mod_security thoughts

LinqLOL

Basic Pleskian
Testing the mod_security functionality (in combination with the Atomic corp live rules) in active mode. Below are some of my findings about the current state of mod_security in Plesk:
What are your thoughts about the current state of the WAF in Plesk?
 
@igor The link you gave me is interesting. I had the atomic turtle rpm installed but I'm pretty sure I did not do that! I uninstalled the turtle rpm and reinstalled the original rpm. Now it seems to work.

But the modsec_audit.log keeps growing (today 82 MB already)!
 
We favor sticking with the LSB guidelines, where the audit logs will be in the same directory as the rest of the httpd logs: /var/log/httpd/
 
The log file not rotating should be considered a bug in Plesk.

Within the Plesk GUI you can go to the web application firewall settings tab and specify under Custom directives:
SecAuditLog "/var/log/httpd/modsec_audit.log"

OR

You can alternatively do what the Plesk devs should have done for us: edit /usr/local/psa/etc/logrotate.conf and insert

/var/log/modsec_audit.log {
daily
rotate 12
missingok
notifempty
copytruncate
compress
}
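The thread's complaint is that the audit log grows without ever being rotated, and the two fixes proposed are either to move it under /var/log/httpd (already covered by the httpd stanza) or to add a dedicated stanza. The following is an added example, not code from the thread or from Plesk: a small Python check that parses logrotate stanzas and reports whether a given log path is covered and whether the covering stanza copes with a daemon that keeps the file open (copytruncate, or a postrotate reload). The sample configuration files, their paths and directives are constructed for the example, modelled on the stanzas quoted in this thread.

```python
import fnmatch
import re

# Constructed sample configuration files (not a real server's files), modelled on
# the stanzas quoted in the thread: an httpd stanza with a postrotate reload and a
# hand-added modsec_audit.log stanza using copytruncate.
SAMPLE_CONFIGS = {
    "/etc/logrotate.d/httpd": """\
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}
""",
    "/usr/local/psa/etc/logrotate.conf": """\
# audit log stanza added by hand, as suggested in the thread
/var/log/modsec_audit.log {
    daily
    rotate 12
    missingok
    notifempty
    copytruncate
    compress
}
""",
}

# One stanza is "one or more paths, then a brace-delimited block of directives".
STANZA_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
SCRIPT_OPENERS = {"postrotate", "prerotate", "firstaction", "lastaction", "preremove"}


def parse_logrotate(text):
    """Return [(patterns, directives)] for every 'paths { ... }' stanza in text."""
    # Drop comment lines so they cannot be mistaken for log paths.
    cleaned = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    stanzas = []
    for m in STANZA_RE.finditer(cleaned):
        patterns = m.group(1).split()
        directives = set()
        in_script = False
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line:
                continue
            word = line.split()[0]
            if in_script:
                # Script bodies are shell commands, not logrotate directives.
                if word == "endscript":
                    in_script = False
                continue
            if word in SCRIPT_OPENERS:
                in_script = True
            directives.add(word)
        stanzas.append((patterns, directives))
    return stanzas


def audit_log_rotation(log_path, configs):
    """Report whether log_path is rotated by any stanza and whether that stanza
    keeps a long-running writer's open handle valid: either copytruncate (the
    inode never changes) or a postrotate script (assumed to reload the daemon)."""
    for config_file, text in configs.items():
        for patterns, directives in parse_logrotate(text):
            if any(fnmatch.fnmatchcase(log_path, p) for p in patterns):
                return {
                    "covered": True,
                    "config": config_file,
                    "keeps_open_handle_valid": bool(
                        {"copytruncate", "postrotate"} & directives
                    ),
                }
    return {"covered": False, "config": None, "keeps_open_handle_valid": False}


if __name__ == "__main__":
    for path in ("/var/log/modsec_audit.log",
                 "/var/log/httpd/modsec_audit.log",
                 "/var/log/modsec_debug.log"):
        print(path, audit_log_rotation(path, SAMPLE_CONFIGS))
```

On a real server you would feed it the contents of /etc/logrotate.conf, every file in /etc/logrotate.d and Plesk's own /usr/local/psa/etc/logrotate.conf; a result of "covered: False" for the path in your SecAuditLog directive is exactly the situation the thread describes.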
 
On my test Plesk 12 server I see:

# cat /etc/logrotate.d/mod_security
/var/log/modsec_audit.log {
daily
rotate 7
missingok
compress
postrotate
/sbin/service httpd reload > /dev/null 2>/dev/null || true
endscript
}

# rpm -qf /etc/logrotate.d/mod_security
mod_security-2.8.0-14061715.i386
 
Perhaps that logrotate file was set up by an earlier version or a very very recent update added it? I just freshly installed this server last week from CLI and that file does not exist:

Code:
# ls -al /etc/logrotate.d
total 60
drwxr-xr-x  2 root root    4096 Mar 28 20:22 .
drwxr-xr-x 86 root root    4096 Mar 29 04:24 ..
-rw-r--r--  1 root root      80 Nov  9  2012 drwebd
-rw-r--r--  1 root root     112 Feb 27  2013 drweb-update
-rw-r--r--  1 root root     185 Aug 15  2014 httpd
-rw-r--r--  1 root root      70 Feb  1  2013 lfd
-rw-r--r--  1 root mailman  407 Nov 20  2012 mailman
-rw-r--r--  1 root root     871 Feb  9 17:13 mysqld
-rw-r-----  1 root named    170 Dec 11 21:25 named
-rw-r--r--  1 root root     164 May 15  2014 nginx
-rw-r--r--  1 root root     207 Feb 23 16:29 php-fpm
-rw-r--r--  1 root root     115 Feb 23 06:31 samba
-rw-r--r--  1 root root      68 Jun 18  2012 sa-update
-rw-r--r--  1 root root     210 Dec 10 05:05 syslog
-rw-r--r--  1 root root      87 Oct 16 11:15 yum

Code:
# rpm -qa | grep security
plesk-modsecurity-configurator-12.0.18-cos6.build1200140724.12.noarch
mod_security-2.8.0-24.el6.art.x86_64
plesk-modsecurity-crs-12.0.14-14033112.x86_64
 
You have mod_security from Atomic. What about

# rpm -ql mod_security-2.8.0-24.el6.art.x86_64 | grep
 
Code:
# rpm -ql mod_security-2.8.0-24.el6.art.x86_64
/etc/httpd/conf.d/00_mod_security.conf
/etc/httpd/modsecurity.d
/usr/lib64/httpd/modules/mod_security2.so
/usr/share/doc/mod_security-2.8.0
/usr/share/doc/mod_security-2.8.0/CHANGES
/usr/share/doc/mod_security-2.8.0/LICENSE
/usr/share/doc/mod_security-2.8.0/README.TXT
/usr/share/doc/mod_security-2.8.0/doc
/usr/share/doc/mod_security-2.8.0/doc/README.txt
/usr/share/doc/mod_security-2.8.0/modsecurity.conf-recommended

Since Plesk sets up the configuration (including the log file) shouldn't it be Plesk's responsibility to set up logrotate no matter where the RPM is from? I could understand how Plesk would be exempt from this if the RPM came with the log file configuration built in, but the above referenced conf file is empty.
 
This is why the LSB uses /var/log/httpd: logrotate is already set up to do that for every log file that drops into that directory.

Additionally you would not associate a logrotate config with an apache module, since a module does not restart apache (and should not, to avoid multiple restarts). Were you to do that in an apache module, your log file would be rotated, and the inode would be lost, losing all your new logs.
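The inode point above is the reason the two proposed stanzas differ (copytruncate in the hand-added one, a postrotate reload in the packaged one). The following is an added example, not code from the thread: a Python simulation of a daemon that opens its audit log once in append mode and is never reloaded, rotated either the default logrotate way (rename and create) or with copytruncate. Paths are created in a temporary directory, and the "daemon" is just an open file handle, so it runs offline.

```python
import os
import shutil
import tempfile


def simulate_rotation(mode):
    """Rotate a log that a long-running writer keeps open, without reloading it.

    mode="rename"       : logrotate's default (rename, then create a fresh file)
    mode="copytruncate" : copy the contents aside, then truncate the file in place
    Returns where a line written after the rotation actually ended up.
    """
    workdir = tempfile.mkdtemp(prefix="modsec-rotate-")
    log = os.path.join(workdir, "modsec_audit.log")   # constructed path
    rotated = log + ".1"
    try:
        # The daemon opens the log once with O_APPEND and never reopens it.
        writer = open(log, "a", buffering=1)
        writer.write("entry-before-rotation\n")
        writer.flush()
        inode_before = os.stat(log).st_ino

        if mode == "rename":
            os.rename(log, rotated)          # the old inode now lives under .1
            open(log, "w").close()           # logrotate's "create": a new inode
        elif mode == "copytruncate":
            shutil.copyfile(log, rotated)    # same inode stays in place
            with open(log, "r+") as f:
                f.truncate(0)
        else:
            raise ValueError("unknown mode: %s" % mode)

        # The daemon keeps writing through its original descriptor.
        writer.write("entry-after-rotation\n")
        writer.flush()
        writer.close()

        with open(log) as f:
            current = f.read().splitlines()
        with open(rotated) as f:
            old = f.read().splitlines()
        return {
            "inode_unchanged": os.stat(log).st_ino == inode_before,
            "current_log": current,
            "rotated_log": old,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for mode in ("rename", "copytruncate"):
        print(mode, simulate_rotation(mode))
```

With "rename" the post-rotation entry lands in modsec_audit.log.1 and the new modsec_audit.log stays empty, which is the "losing all your new logs" case; with copytruncate the inode is unchanged and the new entry lands in the live file. copytruncate has its own small window: anything written between the copy and the truncate is lost, which is why a postrotate reload is the cleaner option when you can afford the reload.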
 