
Resolved Issue installing modsecurity

Winnstorm

Basic Pleskian
Hello,
I'm facing an issue with modsecurity; actually, one website is facing a false positive for the Comodo WAF rules:
[file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"]
[file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/15_Outgoing_FilterASP.conf"] [line "14"] [id "214450"]

I've switched off or disabled almost anything related to the domain's WAF configuration and nothing happened. So I tried to swap the WAF from the default Comodo rule set to Atomic free, and the same issue is still happening in the log (after the change), but now the rules are not working. I also cannot revert back to Comodo, since when I change the WAF config I receive the following error:

Failed to install the ModSecurity rule set: modsecurity_ctl failed: ERROR:root:Error
Traceback (most recent call last):
  File "/usr/lib64/plesk-9.0/modsecurity_get_vendor_ruleset/modsecurity_get_vendor_ruleset.py", line 53, in main
  File "/usr/lib64/plesk-9.0/modsecurity_get_vendor_ruleset/modsecurity_get_vendor_ruleset.py", line 35, in get_vendor_ruleset
  File "/usr/lib64/plesk-9.0/modsecurity_get_vendor_ruleset/plesk_atomic.py", line 105, in download
    with closing(urllib2.urlopen(url, timeout=15)) as fin:
  File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 1258, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib64/python2.7/urllib2.py", line 1214, in do_open
    raise URLError(err)
URLErrorWrapper: Error interacting with https://waf.comodo.com/doc/meta_comodo_apache.yaml: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>
Unable to download comodo_free rule set

Any help will be appreciated :)

Thanks
best regards
 
Try to fix it with the following steps:
  1. Back up the /usr/lib/ssl/certs directory:
    # mv /usr/lib/ssl/certs{,.backup}
  2. Create a symlink in /usr/lib/ssl/certs pointing to /etc/ssl/certs/ directory:
    # ln -s /etc/ssl/certs /usr/lib/ssl/certs
 

Thanks for your answer!!

I tried the commands but it seems that the folder is nonexistent on my current CentOS installation:

mv: cannot stat ‘/usr/lib/ssl/certs’: No such file or directory

EDIT: Created the dir under /usr, but after creating the symlink the issue still persists; same error on the Plesk panel after changing to the Comodo WAF.
 
Another question, related to the Atomic basic set (the free option):

Under security tags it is blank (no object) to activate or deactivate. Is this correct??? Why can I only see these objects on Comodo??
 

This is an issue with the ROOT certificate of waf.comodo.com.

Common name: USERTrust RSA Certification Authority
Organization: The USERTRUST Network
Location: Jersey City, New Jersey, US
Valid from May 30, 2000 to May 30, 2020 !!!
Serial Number: 13ea28705bf4eced0c36630980614336
Signature Algorithm: sha384WithRSAEncryption
Issuer: AddTrust External CA Root
 
The expired Sectigo root certificate may need to be removed manually. Instructions are OS-specific; I managed to resolve the issue on CentOS 7 with the following instructions: Sectigo Root and Intermediate Certificate Expiry - May 2020 - Red Hat Customer Portal



  • Figure out the expired CA certificate with:

# trust list

  • Create a blacklist file (the filter part needs to be copied from the AddTrust External Root entry in the result above):

# trust dump --filter "pkcs11:id=%AD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1A;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit

  • Update the system trust store:

# update-ca-trust

  • Make sure that the CA is not listed anymore as trusted with:

# trust list
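
Added example, not part of the thread or of Plesk's code: the "figure out the expired CA certificate" step above, scripted with Python's ssl module against the trust store Python loads by default. The function names (name_of, expired_cas, system_cas, rdn) are chosen for this sketch, and the sample entries are constructed from the names and the 30 May 2020 date quoted in the thread.

```python
import ssl
import time

def name_of(rdns):
    """Best display name from the nested RDN tuples the ssl module returns."""
    flat = {key: value for rdn in rdns for key, value in rdn}
    return flat.get("commonName") or flat.get("organizationName", "")

def expired_cas(certs, now=None):
    """Return (subject, issuer, notAfter) for each expired CA, oldest first.

    certs: list of dicts in the format of ssl.SSLContext.get_ca_certs().
    """
    now = time.time() if now is None else now
    hits = []
    for cert in certs:
        expires = ssl.cert_time_to_seconds(cert["notAfter"])
        if expires < now:
            hits.append((expires, name_of(cert["subject"]),
                         name_of(cert["issuer"]), cert["notAfter"]))
    return [hit[1:] for hit in sorted(hits)]

def system_cas():
    """CA certificates loaded from the default trust store Python verifies against."""
    return ssl.create_default_context().get_ca_certs()

def rdn(**attrs):
    """Build a name in get_ca_certs() layout (helper for the constructed sample)."""
    return tuple(((key, value),) for key, value in attrs.items())

# Constructed sample: names and the 30 May 2020 date are from the thread,
# the time of day and the third entry are made up.
SAMPLE = [
    {"subject": rdn(commonName="USERTrust RSA Certification Authority"),
     "issuer": rdn(commonName="AddTrust External CA Root"),
     "notAfter": "May 30 10:48:38 2020 GMT"},
    {"subject": rdn(commonName="AddTrust External CA Root"),
     "issuer": rdn(commonName="AddTrust External CA Root"),
     "notAfter": "May 30 10:48:38 2020 GMT"},
    {"subject": rdn(organizationName="Example Trust Org"),
     "issuer": rdn(organizationName="Example Trust Org"),
     "notAfter": "Jan 18 23:59:59 2038 GMT"},
]
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  2 00:00:00 2020 GMT")

if __name__ == "__main__":
    for subject, issuer, not_after in expired_cas(system_cas()):
        print("EXPIRED %s (issuer: %s) notAfter=%s" % (subject, issuer, not_after))
```

Run before and after update-ca-trust to confirm the expired root is gone. get_ca_certs() lists only certificates that are already loaded, so entries from a capath directory do not appear until they have been used.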
 