• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Extension ModSecurity issues with matomo?

Azurel

Silver Pleskian
We have a team member that frequently will banned by "plesk-modsecurity" and maybe more visitors?

Fail2Ban Jails Management
  • plesk-modsecurity bans the IP addresses detected as harmful by the ModSecurity Web Application Firewall. ...... The ban lasts for 10 minutes.

How I find the reason why he is detected as "harmful"? I take a look in /var/log/modsec_audit.log but that very hard, because its 90MB and very slow. Its possible to make a logfile per day? ;)

Is this addon/rules incompatible with Matomo?
The "GET" is always (100%) a legal /matomo/piwik.php?download=https%3A%2F%2....... url created by matomo itself and show than this

Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "179"] [id "33340162"] [rev "294"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: URL detected as argument, possible RFI attempt detected"] [data "%TX:1,TX:1"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required.

Motomo is installed on host analytics.example.com and user surfing on www.example.de. What I can see is, that user coming from user panel (access only logged in) as referer.

Here a full example for this case
--a473ef48-A--
[01/Dec/2018:11:04:47 +0100] XAJcv@qA2Z4wjj2VQ2YJCgAAAAE xx.xx.xx.xx 58994 xx.xx.xx.xx 7081
--a473ef48-B--
GET /matomo/piwik.php?download=https%3A%2F%2Fcdn.example.de%2Fimages%2Fitem%2Fimage%2F2%2F2916%2Ffull%2F403344.jpg&idsite=1&rec=1&r=931005&h=11&m=4&s=46&url=https%3A%2F%2Fwww.example.de%2Fitem%2F2916&urlref=https%3A%2F%2Fwww.example.de%2Fusercp%2Fprofile&_id=eacff84d6fb77fbb&_idts=1531739314&_idvc=864&_idn=0&_refts=0&_viewts=1543653077&send_image=1&cookie=1&res=1920x1080&gt_ms=195&pv_id=fmfEhn HTTP/1.0
Host: analytics.example.com
X-Real-IP: xx.xx.xx.xx
X-Accel-Internal: /internal-nginx-static-location
Connection: close
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
accept: */*
accept-language: de,en-US;q=0.7,en;q=0.3
accept-encoding: gzip, deflate, br
referer: https://www.example.de/item/2916
dnt: 1

--a473ef48-F--
HTTP/1.1 403 Forbidden
Last-Modified: Sun, 13 Nov 2016 18:38:19 GMT
ETag: "3fe-5413306f3b248"
Accept-Ranges: bytes
Content-Length: 1022
Connection: close
Content-Type: text/html

--a473ef48-H--
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "179"] [id "33340162"] [rev "294"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: URL detected as argument, possible RFI attempt detected"] [data "%TX:1,TX:1"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1543658687423572 6125 (- - -)
Stopwatch2: 1543658687423572 6125; combined=3553, p1=2, p2=3549, p3=0, p4=0, p5=2, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (ModSecurity: Open Source Web Application Firewall 201811211523.
Server: Apache
Engine-Mode: "ENABLED"

--a473ef48-Z--

Why is he detected as "CRITICAL" and banned for 10min? Is it that?:
"URL detected as argument, possible RFI attempt detected".
But that must ban each visitor on this website. What can I do?

EDIT: I search on matomo side and found this article
How do I configure Piwik when mod_security (or CA SiteMinder) is enabled? - Analytics Platform - Matomo
Is it possible to whitelist a domain in modsecurity?

EDIT2: I found How to disable a single ModSecurity rule for a website?
Where I find the rule ID or tag in my case?
Is it this bold red number?
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "179"] [id "33340162"] [rev "294"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: URL detected as argument, possible RFI attempt detected"]

I think it is. I can find this id with Find and Disable Specific ModSecurity Rules | InMotion Hosting
 
Last edited:
This issue still exists 2 years later.

How I can use matomo without block page visitors?
 
You can simply exclude the rule "id" from Web Application Firewall. In this case as presented above it would be 33340162, but check your own logs, maybe it is a different rule id there.

This change needs a web server reload, so you might need to wait for n minutes until your web server reload interval expires and the exclusion takes effect.
 
Thanks! Yeah this time its was a Comodo rule to add "211120". After 2 years I forgot about this. I have make me a notice. ;=)

Message: Access denied with code 403 (phase 2). Match of "endsWith /modules/paypal/express_checkout/payment.php" against "REQUEST_FILENAME" required. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "29"] [id "211120"] [rev "11"] [msg "COMODO WAF: Remote File Inclusion Attack||analytics.example.com|F|2"] [data "Matched Data: https://www.example.de/folder/123456,text-text-text? found within REQUEST_FILENAME: /matomo/matomo.php"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]

I don't get it what here happen. This match make no sense.
 
Back
Top