• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Issue with modsecurity

florkz.com

New Pleskian
Server operating system version
CentOS Linux 7.9.2009 (Core)
Plesk version and microupdate number
Plesk Obsidian 18.0.48
Hello,
i'm getting errors with ModSecurity 2.9 rules from Comodo:

[Mon Dec 12 20:45:12.275561 2022] [:error] [pid 13307:tid 139813122467584] [client 45.32.234.28:54808] [client 45.32.234.28] ModSecurity: Warning. Operator GE matched 4 at TX: outgoing_points. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|www.florkz.com|F|2"] [severity "CRITICAL"] [tag "CWAF"]

I've did the first step in this post Resolved - Issue installing modsecurity (Resolved - Issue installing modsecurity) with the trust list command and got one cert, which is expired:

pkcs11:id=%88%68%bf%e0%8e%35%c4%3b%38%6b%62%f7%28%3b%84%81%c8%0c%d7%4d;type=cert
type: certificate
label: Explicitly Distrust DigiNotar Root CA
trust: blacklisted
category: authority

all other certs looks nominell for me.

should i do the further commands to remove the expired root CA from my system trust store:

trust dump --filter "pkcs11:id=%88%68%bf%e0%8e%35%c4%3b%38%6b%62%f7%28%3b%84%81%c8%0c%d7%4d;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
update-ca-trust
trust list

to solve this problem?

Thanks for your help.
Best regards
 
ModSecurity is doing what it is supposed to do. The [id "214940"] points to the Comodo rule that is applied. The message is not an error in ModSecurity operatings itself, but a notification that a rule violation was detected. This rule actually does not do anything directly. As far as I know it sums up the number of warnings/errors from previous, blocking rules. Rule 214940 is triggered by the value of the variable TX:OUTGOING_POINT when it is greater than tx.outgoing_points_limit. That variable was loaded by a rule that was processed earlier and ought to be a counter for rule violations in the webserver response to a request.
--> You should be able to ignore the message without any impact on your server.
 
ModSecurity is doing what it is supposed to do. The [id "214940"] points to the Comodo rule that is applied. The message is not an error in ModSecurity operatings itself, but a notification that a rule violation was detected. This rule actually does not do anything directly. As far as I know it sums up the number of warnings/errors from previous, blocking rules. Rule 214940 is triggered by the value of the variable TX:OUTGOING_POINT when it is greater than tx.outgoing_points_limit. That variable was loaded by a rule that was processed earlier and ought to be a counter for rule violations in the webserver response to a request.
--> You should be able to ignore the message without any impact on your server.
Hi Peter,

So I just saw this same issue. I see/know that the user who got it, all was good. BUT I really dislike seeing the "Apache error".
If I ignore it, how do I know when I "should" ignore errors and when I should NOT?

the "Crying Wolf" example comes to mind :(

isn't there a better solution?
is comodo not a good rule set to use?
do all rule sets have issues like this?

thank you for the reply!
 
Yes, it seems that the warning message you are seeing in your ModSecurity logs is related to the Comodo WAF's Outbound Points Exceeded rule, which is triggering because the total points for the transaction are greater than or equal to 4.

Regarding the expired certificate issue, it is generally recommended to remove or update any expired certificates from your system trust store to avoid potential security issues. The command you have provided (trust dump --filter "pkcs11:id=%88%68%bf%e0%8e%35%c4%3b%38%6b%62%f7%28%3b%84%81%c8%0c%d7%4d;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit) will create a new file called addtrust-external-root.p11-kit in the /etc/pki/ca-trust/source/blacklist directory, which will blacklist the specified certificate.

After running this command, you should run the update-ca-trust command to update your system's trust store and ensure that the changes are applied. Finally, you can use the trust list command to verify that the certificate has been successfully removed or blacklisted.

Note that modifying your system's trust store can have potentially significant security implications, so it is important to be careful and ensure that you understand the implications of any changes you make. It is recommended that you consult with a security expert if you are unsure about how to proceed.
 
Back
Top