try running:

plesk daily UpdateModSecurityRuleSet
 
I have manually modified the files /var/awp/etc/config and /var/awp/etc/config.aum by setting MODSEC_ENABLED="yes" and it works correctly again if I run aum -uf. The rules are updated correctly, but if I run plesk daily UpdateModSecurityRuleSet the rules are not updated and the configuration files return to MODSEC_ENABLED="no", so updating modsecurity rules through plesk does not work.
 
I also noticed that I do not get any notifications for the daily updates of the Atomicorp ruleset since the last update, although all notifications are set to on. But I use the standard/free ruleset. For my system specifications see my signature.
 
Is there no news on this matter? We have had a month with Modsecurity broken in plesk. Something as important as security, I get the feeling that it is not given the attention it should be, and that can bring many problems.
 
Thank you for the report, @King555 I filed a report, and our engineers are currently reviewing if that's a bug or isolated issue on your servers.
 
Thank you both for your patience. This hasn't been recognized as a bug. Since the last update aum is no longer used for Atomic rulesets for ModSecurity. Could you please follow the instructions from this guide and ensure the corresponding ruleset entry is present in the panel.ini? If the issue continues afterward, please check /var/log/plesk/panel.log for any errors beginning with:

INFO [panel][] == Begin ModSecurity rule set update
 
Unfortunately it did not work.
I never had to put in before:
[modSecurity]
ruleSet.tortix = true
ruleSet.atomic = true
in panel.ini, and it always worked, I tried it anyway but it didn't work.

I have no error in plesk, and everything works perfectly until I run plesk daily UpdateModSecurityRuleSet.

The only bug I had was that updating modsecurity rules disabled selinux PPPM-14747.

Interestingly this has stopped happening since the last update, although in the patch notes there is no reference to it, but a new bug has appeared, rules are no longer updated from plesk at all.

When is the PPPM-14747 bug fix scheduled for? The support team told me for Plesk Obsidian 18.0.67, but in the patch notes it does not appear.
 
Does the guide also apply to Ubuntu 24? I ask because the guide's title says AlmaLinux (and others) and the original poster has this OS, but I don't.
 
@ivanes82 , you should only have ruleSet.atomic = true since you are using the Advanced ruleset. Regarding bug PPPM-14747, it was caused by the aum installer and since Plesk Obsidian 18.0.67 the update of the ruleset is performed without AUM the issue seems to be fixed indeed. I will double-check with our team in order to confirm that for sure.

@King555 as far as I am aware no additional configuration is needed for Ubuntu. Do you see any errors in the log, please?
 
@ivanes82 , you should only have ruleSet.atomic = true since you are using the Advanced ruleset. Regarding bug PPPM-14747, it was caused by the aum installer and since Plesk Obsidian 18.0.67 the update of the ruleset is performed without AUM the issue seems to be fixed indeed. I will double-check with our team in order to confirm that for sure.

@King555 as far as I am aware no additional configuration is needed for Ubuntu. Do you see any errors in the log, please?
Very strange, because updating the atomic rules from “aum” did not deactivate selinux, but doing it from plesk did.
Now activating the rules from aum updates the rules correctly, but doing it from plesk does not update the rules at all.
Are you sure nothing is broken in the last update?
 
Considering that our engineers are unable to replicate the described behavior on a test Almalinux 8.10 server I believe this could be specific to the local environment. They enabled the “Atomic Advanced (bought from Atomicorp) running on Apache (ModSecurity 2.9)” ruleset, removed a random rule, and then ran the daily task plesk daily UpdateModSecurityRuleSet to ensure the deleted rule is re-added successfully. The in-panel notification was also successfully triggered.

Could you please confirm how exactly you verify that there was no ruleset update?
 
Do you see any errors in the log, please?
I checked all log files I found and found nothing about any errors or information about updates of the ruleset. But I found out that under /etc/apache2/modsecurity.d/rules/tortix/modsec all files have been modified on the current day at 05:03 am. Does that mean the update works? Because then it's only the missing notification.
 
Considering that our engineers are unable to replicate the described behavior on a test Almalinux 8.10 server I believe this could be specific to the local environment. They enabled the “Atomic Advanced (bought from Atomicorp) running on Apache (ModSecurity 2.9)” ruleset, removed a random rule, and then ran the daily task plesk daily UpdateModSecurityRuleSet to ensure the deleted rule is re-added successfully. The in-panel notification was also successfully triggered.

Could you please confirm how exactly you verify that there was no ruleset update?
The only way I can know if the rules have been updated that I know of is through the notifications, and they no longer appear since the last update. Is there any other way to find out?

Another reference I can think of is when I used to run “plesk daily -UpdateModSecurityRuleSet” it took between 1 and 2 minutes to perform the task, and since the last update it takes about 5 seconds. Either the task has been optimized a lot, or the task is not running.
 
I see. If there's an update performed, the files under /etc/httpd/conf/modsecurity.d/rules/atomic are going to be modified (in case there's a missing ruleset update) and there is an in-panel notification as well. The vendor from which you purchased the license doesn't matter for the ruleset update. Regarding the missing notification, our engineers did not identify such an issue. If you have the option, opening a support ticket so our team can directly review the issue in your environment would be best.
 
My folder is not /etc/httpd/conf/modsecurity.d/rules/atomic, it is /etc/httpd/conf/modsecurity.d/rules/tortix
Is this correct? The /etc/httpd/conf/modsecurity.d/rules/atomic folder does not exist.
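
One way to answer the question raised in the thread (how to tell whether a rule set update happened when no notification arrives), as an added example that is not from any poster or from Plesk: it counts recently modified rule files and occurrences of the update marker in panel.log. The function names and the 26-hour window are assumptions; the log marker and the directory layout are the ones quoted above.

```shell
#!/usr/bin/env bash
# Added example: check whether a ModSecurity rule set was refreshed recently.
# Function names and the time window are assumptions, not Plesk tooling.

MARKER='Begin ModSecurity rule set update'   # log line quoted in the thread

# Count rule files under directory $1 modified within the last $2 hours.
fresh_rule_files() {
    local dir="$1" hours="$2"
    [ -d "$dir" ] || { echo 0; return 0; }   # missing directory counts as 0
    find "$dir" -type f -mmin "-$((hours * 60))" | wc -l | tr -d ' '
}

# Count update-start markers in log file $1 (0 if the log is unreadable).
update_runs_logged() {
    local log="$1"
    [ -r "$log" ] || { echo 0; return 0; }
    grep -cF -- "$MARKER" "$log" || true     # grep exits 1 on zero matches
}

# Combine both signals: rule directory $1, panel log $2, window in hours $3.
ruleset_status() {
    local files runs
    files=$(fresh_rule_files "$1" "$3")
    runs=$(update_runs_logged "$2")
    if [ "$files" -gt 0 ]; then
        echo "fresh: $files rule file(s) changed in the last $3 h"
    elif [ "$runs" -gt 0 ]; then
        echo "stale: update task appears in log, but no rule files changed"
    else
        echo "stale: no update logged and no rule files changed"
    fi
}

# Demo on constructed data (not real server files), so it runs offline.
demo() {
    local tmp; tmp=$(mktemp -d)
    mkdir -p "$tmp/rules/tortix/modsec"
    touch -t 202001010000 "$tmp/rules/tortix/modsec/old.conf"   # old rule file
    printf '%s\n' "INFO [panel][] == $MARKER" > "$tmp/panel.log"
    ruleset_status "$tmp/rules/tortix" "$tmp/panel.log" 26      # stale
    touch "$tmp/rules/tortix/modsec/new.conf"                   # simulated update
    ruleset_status "$tmp/rules/tortix" "$tmp/panel.log" 26      # fresh
    rm -rf "$tmp"
}
demo
```

On a real server, call `ruleset_status` with whichever rule directory exists on that host (the tortix or atomic directory named in the thread), /var/log/plesk/panel.log, and a window slightly longer than the daily task interval.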
 