• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Issue with modsecurity

F

florkz.com

New Pleskian
Server operating system version
CentOS Linux 7.9.2009 (Core)
Plesk version and microupdate number
Plesk Obsidian 18.0.48
Hello,
i'm getting errors with ModSecurity 2.9 rules from Comodo:

[Mon Dec 12 20:45:12.275561 2022] [:error] [pid 13307:tid 139813122467584] [client 45.32.234.28:54808] [client 45.32.234.28] ModSecurity: Warning. Operator GE matched 4 at TX: outgoing_points. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|www.florkz.com|F|2"] [severity "CRITICAL"] [tag "CWAF"]

I've did the first step in this post Resolved - Issue installing modsecurity (Resolved - Issue installing modsecurity) with the trust list command and got one cert, which is expired:

pkcs11:id=%88%68%bf%e0%8e%35%c4%3b%38%6b%62%f7%28%3b%84%81%c8%0c%d7%4d;type=cert
type: certificate
label: Explicitly Distrust DigiNotar Root CA
trust: blacklisted
category: authority

all other certs looks nominell for me.

should i do the further commands to remove the expired root CA from my system trust store:

trust dump --filter "pkcs11:id=%88%68%bf%e0%8e%35%c4%3b%38%6b%62%f7%28%3b%84%81%c8%0c%d7%4d;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
update-ca-trust
trust list

to solve this problem?

Thanks for your help.
Best regards
 
ModSecurity is doing what it is supposed to do. The [id "214940"] points to the Comodo rule that is applied. The message is not an error in ModSecurity operatings itself, but a notification that a rule violation was detected. This rule actually does not do anything directly. As far as I know it sums up the number of warnings/errors from previous, blocking rules. Rule 214940 is triggered by the value of the variable TX:OUTGOING_POINT when it is greater than tx.outgoing_points_limit. That variable was loaded by a rule that was processed earlier and ought to be a counter for rule violations in the webserver response to a request.
--> You should be able to ignore the message without any impact on your server.
 
Peter Debik said:
ModSecurity is doing what it is supposed to do. The [id "214940"] points to the Comodo rule that is applied. The message is not an error in ModSecurity operatings itself, but a notification that a rule violation was detected. This rule actually does not do anything directly. As far as I know it sums up the number of warnings/errors from previous, blocking rules. Rule 214940 is triggered by the value of the variable TX:OUTGOING_POINT when it is greater than tx.outgoing_points_limit. That variable was loaded by a rule that was processed earlier and ought to be a counter for rule violations in the webserver response to a request.
--> You should be able to ignore the message without any impact on your server.
Click to expand...
Hi Peter,

So I just saw this same issue. I see/know that the user who got it, all was good. BUT I really dislike seeing the "Apache error".
If I ignore it, how do I know when I "should" ignore errors and when I should NOT?

the "Crying Wolf" example comes to mind :(

isn't there a better solution?
is comodo not a good rule set to use?
do all rule sets have issues like this?

thank you for the reply!
 
Yes, it seems that the warning message you are seeing in your ModSecurity logs is related to the Comodo WAF's Outbound Points Exceeded rule, which is triggering because the total points for the transaction are greater than or equal to 4.

Regarding the expired certificate issue, it is generally recommended to remove or update any expired certificates from your system trust store to avoid potential security issues. The command you have provided (trust dump --filter "pkcs11:id=%88%68%bf%e0%8e%35%c4%3b%38%6b%62%f7%28%3b%84%81%c8%0c%d7%4d;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit) will create a new file called addtrust-external-root.p11-kit in the /etc/pki/ca-trust/source/blacklist directory, which will blacklist the specified certificate.

After running this command, you should run the update-ca-trust command to update your system's trust store and ensure that the changes are applied. Finally, you can use the trust list command to verify that the certificate has been successfully removed or blacklisted.

Note that modifying your system's trust store can have potentially significant security implications, so it is important to be careful and ensure that you understand the implications of any changes you make. It is recommended that you consult with a security expert if you are unsure about how to proceed.
 
You must log in or register to reply here.

Similar threads

Epic Voyage
Issue PHP imap_open + ADDTrust External CA Root Expiration
Replies
1
Views
2K
Epic Voyage
Epic Voyage
websavers
Forwarded to devs PHP libcurl fails to populate certinfo array
Replies
2
Views
4K
websavers
websavers
Back
Top