• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue ModSecurity : collections_remove_stale: Failed deleting collection

Marc D.

Marc D.

New Pleskian
Hello,

With mod_security enabled (in detection mode only, in conjunction with fail2ban) we've got a lot of errors of this type :
"collections_remove_stale: Failed deleting collection (name "ip", key "xxxxx"): Internal error (specific information not available) Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xxxx] ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "xxxxx"): Internal error (specific information not available)"

I tried to truncate the /var/cache/modsecurity/www-data-ip.pag file (was 500 Mb) and re-started modsecurity but the problem persists.

The errors are treated as false positives by fail2ban.

Is there a way to solve this problem ?

btw, where are the configuration files located ?

Thanks in advance for your help

Marc
 
It is related to the known Plesk bug PPPM-11961.
As a workaround, apply either of the following solutions:
1. Login to Plesk
2. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Trusted IP Addresses and click Add trusted IP
3. Type the IP address and click OK.
 
Thank you much for your answer.

I don't think this problem is related to rules 210710 and 214930 that are already disabled in my case.
I already whitelisted some IPs of my customer, but I can't add all my customer IP addresses.

The problem occurs several times a day on all websites (WordPress, Drupal, Symfony, ...) and is not specific to a rule.
Here is an example of error message occurred on a legitimate access (unless I miss something) :


Code: 
--10cc7a05-A--
[07/Sep/2021:14:13:51 +0200] YTdXfwbgfhL6gdeCv5CdcwAAAAE 176.157.135.121 35286 46.105.44.87 7081
--10cc7a05-B--
GET /themes/custom/somalu_theme/node_modules/bootstrap-sass/assets/javascripts/bootstrap/tooltip.js?qytklw HTTP/1.0
Host: www.somalu.com
X-Real-IP: 176.157.135.121
X-Accel-Internal: /internal-nginx-static-location
Connection: close
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8
purpose: prefetch
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.somalu.com/
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7

--10cc7a05-F--
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Upgrade: h2,h2c
Connection: Upgrade, close
X-Accel-Version: 0.01
X-Accel-Redirect: /internal-nginx-static-location/themes/custom/somalu_theme/node_modules/bootstrap-sass/assets/javascripts/bootstrap/tooltip.js
Cache-Control: max-age=1209600
Expires: Tue, 21 Sep 2021 12:13:51 GMT
Content-Length: 0
Content-Type: application/javascript

--10cc7a05-H--
Message: collections_remove_stale: Failed deleting collection (name "ip", key "185.49.20.76_aa6b92822cd5e8bc79f4f753be2ac256ed1a542c"): Internal error (specific information not available)
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 176.157.135.121] ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "185.49.20.76_aa6b92822cd5e8bc79f4f753be2ac256ed1a542c"): Internal error (specific information not available) [hostname "www.somalu.com"] [uri "/themes/custom/somalu_theme/node_modules/bootstrap-sass/assets/javascripts/bootstrap/tooltip.js"] [unique_id "YTdXfwbgfhL6gdeCv5CdcwAAAAE"]
Stopwatch: 1631016831835114 64186 (- - -)
Stopwatch2: 1631016831835114 64186; combined=122436, p1=381, p2=2120, p3=24, p4=32, p5=59967, sr=88, sw=0, l=0, gc=59912
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

I guess the problem is related to the persistent collections management by modsecurity (PB while accessing the DBM file that holds collections)
github.com

Reference Manual (v2.x)

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a rang...
github.com github.com

btw: Do you know where is the main modsecurity configuration file located in Plesk ?

Thanks again
Marc
 
Hello,

Same problem here. Modsecurity errors like "Message: collections_remove_stale: Failed deleting collection (name "ip", key "46.101.95.65_1759fce451e56b4eb624eea72c06ca78e73f27d0"): Internal error (specific information not available)" cause fail2ban to ban legit IPs.

I had no luck searching how to fix the deleting collections error in modsecurity.

I'll stay tuned hoping for a solution.

Warm regards,
Jesús Ángel.
 
I'm encountering a huge jump in this error in my logs today for unknown reasons. Since it seems fixing the logging of this condition in modsec.log is unlikely, it seems maybe a workaround would be to figure out how to ignore it in the fail2ban filter. I'm not an expert on that, but would welcome any input from someone confident in how to modify the default fail2ban filter below.
```
[Definition]
failregex = ^(?:\[.*?\]\s\S*|X-Real-IP:)\s<HOST>\s
ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s\1
```
 
I found this page that explains it :

You need to edit the file /etc/fail2ban/filter.d/plesk-modsecurity.conf
and add these two lines :
collection_store
collections_remove_stale
Click to expand...
under the line
ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s\1
Click to expand...
 
You must log in or register to reply here.

Similar threads

ic3_2k
Issue Problem with Modsecurity 2.9. Error: Could not set variable "ip.brute_force_counter" and Could not set variable "ip.xmlrpc_counter" as the collection
Replies
1
Views
527
Peter Debik
P
M
Issue Failed to update ModSecurity ruleset: modsecurity_ctl failed: gpg: key 4520AFA9: "Atomicorp (Atomicorp Official Signing Key) <[email protected]>"
Replies
0
Views
1K
muhammad.faraz
M
Azurel
Issue ModSecurity: Issue with Comodo rules set?
Replies
1
Views
2K
Azurel
Azurel
Azurel
Forwarded to devs Modsecurity issue with Comodo rules set. Missing folder: /var/cache/modsecurity/
Replies
2
Views
1K
IgorG
IgorG
Bitpalast
Forwarded to devs Recurring issues in all websites with ModSecurity ruleset
Replies
8
Views
3K
ahoi
A
Back
Top