Issue ModSecurity: Issue with Comodo rule set?

Azurel

Silver Pleskian
I use Plesk Obsidian with CentOS 7.8 and changed from the Atomic to the Comodo ModSecurity rules. After this, a moderator of my project was banned. The reason: he showed up two times in "plesk-modsecurity" and got a jail for "recidive" (banned for a week).

/var/log/modsec_audit.log
--b0bd2d59-A--
[04/Aug/2020:17:12:01 +0200] Xyl6wLFCz9we-GcmRYPKZwAAAAM USER_IPv4 40716 SERVER_IPv4 7081
--b0bd2d59-B--
GET /folder/index?text=%E3%82%A8%E3%83%AB%E3%83%95%E5%85%AC%E7%88%B5%E3%81%AF%E5%91%AA%E3%82%8F%E3%82%8C%E4%BB%A4%E5%AC%A2%E3%82%92%E3%82%A4%E3%83%A4%E3%82%A4%E3%83%A4%E5%A8%B6%E3%82%8B&quick-search=&char=all&q=true HTTP/1.0
Host: www.example.de
X-Real-IP: USER_IPv4
Connection: close
user-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-language: de-CH,de;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate, br
referer: https://www.example.de/
authorization: Basic REMOVED
upgrade-insecure-requests: 1
cookie: REMOVED

--b0bd2d59-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/7.4.8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Webkit-CSP: default-src 'self';img-src * 'self' data:;font-src 'self' *.gstatic.com;style-src 'self' 'unsafe-inline' *.example.de *.googleapis.com;script-src 'self' 'nonce-gtXL2sEaAefP' *.example.de *.example.com *.google.com *.googlesyndication.com;frame-src 'self' 'nonce-gtXL2sEaAefP' *.youtube.com *.facebook.com *.amazon-adsystem.com *.vimeo.com *.dailymotion.com;connect-src 'self' api.jikan.moe;
X-Content-Security-Policy: default-src 'self';img-src * 'self' data:;font-src 'self' *.gstatic.com;style-src 'self' 'unsafe-inline' *.example.de *.googleapis.com;script-src 'self' 'nonce-gtXL2sEaAefP' *.example.de *.example.com *.google.com *.googlesyndication.com;frame-src 'self' 'nonce-gtXL2sEaAefP' *.youtube.com *.facebook.com *.amazon-adsystem.com *.vimeo.com *.dailymotion.com;connect-src 'self' api.jikan.moe;
Content-Security-Policy: upgrade-insecure-requests
Upgrade-Insecure-Requests: 1
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin
X-Content-Age: 12
Set-Cookie: key=value; expires=Wed, 05-Aug-2020 03:12:01 GMT; Max-Age=43200; path=/; domain=.example.de; secure; HttpOnly
Connection: close
Content-Type: text/html; charset=utf-8

--b0bd2d59-H--
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/global": No such file or directory
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Handler: proxy:unix:///var/www/vhosts/system/example.de/php-fpm.sock|fcgi://127.0.0.1:9000
Stopwatch: 1596553920214099 1023775 (- - -)
Stopwatch2: 1596553920214099 1023775; combined=32643, p1=1031, p2=30927, p3=0, p4=0, p5=445, sr=27, sw=0, l=0, gc=240
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--b0bd2d59-Z--

--0d086038-A--
[04/Aug/2020:16:05:53 +0200] XylrQam5mugGmg2ui-f5GgAAAAQ USER_IPv4 38102 SERVER_IPv4 7081
--0d086038-B--
POST /ajax/manage/notifications HTTP/1.0
Host: www.example.de
X-Real-IP: USER_IPv4
Connection: close
Content-Length: 59
user-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
accept: application/json, text/javascript, /; q=0.01
accept-language: de-CH,de;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate, br
referer: https://www.example.de/
content-type: application/x-www-form-urlencoded; charset=UTF-8
x-requested-with: XMLHttpRequest
origin: https://www.example.de/
authorization: Basic REMOVED
cookie: REMOVED

--0d086038-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/7.4.8
Set-Cookie: key=value; expires=Wed, 05-Aug-2020 02:05:53 GMT; Max-Age=43200; path=/; domain=.example.de; secure; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8

--0d086038-H--
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/global": No such file or directory
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Handler: proxy:unix:///var/www/vhosts/system/example.de/php-fpm.sock|fcgi://127.0.0.1:9000
Stopwatch: 1596549953690309 83409 (- - -)
Stopwatch2: 1596549953690309 83409; combined=16522, p1=859, p2=15132, p3=0, p4=0, p5=341, sr=23, sw=0, l=0, gc=190
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--0d086038-Z--

More and more users get banned. Because Plesk Obsidian doesn't show and sort with a datetime object, I must now remove ~800 bans.
I have taken a look in error.log and found these lines for hundreds of users when the rule set from Comodo is enabled. With Atomic there are no issues.

[Tue Aug 04 16:05:53.773474 2020] [:error] [pid 16755] [client USER_IPv4:38102] [client USER_IPv4] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/global": No such file or directory [hostname "www.example.de"] [uri "/index.php"] [unique_id "XylrQam5mugGmg2ui-f5GgAAAAQ"], referer: https://www.example.de/
[Tue Aug 04 16:05:53.773539 2020] [:error] [pid 16755] [client USER_IPv4:38102] [client USER_IPv4] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory [hostname "www.example.de"] [uri "/index.php"] [unique_id "XylrQam5mugGmg2ui-f5GgAAAAQ"], referer: https://www.example.de/
Code:
# ls -ld /var/cache/modsecurity/
ls: cannot access /var/cache/modsecurity/: No such file or directory

I see this bug has existed in Plesk for 3 years.

I have created a report.
 
Last edited:
Back
Top
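The error.log lines quoted above mix two very different things under the same "ModSecurity:" prefix: genuine rule hits (which carry an `[id "..."]` field) and the `collections_remove_stale` DBM error, which is not a rule hit at all but is logged once per missing collection file on every request. A ban filter keyed only on the prefix cannot tell them apart. The script below is an added example, not code from the post or from Plesk or Comodo: it classifies error.log lines per client IP and checks whether the collection store directory from the log (`/var/cache/modsecurity`) exists. The sample log is constructed from the format of the lines in the post, with the placeholder addresses replaced by RFC 5737 documentation IPs and one invented rule-hit line; the remediation hint in the comment assumes httpd runs as the `apache` user on CentOS 7.

```shell
#!/bin/sh
# Added example (not from the original post): triage ModSecurity error.log lines
# before trusting a fail2ban ban count.
#   stale-dbm : collections_remove_stale could not open SecDataDir files (no rule id)
#   rule-hit  : a real rule match, recognisable by the [id "..."] field
#   other     : anything else
set -u

# Constructed sample input in the format of the error.log lines in the post.
# The third line is an invented rule hit so both classes appear.
SAMPLE_LOG=$(cat <<'EOF'
[Tue Aug 04 16:05:53.773474 2020] [:error] [pid 16755] [client 192.0.2.10:38102] [client 192.0.2.10] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/global": No such file or directory [hostname "www.example.de"] [uri "/index.php"] [unique_id "XylrQam5mugGmg2ui-f5GgAAAAQ"], referer: https://www.example.de/
[Tue Aug 04 16:05:53.773539 2020] [:error] [pid 16755] [client 192.0.2.10:38102] [client 192.0.2.10] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory [hostname "www.example.de"] [uri "/index.php"] [unique_id "XylrQam5mugGmg2ui-f5GgAAAAQ"], referer: https://www.example.de/
[Tue Aug 04 16:07:12.100000 2020] [:error] [pid 16755] [client 198.51.100.7:40000] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union\s+select)" at ARGS:q. [file "/etc/httpd/conf/modsecurity.d/constructed.conf"] [line "12"] [id "9000001"] [msg "Constructed SQLi sample"] [hostname "www.example.de"] [uri "/index.php"] [unique_id "constructed000000000001"]
EOF
)

# Client IP from the first "[client a.b.c.d:port]" field of one line.
client_ip() {
  printf '%s\n' "$1" | sed -n 's/.*\[client \([0-9.]*\):[0-9]*\].*/\1/p'
}

# Classify one error.log line. The stale-DBM test runs first because those
# lines also contain [unique_id "..."], which must not be mistaken for [id "..."].
classify_line() {
  case "$1" in
    *"collections_remove_stale: Failed to access DBM file"*) echo stale-dbm ;;
    *'ModSecurity: '*'[id "'*) echo rule-hit ;;
    *) echo other ;;
  esac
}

# Read a log on stdin, print "class ip count" per (class, ip).
summarize() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s %s\n' "$(classify_line "$line")" "$(client_ip "$line")"
  done | sort | uniq -c | awk '{print $2, $3, $1}'
}

# Number of lines of class $1 for IP $2 (log on stdin); 0 when none.
# If an IP has stale-dbm lines and no rule-hit lines, its ban came from the
# missing collection store, not from a rule.
count_class_for_ip() {
  summarize | awk -v c="$1" -v ip="$2" '$1==c && $2==ip {print $3; f=1} END{if(!f) print 0}'
}

# Does the directory that SecDataDir points at exist? Path defaults to the one
# in the post's log lines. Returns 1 when missing.
check_secdatadir() {
  dir="${1:-/var/cache/modsecurity}"
  if [ ! -d "$dir" ]; then
    echo "MISSING: $dir (collections_remove_stale will fail on every request)"
    # Assumed fix, needs root and assumes httpd runs as apache on CentOS 7:
    #   mkdir -p "$dir" && chown apache:apache "$dir" && chmod 750 "$dir"
    return 1
  fi
  echo "OK: $(ls -ld "$dir")"
  return 0
}

# Stand-alone run: summarise the constructed sample, then check the directory.
printf '%s\n' "$SAMPLE_LOG" | summarize
check_secdatadir "${SECDATADIR:-/var/cache/modsecurity}" || true
```

Run it against the real file with `summarize < /var/log/httpd/error_log` (path is an assumption; use the error.log the post refers to) and compare the `stale-dbm` and `rule-hit` columns for a banned IP before unbanning. Fixing the directory stops the error lines at the source; the ban list still has to be cleaned by hand afterwards.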