
Resolved Issue with AtomicCorp rules updates.

micfrip

New Pleskian
Hi,

Both web interface and command line failed to download the updated rules.

Here is the output:

Code:
[root@myServer1 ~]# /usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php UpdateModSecurityRuleSet
[2016-11-28 10:47:00] ERR [util_exec] proc_close() failed ['/usr/local/psa/admin/bin/modsecurity_ctl' '--install' '--with-backup' '--ruleset' 'atomic'] with exit code [1]
Error occured while sending feedback. HTTP code returned: 502
[2016-11-28 10:47:01] ERR [panel] modsecurity_ctl failed: gpg: key 4520AFA9: "Atomicorp (Atomicorp Official Signing Key) <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: Signature made Mon Sep 12 17:56:54 2016 CEST using RSA key ID 4520AFA9
gpg: Good signature from "Atomicorp (Atomicorp Official Signing Key) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1818 66DF 9DAC A40E 5B42  9B08 FFBD 5D0A 4520 AFA9
TERM environment variable not set.
aum failed with exitcode 3.
stdout:



Checking versions ...

        ASL version is current:                                           [PASS]
        Updating Web Application Firewall to 201611221017: updated        [PASS]
-------------------------------------------------------------------------------
Errors were encountered:

L CODE SOURCE                        MESSAGE
- ---- ----------------------------- ------------------------------------------
2 9901 ASLCommon::cmd_system         ERROR: '/bin/cp -af /var/asl/rules/modsec/
                                     template-* /var/asl/data/templates/ >/dev/
                                     null 2>&1 (1)'
3 18   c_modsec::apply_rules         Failed to copy file /var/asl/rules/modsec/
                                     waf_classes -> /var/asl/data/waf_classes



stderr:
Unable to download atomic rule set

Could you please help?
 
Hi micfrip,

you could try to solve the issue with the following commands over the ssh - command line ( logged in as user "root" ):

Code:
/var/asl/bin/aum -uf
yum upgrade mod_security tortix-waf
/var/asl/bin/asl -s -f
On Debian/Ubuntu based systems, the package would be upgraded with the command "apt-get install --only-upgrade aum"


If you experience issues with these commands, pls. consider to check the file "/etc/asl/config" to ensure that UPDATE_TYPE is set to "all".

If you experience the issue, that there is no "config" - file on Debian/Ubuntu - based systems, which you could edit, pls. consider to use "cp -p /etc/asl/config.dpkg-dist /etc/asl/config", followed by the command "/var/asl/bin/aum -c". But ( ! ), pls. be informed, that the sample configuration is a STANDARD configuration file, with no unique settings, so the copy of the configuration file is only recommended for experienced Linux administrators, who are able to solve ( possible ) issues with a standard configuration file for WAF. If you are an inexperienced user, pls. consider to WAIT for an update/upgrade/patch from Atomic and Plesk, to solve the described issue!

Pls. see as well an actual forum thread at the Atomic forum: => https://forums.atomicorp.com/viewtopic.php?f=3&t=8497
 
First of all, many thanks for your kind help!

The first command seems to return some problems:

# /var/asl/bin/aum -uf




Checking versions ...

ASL version is current: [PASS]
Updating Web Application Firewall to 201611221017: updated [PASS]
-------------------------------------------------------------------------------
Errors were encountered:

L CODE SOURCE MESSAGE
- ---- ----------------------------- ------------------------------------------
2 9901 ASLCommon::cmd_system ERROR: '/usr/sbin/apachectl -t >/dev/null
2>&1 (1)'
2 9901 ASLCommon::cmd_exec ERROR: '(1) /usr/sbin/apachectl -t 2>&1 --
[Mon Nov 28 11:41:38.543463 2016] [so:war
n] [pid 17534:tid 140267821828160] AH01574
: module unique_id_module is already loade
d, skipping||[Mon Nov 28 11:41:38.583052 2
016] [so:warn] [pid 17534:tid 140267821828
160] AH01574: module security2_module is a
lready loaded, skipping||AH00526: Syntax e
rror on line 36 of /etc/httpd/conf/modsecu
rity.d/rules/atomic/modsec/00_asl_z_antiev
asion.conf:||ModSecurity: Found another ru
le with the same id'
2 601 c_modsec::apply_rules There is a problem with the apache config:
[Mon Nov 28 11:41:38.543463 2016] [so:war
n] [pid 17534:tid 140267821828160] AH01574
: module unique_id_module is already loade
d, skipping; [Mon Nov 28 11:41:38.583052 2
016] [so:warn] [pid 17534:tid 140267821828
160] AH01574: module security2_module is a
lready loaded, skipping; AH00526: Syntax e
rror on line 36 of /etc/httpd/conf/modsecu
rity.d/rules/atomic/modsec/00_asl_z_antiev
asion.conf:; ModSecurity: Found another ru
le with the same id
2 601 c_modsec::apply_rules There is a problem with the apache config:
Rolling back to the previous update
3 600 c_modsec::apply_rules Errors occurred with Apache
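
Added example, not part of the original thread and not Atomicorp or Plesk code: the `apachectl -t` output above fails with "ModSecurity: Found another rule with the same id", and this read-only scan lists which rule ids are defined more than once under a rules directory and where. The sample file names and rule contents are constructed, and taking the first `id:` on a directive line is a heuristic assumption.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Heuristic: first id:<digits> on the directive line (also id:'123' / id:"123").
ID_RE = re.compile(r"""\bid\s*:\s*['"]?(\d+)""")
DIRECTIVES = {"SecRule", "SecAction", "SecRuleScript"}

def logical_lines(path):
    """Yield (first_line_no, text), joining backslash-continued lines."""
    buf, start = "", 0
    for no, raw in enumerate(Path(path).read_text(errors="replace").splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue  # skip blanks and comments between directives
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf

def find_duplicate_ids(rule_dir):
    """Return {rule_id: [(file_name, line_no), ...]} for ids defined more than once."""
    seen = defaultdict(list)
    for conf in sorted(Path(rule_dir).rglob("*.conf")):
        for no, text in logical_lines(conf):
            match = ID_RE.search(text)
            if text.split(None, 1)[0] in DIRECTIVES and match:
                seen[match.group(1)].append((conf.name, no))
    return {rid: locs for rid, locs in seen.items() if len(locs) > 1}

def demo():  # constructed sample rule files, not Atomicorp rules
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "00_sample_a.conf").write_text(
            '# constructed sample\n'
            'SecRule REQUEST_URI "@contains /a" \\\n'
            '    "phase:2,id:900001,deny"\n'
            'SecAction "phase:1,id:\'900002\',nolog,pass"\n')
        Path(tmp, "10_sample_b.conf").write_text(
            'SecRule ARGS "@rx test" "phase:2,id:900001,log"\n'
            'SecRuleRemoveById 900002\n')
        return find_duplicate_ids(tmp)

if __name__ == "__main__":
    print(demo())
```

On an affected server, `find_duplicate_ids()` would be pointed at the rules directory named in the Apache error, and each reported id shows the files and starting line numbers that define it.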
 
Hi micfrip,

pls. consider to use the ssh - command over the command line ( logged in as user "root" ):

/usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php UpdateModSecurityRuleSet

... and/or try to switch the actual rule-set and reverse it afterwards over your Plesk Control Panel ( => Home > Tools & Settings > Web Application Firewall ). ;)
 
running
/var/asl/bin/aum -uf
I get messages
- ---- ----------------------------- ------------------------------------------
2 302 Core::distributed_update remote fail: E_GEN_RETRY 22 .. www4.atomicorp.com/channels/asl-4.0/modsec-201706161912.tar.bz2
2 6 Core::distributed_update File not found www4.atomicorp.com /channels/asl-4.0/modsec-201706161912.tar.bz2
2 302 Core::distributed_update remote fail: E_GEN_RETRY 22 .. www3.atomicorp.com/channels/asl-4.0/modsec-201706161912.tar.bz2
2 6 Core::distributed_update File not found www3.atomicorp.com /channels/asl-4.0/modsec-201706161912.tar.bz2
2 302 Core::distributed_update remote fail: E_GEN_RETRY 22 .. www6.atomicorp.com/channels/asl-4.0/modsec-201706161912.tar.bz2
2 6 Core::distributed_update File not found www6.atomicorp.com /channels/asl-4.0/modsec-201706161912.tar.bz2
2 302 Core::distributed_update remote fail: E_GEN_RETRY 22 .. www5.atomicorp.com/channels/asl-4.0/modsec-201706161912.tar.bz2
2 6 Core::distributed_update File not found www5.atomicorp.com /channels/asl-4.0/modsec-201706161912.tar.bz2
2 302 Core::distributed_update remote fail: E_GEN_RETRY 22 .. www2.atomicorp.com/channels/asl-4.0/modsec-201706161912.tar.bz2
2 6 Core::distributed_update File not found www2.atomicorp.com /channels/asl-4.0/modsec-201706161912.tar.bz2


I have a subscription at Atomicorp.
 
--bc1c384c-H--
Message: [file "/etc/httpd/conf/modsecurity.d/rules/atomic/modsec/20_asl_useragents.conf"] [line "360"] [id "333515"] [rev "4"] [msg "Atomicorp.com WAF Rules: MJ12 Distributed bot detected (Disable this rule if you want to allow this bot)"] [severity "ERROR"] [tag "no_ar"] Access denied with code 403 (phase 2). Pattern match "MJ12bot" at REQUEST_HEADERS:User-Agent.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1497887726147861 9581 (- - -)
Stopwatch2: 1497887726147861 9581; combined=4500, p1=246, p2=4200, p3=0, p4=0, p5=54, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (ModSecurity: Open Source Web Application Firewall 201706161912.
Server: Apache
Engine-Mode: "ENABLED
 
Hi dyrer,

apart from the fact, that the previous copied message is a normal information about the ( expected ) behaviour, when you use ModSecurity, could you pls. explain
  • What has this information got to do with the thread?
  • Why did you paste it to this thread?
  • Did you notice, that Plesk ( and Plesk Forum Members ) can't give support for Atomic Rules, as they don't develop ModSecurity?
 
I know this is a forum about Plesk, but the problem occurs in Plesk, so I am asking for help here.
I have removed and installed ModSecurity again, to see if the problem persists.
And something else: how can I remove the ModSecurity log file? From Plesk, of course.
@UFHH01 Thanks for your help
 
Hi micfrip,

you could try to solve the issue with the following commands over the ssh - command line ( logged in as user "root" ):

Code:
/var/asl/bin/aum -uf
yum upgrade mod_security tortix-waf
/var/asl/bin/asl -s -f
On Debian/Ubuntu based systems, the package would be upgraded with the command "apt-get install --only-upgrade aum"


If you experience issues with these commands, pls. consider to check the file "/etc/asl/config" to ensure that UPDATE_TYPE is set to "all".

If you experience the issue, that there is no "config" - file on Debian/Ubuntu - based systems, which you could edit, pls. consider to use "cp -p /etc/asl/config.dpkg-dist /etc/asl/config", followed by the command "/var/asl/bin/aum -c". But ( ! ), pls. be informed, that the sample configuration is a STANDARD configuration file, with no unique settings, so the copy of the configuration file is only recommended for experienced Linux administrators, who are able to solve ( possible ) issues with a standard configuration file for WAF. If you are an inexperienced user, pls. consider to WAIT for an update/upgrade/patch from Atomic and Plesk, to solve the described issue!

Pls. see as well an actual forum thread at the Atomic forum: => https://forums.atomicorp.com/viewtopic.php?f=3&t=8497

Hi!
I found this thread while searching for information on whether it is possible to use an Ubuntu server with Plesk Onyx and Atomic rules via Plesk? I have found limitations to some OSes (CentOS 6 and 7, Red Hat Enterprise Linux 6 and 7, CloudLinux 6 and 7). But when I read your post it seems to be possible to use the Plesk extension "Atomic Secured Linux" on Ubuntu 16 with Onyx...
Can you tell me something about the real status?
Best wishes,
Matthias
 
Sorry, I have just found out that using mod_security with "Atomic Rules subscription" is something completely different than using the Plesk extension "Atomic Secured Linux"...

Best regards,
Matthias
 