Resolved ModSecurity is Enabled but is not Working on Windows

[Iman Gozal]

Hello There,

On one of my Windows servers which is powered by Plesk Onyx, I've noticed that one of my websites was hacked by SQL Injection. I've checked it and found out that ModSecurity is not working at all.

In %plesk_dir%\ModSecurity\vhosts\... The last log was written in about two months ago.

I've removed modsecurity and installed it once again, also changed rulesets from OWASP to Comodo (as custom ruleset) and ... but nothing helped.

Is there anyone who could help me with this problem?

Thanks!
Iman

 

[hostking]

Hi

Are you possibly using windows server 2008 R2?

Also ensure in IIS that the module is loaded.

 

[Iman Gozal]

Hi,

I have this issue on two different servers, one is Windows Server 2008 R2 and the other one is Windows Server 2012.
I've checked and IIS modules (both for 32bits and 64bits) are installed.

In Event Viewer, there are several error logs similar this one:

The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Cannot open config file: C:\Program Files (x86)\Parallels\Plesk\ModSecurity\vhosts\D2B58645-6258-47DE-B8FD-BB7C242CB898\modsecurity.conf

Edit: The mentioned config file exist on the server and I'm able to open it via notepad.

To make sure that it's not working, I've added this line to Custom Directive section:
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"

But when I use "?testparam=test" in the end of a website's url, It won't return any errors.

I've also removed ModSecurity via cli and reinstalled it but it didn't help too...

Any idea please?

Thanks
Iman

 

[hostking]

I am having the exact same issue. Any idea what could be causing it?

 

[Iman Gozal]

Bump!

 

[hostking]

Hey man I may have solved it as this seemed to work for me.

Try the following:

1. Change modsecurity ruleset to something else like OWASP and see if it gives you an error saying:
Failed to install the ModSecurity rule set: Unable to find row with id 916 in domains table

If so follow the below after disabling modsecurity in plesk:
Issue - Failed to install the ModSecurity rule set: Unable to find row with id 916 in domains table

Also run

plesk repair db

Then reenable and check.

Hope it helps you.

 

[Iman Gozal]

Hi,

Glad to hear that your issue is fixed. By the way it seems that I'm not that lucky... When I change my ModSecurity rule set, it returns:

"Information: The web application firewall settings were saved."

Evertything seems to be working fine but ModSecurity is not preventing anything...

Is there anyway I could check if it's module is responding anyway in IIS?

Thanks again.

 

[hostking]

well open iis and go to modules. ensure the modules are loaded there. You should see 2 global modules one for 32bit and another 64 bit. If they there then should be active for all domains on server and working.

 

[hostking]

I think I got it.

If you try any rules except OWASP it does not work.

I tested running this now : http://www.website.com/default.aspx?SELECT * FROM mysql.users

IT did not give me any modsecurity error or block when I tried comodo ruleset or atomic.

When I use OWASP then for some reason I get these errors now:

HTTP Error 403.0 - ModSecurity Action

So I guess it may be something like that?

 

[Iman Gozal]

Actually it's not working for me. I've changed it to OWASP, Even I downloaded Comodo Ruleset and manually installed them as a custom rule set but it didn't work too... The thing is that when I enable OWASP or ComodoWAF, there are all the available tags in ModSecurity panel in plesk but nothing is working in the IIS.

I've checked IIS modules and both 32bits and 64bits of ModSecurity are available in server and websites but rules are not working.

I'm gonna remove the modsecurity from plesk completely and install it manually on windows to see if it's working or not...

Thanks.

P.S. Thread is not solved yet.

 

[Iman Gozal]

OK got it! After a week working on it finally found the cause of the problem.

The problem was that when Plesk updates or when we run Plesk permission checker manually, it sets (possibly) wrong permissions to Plesk\ModSecurity\vhosts directory. The thing which is preventing ModSecurity to work is Deny permission assigned to psacln user.

I've made a custom permission directive in \etc\DiscSecurity directory with the following content:

<?xml version="1.0" encoding="utf-8" ?>
<!-- Copyright 1999-2017. Parallels IP Holdings GmbH. All Rights Reserved. -->
<Entries>
<!-- [PRODUCT_DATA_D]\ModSecurity\vhosts -->
    <Entry AccounType="1" Account="Psacln" Path="[PRODUCT_DATA_D]" SubPath="ModSecurity\vhosts" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="Read" EntryFlags="0" />
    <Entry AccounType="1" Account="Psacln" Path="[PRODUCT_DATA_D]" SubPath="ModSecurity\vhosts" AceFlags="ThisFolderAndFiles" AccessMask="Read" EntryFlags="0" />
</Entries>

and "checked component and folder permission" via Plesk Reconfigurator and problem was fixed immediately.

I'm just concerned if granting read access to psacln account could cause any security issues there. May I ask a member of Plesk team confirm this solution?

Thanks.
Iman

 

[hostking]

Wow I just noticed the same thing as ours seems to have broken again. I went crazy and decided to check the modsecurity folder and noticed it had "Read only" set. I then disabled inheritance on the folder and went CRAZY and decided to give it Everyone user access just to check with full control. I know its risky but just for testing I decided to do so and it seemed to have and fixed the issue. So it certainly is permissions related.

 

[hostking]

Your fix worked and now it doesnt. Seems the file keeps updating and reverting back to:

<!-- [PRODUCT_DATA_D]\ModSecurity\vhosts -->
<Entry AccounType="1" Account="Psacln" Path="[PRODUCT_DATA_D]" SubPath="ModSecurity\vhosts" AceFlags="ThisObjectOnly" AccessMask="0x100081" EntryFlags="0x1000" />

How do I stop plesk from breaking the file everytime when it updates every night?

 

[hostking]

Ok wait I got it.

Just created a file in /etc/Disksecurity called Modsecurityfix.xml and added your code and "checked component and folder permission" via Plesk Reconfigurator and problem was fixed

finally I understand