
Resolved ModSecurity is Enabled but is not Working on Windows

Discussion in 'Plesk Onyx for Windows' started by Iman Gozal, May 14, 2017.

  1. Iman Gozal

    Hello There,

    On one of my Windows servers which is powered by Plesk Onyx, I've noticed that one of my websites was hacked by SQL Injection. I've checked it and found out that ModSecurity is not working at all.

    In %plesk_dir%\ModSecurity\vhosts\... the last log was written about two months ago.

    I've removed modsecurity and installed it once again, also changed rulesets from OWASP to Comodo (as custom ruleset) and ... but nothing helped.

    Is there anyone who could help me with this problem?

    Thanks!
    Iman

     
  2. hostking

    Hi

    Are you possibly using Windows Server 2008 R2?

    Also ensure in IIS that the module is loaded.
     
  3. Iman Gozal

    Hi,

    I have this issue on two different servers, one is Windows Server 2008 R2 and the other one is Windows Server 2012.
    I've checked and IIS modules (both for 32bits and 64bits) are installed.

    In Event Viewer, there are several error logs similar to this one:
    Code:
    The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event:
    
    Cannot open config file: C:\Program Files (x86)\Parallels\Plesk\ModSecurity\vhosts\D2B58645-6258-47DE-B8FD-BB7C242CB898\modsecurity.conf

    Edit: The mentioned config file exists on the server and I'm able to open it via Notepad.

    To make sure that it's not working, I've added this line to Custom Directive section:
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"

    But when I use "?testparam=test" at the end of a website's URL, it won't return any errors.

    I've also removed ModSecurity via CLI and reinstalled it, but it didn't help either...

    Any idea please?

    Thanks
    Iman
     
  4. hostking

    I am having the exact same issue. Any idea what could be causing it?
     
  5. Iman Gozal

  6. hostking

    Hey man I may have solved it as this seemed to work for me.

    Try the following:

    1. Change modsecurity ruleset to something else like OWASP and see if it gives you an error saying:
    Failed to install the ModSecurity rule set: Unable to find row with id 916 in domains table

    If so follow the below after disabling modsecurity in plesk:
    Issue - Failed to install the ModSecurity rule set: Unable to find row with id 916 in domains table

    Also run

    plesk repair db

    Then reenable and check.

    Hope it helps you.
     
  7. Iman Gozal

    Hi,

    Glad to hear that your issue is fixed. By the way it seems that I'm not that lucky... When I change my ModSecurity rule set, it returns:

    "Information: The web application firewall settings were saved."

    Everything seems to be working fine but ModSecurity is not preventing anything...

    Is there any way I could check if its module is responding anyway in IIS?

    Thanks again.
     
  8. hostking

    Well, open IIS and go to Modules. Ensure the modules are loaded there. You should see 2 global modules, one for 32-bit and another for 64-bit. If they are there, then they should be active for all domains on the server and working.
     
  9. hostking

    I think I got it.

    If you try any rules except OWASP it does not work.

    I tested running this now : http://www.website.com/default.aspx?SELECT * FROM mysql.users

    It did not give me any modsecurity error or block when I tried comodo ruleset or atomic.

    When I use OWASP then for some reason I get these errors now:

    HTTP Error 403.0 - ModSecurity Action

    So I guess it may be something like that?
     
  10. Iman Gozal

    Actually it's not working for me. I've changed it to OWASP, and I even downloaded the Comodo Ruleset and manually installed it as a custom rule set, but it didn't work either... The thing is that when I enable OWASP or ComodoWAF, all the available tags are there in the ModSecurity panel in Plesk, but nothing is working in IIS.

    I've checked IIS modules and both 32bits and 64bits of ModSecurity are available in server and websites but rules are not working.

    I'm gonna remove the modsecurity from plesk completely and install it manually on windows to see if it's working or not...

    Thanks.

    P.S. Thread is not solved yet.
     
  11. Iman Gozal

    Best Answer
    OK got it! After a week working on it finally found the cause of the problem.

    The problem was that when Plesk updates or when we run the Plesk permission checker manually, it sets (possibly) wrong permissions on the Plesk\ModSecurity\vhosts directory. The thing which is preventing ModSecurity from working is the Deny permission assigned to the psacln user.

    I've made a custom permission directive in \etc\DiscSecurity directory with the following content:

    Code:
    <?xml version="1.0" encoding="utf-8" ?>
    <!-- Copyright 1999-2017. Parallels IP Holdings GmbH. All Rights Reserved. -->
    <Entries>
    <!-- [PRODUCT_DATA_D]\ModSecurity\vhosts -->
        <Entry AccounType="1" Account="Psacln" Path="[PRODUCT_DATA_D]" SubPath="ModSecurity\vhosts" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="Read" EntryFlags="0" />
        <Entry AccounType="1" Account="Psacln" Path="[PRODUCT_DATA_D]" SubPath="ModSecurity\vhosts" AceFlags="ThisFolderAndFiles" AccessMask="Read" EntryFlags="0" />
    </Entries>

    and "checked component and folder permission" via Plesk Reconfigurator and the problem was fixed immediately.

    I'm just concerned if granting read access to the psacln account could cause any security issues there. May I ask a member of the Plesk team to confirm this solution?

    Thanks.
    Iman
     
  12. hostking

    Wow, I just noticed the same thing, as ours seems to have broken again. I went crazy and decided to check the modsecurity folder and noticed it had "Read only" set. I then disabled inheritance on the folder and went CRAZY and decided to give it Everyone user access just to check with full control. I know it's risky but just for testing I decided to do so and it seemed to have fixed the issue. So it certainly is permissions related.
     
  13. hostking

    Your fix worked and now it doesn't. Seems the file keeps updating and reverting back to:

    <!-- [PRODUCT_DATA_D]\ModSecurity\vhosts -->
    <Entry AccounType="1" Account="Psacln" Path="[PRODUCT_DATA_D]" SubPath="ModSecurity\vhosts" AceFlags="ThisObjectOnly" AccessMask="0x100081" EntryFlags="0x1000" />

    How do I stop Plesk from breaking the file every time it updates every night?
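
The failure described in this thread is silent: the Plesk panel reports the firewall settings as saved while IIS serves requests unfiltered, and the permissions can revert after an update. The check below is an added example, not part of any post and not Plesk's own tooling; it looks for Deny ACEs naming psacln under the vhosts directory, recent "Cannot open config file" events, and the response to the test rule from post 3. The vhosts path, the Application log name and the canary URL are assumptions.

```powershell
# Added example, not from the thread. Read-only; run elevated, PowerShell 3.0 or later.
# Assumptions: the vhosts path (from the event text in post 3), the Application log,
# and the canary URL, which is a placeholder for a site carrying the id:1234 test rule.
$VhostsDir = 'C:\Program Files (x86)\Parallels\Plesk\ModSecurity\vhosts'
$Account   = 'psacln'
$CanaryUrl = 'http://site.example/?testparam=test'

function Get-DenyAce {
    param([string]$Path, [string]$Account)
    # Deny ACEs (explicit or inherited) that name the account on one file or folder.
    $pattern = '(^|\\)' + [regex]::Escape($Account) + '$'
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference.Value -match $pattern } |
        Select-Object @{n='Path';e={$Path}}, FileSystemRights, IsInherited
}

function Test-WafCanary {
    param([string]$Url)
    # HTTP status of the canary request; 403 means the test rule fired, 0 means no reply.
    try   { [int](Invoke-WebRequest -Uri $Url -UseBasicParsing).StatusCode }
    catch { if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 } }
}

# 1. The vhosts folder plus every per-site modsecurity.conf beneath it.
$confs   = Get-ChildItem -LiteralPath $VhostsDir -Recurse -Filter 'modsecurity.conf'
$targets = @($VhostsDir) + @($confs | ForEach-Object { $_.FullName })
$deny    = @(foreach ($t in $targets) { Get-DenyAce -Path $t -Account $Account })

# 2. Event ID 1 from source ModSecurity in the last day. The message template is missing
#    on the servers in this thread, so the inserted strings are searched as well.
$filter = @{ LogName = 'Application'; Id = 1; StartTime = (Get-Date).AddDays(-1) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'ModSecurity' } |
    Where-Object {
        $text = "$($_.Message) " + (($_.Properties | ForEach-Object { $_.Value }) -join ' ')
        $text -match 'Cannot open config file'
    })

# 3. Report. A Deny ACE, a config-open error or a non-403 canary points to fail-open.
$status = Test-WafCanary -Url $CanaryUrl
$deny | Format-Table -AutoSize
"Deny ACEs for ${Account}: $($deny.Count)"
"Config-open errors (24h): $($events.Count)"
"Canary status: $status (expected 403)"
if ($deny.Count -or $events.Count -or $status -ne 403) { exit 1 }
```

Scheduled to run after the nightly Plesk update, the non-zero exit code gives a monitoring job something to alert on when the permissions revert.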
     