Error with ASL mod_security basic (Atomic Basic ModSecurity)

[Oto Tortorella]

This morning the update of ASL basic rules failed, I get an error message in the Home screen of plesk.
I uninstalled mod_security using the graphical installer and then reinstalled it.

Now I get an error when enabling Atomic Basic ModSecurity, I don't get any error when enabling OWASP ModSecurity. Here is my error message when enabling Atomic Basic ModSecurity rules:

Errore nell'installazione del set di regole di ModSecurity: modsecurity_ctl failed: gpg: key 4520AFA9: "Atomicorp (Atomicorp Official Signing Key) <[email protected]>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 gpg: Signature made Mon Dec 7 21:41:31 2015 CET using RSA key ID 4520AFA9 gpg: Good signature from "Atomicorp (Atomicorp Official Signing Key) <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1818 66DF 9DAC A40E 5B42 9B08 FFBD 5D0A 4520 AFA9 TERM environment variable not set. aum failed with exitcode 3. stdout: Checking versions ... ASL version is current: [75G[[1;31m[1;32mPASS[0m[0m] Updating Web Application Firewall to 201512071312: updated[75G[[1;31m[1;32mPASS[0m[0m] ------------------------------------------------------------------------------- Errors were encountered: L CODE SOURCE MESSAGE - ---- ----------------------------- ------------------------------------------ [0;33m2 2 c_modsec::apply_rules An error occurred attempting to read file /var/asl/data/waf_groups [0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/usr/sbin/apachectl -t >/dev/null 2>&1 (1)' [0m[0;33m2 9901 ASLCommon::cmd_exec ERROR: '(1) /usr/sbin/apachectl -t 2>&1 -- [Tue Dec 08 11:59:57.141784 2015] [so:war n] [pid 9688:tid 140403470714944] AH01574: module unique_id_module is already loaded , skipping||httpd: Syntax error on line 37 8 of /etc/httpd/conf/httpd.conf: Syntax er ror on line 12 of /etc/httpd/conf.d/00_mod _security.conf: No matches for the wildcar d '*asl*.conf' in '/etc/httpd/conf/modsecu rity.d/rules/tortix/modsec', failing (use IncludeOptional if required)' [0m[0;33m2 601 c_modsec::apply_rules There is a problem with the apache config: [Tue Dec 08 11:59:57.141784 2015] [so:war n] [pid 9688:tid 140403470714944] AH01574: module unique_id_module is already loaded , skipping; httpd: Syntax error on line 37 8 of /etc/httpd/conf/httpd.conf: Syntax er ror on line 12 of /etc/httpd/conf.d/00_mod _security.conf: No matches for the wildcar d '*asl*.conf' in '/etc/httpd/conf/modsecu rity.d/rules/tortix/modsec', failing (use IncludeOptional if required) [0m[0;33m2 601 c_modsec::apply_rules There is a problem with the apache config: Rolling back to the previous update [0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/bin/cp -af /var/asl/tmp/waf_rules /* /etc/httpd/conf/modsecurity.d/rules/tor tix/modsec>/dev/null 2>&1 (1)' [0m[1;31m3 600 c_modsec::apply_rules Errors occurred with Apache [0m5.135.236.36 stderr: Unable to download tortix rule set

When using 'aum -u' on the CLI i get:

Checking versions ...

Updating asl components
(this may take several minutes)
Updating ASL Core: successful [PASS]
Updating Web Application Firewall to 201512071312: updated [PASS]
-------------------------------------------------------------------------------
Errors were encountered:

L CODE SOURCE MESSAGE
- ---- ----------------------------- ------------------------------------------
2 2 c_modsec::apply_rules An error occurred attempting to read file
/var/asl/data/waf_groups
2 9901 ASLCommon::cmd_system ERROR: '/usr/sbin/apachectl -t >/dev/null
2>&1 (1)'
2 9901 ASLCommon::cmd_exec ERROR: '(1) /usr/sbin/apachectl -t 2>&1 --
[Tue Dec 08 13:10:46.964887 2015] [so:war
n] [pid 31916:tid 140019657013312] AH01574
: module unique_id_module is already loade
d, skipping||httpd: Syntax error on line 3
78 of /etc/httpd/conf/httpd.conf: Syntax e
rror on line 12 of /etc/httpd/conf.d/00_mo
d_security.conf: No matches for the wildca
rd '*asl*.conf' in '/etc/httpd/conf/modsec
urity.d/rules/tortix/modsec', failing (use
IncludeOptional if required)'
2 601 c_modsec::apply_rules There is a problem with the apache config:
[Tue Dec 08 13:10:46.964887 2015] [so:war
n] [pid 31916:tid 140019657013312] AH01574
: module unique_id_module is already loade
d, skipping; httpd: Syntax error on line 3
78 of /etc/httpd/conf/httpd.conf: Syntax e
rror on line 12 of /etc/httpd/conf.d/00_mo
d_security.conf: No matches for the wildca
rd '*asl*.conf' in '/etc/httpd/conf/modsec
urity.d/rules/tortix/modsec', failing (use
IncludeOptional if required)
2 601 c_modsec::apply_rules There is a problem with the apache config:
Rolling back to the previous update
2 9901 ASLCommon::cmd_system ERROR: '/bin/cp -af /var/asl/tmp/waf_rules
/* /etc/httpd/conf/modsecurity.d/rules/tor
tix/modsec>/dev/null 2>&1 (1)'
3 600 c_modsec::apply_rules Errors occurred with Apache

Currently there is no file in /etc/httpd/conf/modsecu rity.d/rules/tortix/modsec that maches '*asl*.conf'

I cannot understand if it is an update problem tied to a wrong key or something else.
The key in /etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt seems correct and maches the one on https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt

Please advise if you have any idea.

Regards
Oto Tortorella teletype.it

 

[Oto Tortorella]

Some addendum...

The problem leaves Apache in a wrongly configured state, I cannot see enabled modules when configuring apache in the gui.
When I use the extension "Webserver Configurations Troubleshooter" to recreate the configuratiuon files I get this other error:

Errore: Impossibile riconfigurare le configurazioni del server web: Unable to execute httpdmng: Execution failed.
Command: httpdmng
Arguments: Array
(
[0] => --reconfigure-server
[1] => -no-restart
)

Details: [2015-12-08 13:16:45] ERR [util_exec] proc_close() failed ['/usr/local/psa/admin/bin/apache-config' '-t'] with exit code [1]
[2015-12-08 13:16:45] ERR [util_exec] proc_close() failed ['/usr/local/psa/admin/bin/apache-config' '-t'] with exit code [1]
[2015-12-08 13:16:45] ERR [panel] Apache config (14495770050.15817400) generation failed: Template_Exception: [Tue Dec 08 13:16:45.378329 2015] [so:warn] [pid 4477:tid 139790418565184] AH01574: module unique_id_module is already loaded, skipping
httpd: Syntax error on line 378 of /etc/httpd/conf/httpd.conf: Syntax error on line 12 of /etc/httpd/conf.d/00_mod_security.conf: No matches for the wildcard '*asl*.conf' in '/etc/httpd/conf/modsecurity.d/rules/tortix/modsec', failing (use IncludeOptional if required)

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0
[Tue Dec 08 13:16:45.378329 2015] [so:warn] [pid 4477:tid 139790418565184] AH01574: module unique_id_module is already loaded, skipping
httpd: Syntax error on line 378 of /etc/httpd/conf/httpd.conf: Syntax error on line 12 of /etc/httpd/conf.d/00_mod_security.conf: No matches for the wildcard '*asl*.conf' in '/etc/httpd/conf/modsecurity.d/rules/tortix/modsec', failing (use IncludeOptional if required)


Errore: I nuovi file di configurazione per il server web Apache non sono stati creati a causa di errori nei modelli di configurazione: [Tue Dec 08 13:16:45.378329 2015] [so:warn] [pid 4477:tid 139790418565184] AH01574: module unique_id_module is already loaded, skipping httpd: Syntax error on line 378 of /etc/httpd/conf/httpd.conf: Syntax error on line 12 of /etc/httpd/conf.d/00_mod_security.conf: No matches for the wildcard '*asl*.conf' in '/etc/httpd/conf/modsecurity.d/rules/tortix/modsec', failing (use IncludeOptional if required). Cerca in KB

In order to successful recreate configuration file using the "Webserver Configurations Troubleshooter" I have to change:
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/*asl*.conf
in
IncludeOptional /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/*asl*.conf
'cause no file match the Include directive.

Any suggestion

 

[Oto Tortorella]

Last update.
I'm on:
Plesk 12.5 latest update
CentOS Linux release 7.1.1503 (Core) (minimal)
Linux 3.10.0-229.20.1.el7.x86_64 #1 SMP Tue Nov 3 19:10:07 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

 

[Chris1]

I had the same problem today, it brought Apache down and websites were not loading. I couldn't start Apache manually either.

I disabled mod security, I was then able to start Apache, then I turned mod security back on. Not a good way to start the morning.

 

[jola]

I also have a similar problem. I am on Plesk 12.0.18 Update #71 running on an updated CentOS 7.1 KVM based virtual machine. First Plesk all of a sudden gave me an error when it failed to update the rules from Atomic due to a key error. To fix this I tried to remove and reinstall ModSecurity. After that I had the same problem as you that I was not able to activate ModSecurity due to the missing /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/*asl*.conf files. If I comment out the loading of these files (line 12 in /etc/httpd/conf.d/00_mod_security.conf) I am able to start ModSecurity. But I suspect that this means I am running ModSecurity without any rules, which seems a bit stupid. I can see in my backups that I used to have a large file with rules here: /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf This file is now gone. Anyone know where I can find the latest version of this file? Is this perhaps the file that should be updated daily/weekly/monthly from Atomic?

 

[Thomas Poisl]

I was also facing a stopped SMTP and all websites showing a 502 bad gateway message this morning.

It boiled also down, that apache could not start because of duplicate IDs errors in this file: /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf

I deactivated the WAF and uninstalled mod_security and reinstalled it again, which seems to work.

Only change on the server is the recent 12.5 MU14 and a php7 installation, I hope there is no relation to that. I'm also in Centos 7.1.

 

[jola]

Glad to hear that you got your server up and running again. I have also got my server up and running with ModSecurity, you can find the details in the thread linked below. However, if I try to turn off ModSecurity Plesk gives me an error, so something is still not 100% okay.

More info in this thread: http://talk.plesk.com/threads/modsecurity-fails-on-plesk-12-0-18-update-71.336166/

 

[Thomas Poisl]

Maybe upgrading to 12.5.30 MU#14 could solve this problem.

 

[jola]

Yea I thought about that also, but then decided not to, upgrading when you have problems is only like asking for more trouble.

 

[Chris1]

Maybe upgrading to 12.5.30 MU#14 could solve this problem.

The two servers that I'm experiencing this problem on are already on on MU #14.

My case is slightly different though. I have the file 50_plesk_basic_asl_rules.conf in the directory /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/ so the wildcard '*asl*.conf' should not be a problem.

Part of my error message states:

Syntax error on line 12 of /etc/httpd/conf.d/00_mod_security.conf: No matches for the wildcard '*asl*.conf' in '/etc/httpd/conf/modsecurity.d/rules/tortix/modsec', failing (use IncludeOptional if required)

...however, this is what my /etc/httpd/conf.d/00_mod_security.conf file looks like:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

Could someone from the Plesk development team look at this asap please? ModSecurity updates have to be turned off to prevent Apache crashing every time the ModSecurity update fails.

 

[Oto Tortorella]

In my opinion the problem is in the ASL update process.
It is not able to update the rules and deletes the file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf" leaving apache in a unfunctional state.

I believe this is the key:
c_modsec::apply_rules There is a problem with the apache config: Rolling back to the previous update [0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/bin/cp -af /var/asl/tmp/waf_rules/* /etc/httpd/conf/modsecurity.d/rules/tor tix/modsec>/dev/null 2>&1 (1)'

After a failing update the procedure tries to go back copying the old rules, but this fails.
/var/asl/tmp/waf_rules/ is always empty.

 

[jola]

I agree that it is the update process that breaks things. The question is why is the update failing?! I had got my server up-and-running again with ModSecurity active by restoring the 50_plesk_basic_asl_rules.conf file from a backup. But then when the update failed a few hours later the 50_plesk_basic_asl_rules.conf file is gone again and the problems are back. More info in this thread:

http://talk.plesk.com/threads/modsecurity-fails-on-plesk-12-0-18-update-71.336166/

 

[danami]

I'm seeing the same issue:

# plesk version
Product version: 12.5.30 Update #14
Update date: 2015/12/08 10:43
Build date: 2015/11/27 16:00
OS version: CentOS 7.1.1503
Revision: 344620
Architecture: 64-bit
Wrapper version: 1.2

 

[TheGamersVault]

Just brought my entire site offline, and nothing is working.

Removed mod-security, rebuilt configs and just errors with everything.

When is this getting fixed because downtime is money! Enough to drive me to using cPanel in the future, Plesk has been nothing but problems since day 1.

 

[Chris1]

I sent a Twitter message to the Plesk Developers, they are looking into this problem for us.

 

[IgorG]

I can say only that at the moment we are working with Atomic for fixing this problem.

 

[Thomas Poisl]

I got the same problem again today:

Fehler: Der ModSecurity-Regelsatz konnte nicht aktualisiert werden: modsecurity_ctl failed: gpg: key 4520AFA9: "Atomicorp (Atomicorp Official Signing Key) <[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: Signature made Mon Dec 7 21:41:31 2015 CET using RSA key ID 4520AFA9
gpg: Good signature from "Atomicorp (Atomicorp Official Signing Key) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1818 66DF 9DAC A40E 5B42 9B08 FFBD 5D0A 4520 AFA9
TERM environment variable not set.
aum failed with exitcode 3.
stdout: 



Checking versions ... 

ASL version is current: [75G[[1;31m[1;32mPASS[0m[0m]
Updating Web Application Firewall to 201512080958: updated[75G[[1;31m[1;32mPASS[0m[0m]
-------------------------------------------------------------------------------
Errors were encountered:

L CODE SOURCE MESSAGE
- ---- ----------------------------- ------------------------------------------
[0;33m2 2 c_modsec::apply_rules An error occurred attempting to read file 
/var/asl/data/waf_groups
[0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/usr/sbin/apachectl -t >/dev/null 
2>&1 (1)'
[0m[0;33m2 9901 ASLCommon::cmd_exec ERROR: '(1) /usr/sbin/apachectl -t 2>&1 --
[Fri Dec 11 09:55:52.672009 2015] [so:war
n] [pid 12688] AH01574: module actions_mod
ule is already loaded, skipping||[Fri Dec 
11 09:55:52.674352 2015] [so:warn] [pid 12
688] AH01574: module headers_module is alr
eady loaded, skipping||[Fri Dec 11 09:55:5
2.674634 2015] [so:warn] [pid 12688] AH015
74: module logio_module is already loaded,
skipping||[Fri Dec 11 09:55:52.676327 201
5] [so:warn] [pid 12688] AH01574: module s
uexec_module is already loaded, skipping||
[Fri Dec 11 09:55:52.704630 2015] [so:warn
] [pid 12688] AH01574: module unique_id_mo
dule is already loaded, skipping||httpd: S
yntax error on line 357 of /etc/httpd/conf
/httpd.conf: Syntax error on line 12 of /e
tc/httpd/conf.d/00_mod_security.conf: No m
atches for the wildcard '*asl*.conf' in '/
etc/httpd/conf/modsecurity.d/rules/tortix/
modsec', failing (use IncludeOptional if r
equired)'
[0m[0;33m2 601 c_modsec::apply_rules There is a problem with the apache config:
[Fri Dec 11 09:55:52.672009 2015] [so:war
n] [pid 12688] AH01574: module actions_mod
ule is already loaded, skipping; [Fri Dec 
11 09:55:52.674352 2015] [so:warn] [pid 12
688] AH01574: module headers_module is alr
eady loaded, skipping; [Fri Dec 11 09:55:5
2.674634 2015] [so:warn] [pid 12688] AH015
74: module logio_module is already loaded,
skipping; [Fri Dec 11 09:55:52.676327 201
5] [so:warn] [pid 12688] AH01574: module s
uexec_module is already loaded, skipping; 
[Fri Dec 11 09:55:52.704630 2015] [so:warn
] [pid 12688] AH01574: module unique_id_mo
dule is already loaded, skipping; httpd: S
yntax error on line 357 of /etc/httpd/conf
/httpd.conf: Syntax error on line 12 of /e
tc/httpd/conf.d/00_mod_security.conf: No m
atches for the wildcard '*asl*.conf' in '/
etc/httpd/conf/modsecurity.d/rules/tortix/
modsec', failing (use IncludeOptional if r
equired)
[0m[0;33m2 601 c_modsec::apply_rules There is a problem with the apache config:
Rolling back to the previous update
[0m[0;33m2 9901 ASLCommon::cmd_system ERROR: '/bin/cp -af /var/asl/tmp/waf_rules
/* /etc/httpd/conf/modsecurity.d/rules/tor
tix/modsec>/dev/null 2>&1 (1)'
[0m[1;31m3 600 c_modsec::apply_rules Errors occurred with Apache
[0m

stderr: sh: /sbin/ifconfig: No such file or directory
sh: /sbin/ifconfig: No such file or directory

Unable to download tortix rule set

I disabled the WAF again until this issue is fixed.

 

[dash]

Hello,

It seems that the issue is now completely resolved by Atomicorp!

1. Update Atomic ruleset from console with command (as user root):
#/usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php UpdateModSecurityRuleSet
or
#aum -u

2. In Plesk switch modsecurity ruleset from Atomic to another provider and then back to Atomic.

Please check KB article for details: https://kb.odin.com/en/127737

 

[Oto Tortorella]

I confirm, thank you.

 

[Hellokevin111]

2. In Plesk switch modsecurity ruleset from Atomic to another provider and then back to Atomic.

How would I do this?