• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue ModSecurity : collections_remove_stale: Failed deleting collection

Marc D.

New Pleskian
Hello,

With mod_security enabled (in detection mode only, in conjunction with fail2ban) we've got a lot of errors of this type :
"collections_remove_stale: Failed deleting collection (name "ip", key "xxxxx"): Internal error (specific information not available) Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xxxx] ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "xxxxx"): Internal error (specific information not available)"

I tried to truncate the /var/cache/modsecurity/www-data-ip.pag file (was 500 Mb) and re-started modsecurity but the problem persists.

The errors are treated as false positives by fail2ban.

Is there a way to solve this problem ?

btw, where are the configuration files located ?

Thanks in advance for your help

Marc
 
It is related to the known Plesk bug PPPM-11961.
As a workaround, apply either of the following solutions:
1. Login to Plesk
2. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Trusted IP Addresses and click Add trusted IP
3. Type the IP address and click OK.
 
Thank you much for your answer.

I don't think this problem is related to rules 210710 and 214930 that are already disabled in my case.
I already whitelisted some IPs of my customer, but I can't add all my customer IP addresses.

The problem occurs several times a day on all websites (WordPress, Drupal, Symfony, ...) and is not specific to a rule.
Here is an example of error message occurred on a legitimate access (unless I miss something) :


Code:
--10cc7a05-A--
[07/Sep/2021:14:13:51 +0200] YTdXfwbgfhL6gdeCv5CdcwAAAAE 176.157.135.121 35286 46.105.44.87 7081
--10cc7a05-B--
GET /themes/custom/somalu_theme/node_modules/bootstrap-sass/assets/javascripts/bootstrap/tooltip.js?qytklw HTTP/1.0
Host: www.somalu.com
X-Real-IP: 176.157.135.121
X-Accel-Internal: /internal-nginx-static-location
Connection: close
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8
purpose: prefetch
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.somalu.com/
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7

--10cc7a05-F--
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Upgrade: h2,h2c
Connection: Upgrade, close
X-Accel-Version: 0.01
X-Accel-Redirect: /internal-nginx-static-location/themes/custom/somalu_theme/node_modules/bootstrap-sass/assets/javascripts/bootstrap/tooltip.js
Cache-Control: max-age=1209600
Expires: Tue, 21 Sep 2021 12:13:51 GMT
Content-Length: 0
Content-Type: application/javascript

--10cc7a05-H--
Message: collections_remove_stale: Failed deleting collection (name "ip", key "185.49.20.76_aa6b92822cd5e8bc79f4f753be2ac256ed1a542c"): Internal error (specific information not available)
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 176.157.135.121] ModSecurity: collections_remove_stale: Failed deleting collection (name "ip", key "185.49.20.76_aa6b92822cd5e8bc79f4f753be2ac256ed1a542c"): Internal error (specific information not available) [hostname "www.somalu.com"] [uri "/themes/custom/somalu_theme/node_modules/bootstrap-sass/assets/javascripts/bootstrap/tooltip.js"] [unique_id "YTdXfwbgfhL6gdeCv5CdcwAAAAE"]
Stopwatch: 1631016831835114 64186 (- - -)
Stopwatch2: 1631016831835114 64186; combined=122436, p1=381, p2=2120, p3=24, p4=32, p5=59967, sr=88, sw=0, l=0, gc=59912
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

I guess the problem is related to the persistent collections management by modsecurity (PB while accessing the DBM file that holds collections)

btw: Do you know where is the main modsecurity configuration file located in Plesk ?

Thanks again
Marc
 
Hello,

Same problem here. Modsecurity errors like "Message: collections_remove_stale: Failed deleting collection (name "ip", key "46.101.95.65_1759fce451e56b4eb624eea72c06ca78e73f27d0"): Internal error (specific information not available)" cause fail2ban to ban legit IPs.

I had no luck searching how to fix the deleting collections error in modsecurity.

I'll stay tuned hoping for a solution.

Warm regards,
Jesús Ángel.
 
I'm encountering a huge jump in this error in my logs today for unknown reasons. Since it seems fixing the logging of this condition in modsec.log is unlikely, it seems maybe a workaround would be to figure out how to ignore it in the fail2ban filter. I'm not an expert on that, but would welcome any input from someone confident in how to modify the default fail2ban filter below.
```
[Definition]
failregex = ^(?:\[.*?\]\s\S*|X-Real-IP:)\s<HOST>\s
ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s\1
```
 
I found this page that explains it :

You need to edit the file /etc/fail2ban/filter.d/plesk-modsecurity.conf
and add these two lines :
collection_store
collections_remove_stale
under the line
ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s\1
 
Back
Top