How to Mod_security on plesk servers

[ACID25]

Hi

thx for your answer...i fixed it with reinstall according mod_security site

but i have a problem with german "umlaute" like ä,ö,ü....it looks like this

ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:data. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.XXX.de"] [uri "/cms/front_content.php?area=con_editcontent&idart=9&idcat=11&lang=1&action=20&contenido=a85ad70a809a5ac1dc08b455f70d7f72"] [unique_id "M@QWfdmrycYAAHi@DcAAAAAW"]

how can i allowed this?

THX and regards
ACID25

 

[Amin Taheri]

You either have to add the character to the regular expression or comment it out, or add an exlusion for the domain name for that one rule.

For example:

Create a file called vhost.conf in /var/www/vhosts/domain.com/conf containing the following

<Directory /var/www/vhosts/domain.com/httpdocs>
SecRuleRemoveByID 950107
</Directory>

Then run this in the SSH CLI

/usr/local/psa/admin/bin/websrvmng -u --vhost-name=domain.com
/sbin/service httpd restart

That should fix that for that one domain name, but it may be better to just add the umlatt to the allowed character list if you can.

 

[ACID25]

Hi


so it runs since one week on one of our servers. But somethings are not really working correctly for example

file upload in joomla doesn´t work (ponygallery)

webmail produce a lot of error messages...

So this rules produces the most trouble

950801
950922
950107
960014

So can anyone tell how i have to modify those rules that joomla and some other CMS systems works without any error messages. Maybe anyone have a working ruleset that works perfect with PELSK and there applications?

THX for help in advance & best regards
ACID25

 

[justchil]

Back from the dead!

Has anyone run into problems with RHEL5 Plesk 8.x (8.6)?

I've tried everything I know to do. phpinfo(); shows the modules needed are loaded but it doesn't log or work at all. I'm running out of options here and may have to look at using ASL.

 

[Amin Taheri]

asl is cheap enough that its too expensive not to have it

The beauty of asl is that you dont have to mess with the rules either, you tell their support about the rule false positives and they fix it for you, then put out an update.

All you have to do is asl -u once an hour and then gracefully or fully restart apache.

 

[justchil]

I'm going to make my work buy it LOL. It looks awesome... it just takes a few days to get somthing purchased. Anything that works with plesk is a blessing

I now have modsec working within 2 minutes of install. All I had to do was use version 1.9 instead of 2.5.x.

Cheers!

 

[KrazyBob]

None of this seems to work using Plesk 9.3 on Virtuozzo 3 running an ez-container OS of Centos 5.4.

 

[Theodor]

ModSecurity: Rule execution error - PCRE limits exceeded

Hello,

have anyone a ideea how to cange the PCRE limits?

ModSecurity: Rule execution error - PCRE limits exceeded


THX and regards

Theodor