
Issue ModSecurity: Issue with Comodo rules set?

Azurel

Silver Pleskian
I use Plesk Obsidian with CentOS 7.8 and changed from Atomic to Comodo ModSecurity rules. After this, a moderator of my project was banned. Reason: his IP showed up two times in "plesk-modsecurity" and got a jail for "recidive" (banned for a week).

/var/log/modsec_audit.log
--b0bd2d59-A--
[04/Aug/2020:17:12:01 +0200] Xyl6wLFCz9we-GcmRYPKZwAAAAM USER_IPv4 40716 SERVER_IPv4 7081
--b0bd2d59-B--
GET /folder/index?text=%E3%82%A8%E3%83%AB%E3%83%95%E5%85%AC%E7%88%B5%E3%81%AF%E5%91%AA%E3%82%8F%E3%82%8C%E4%BB%A4%E5%AC%A2%E3%82%92%E3%82%A4%E3%83%A4%E3%82%A4%E3%83%A4%E5%A8%B6%E3%82%8B&quick-search=&char=all&q=true HTTP/1.0
Host: www.example.de
X-Real-IP: USER_IPv4
Connection: close
user-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-language: de-CH,de;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate, br
referer: https://www.example.de/
authorization: Basic REMOVED
upgrade-insecure-requests: 1
cookie: REMOVED

--b0bd2d59-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/7.4.8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Webkit-CSP: default-src 'self';img-src * 'self' data:;font-src 'self' *.gstatic.com;style-src 'self' 'unsafe-inline' *.example.de *.googleapis.com;script-src 'self' 'nonce-gtXL2sEaAefP' *.example.de *.example.com *.google.com *.googlesyndication.com;frame-src 'self' 'nonce-gtXL2sEaAefP' *.youtube.com *.facebook.com *.amazon-adsystem.com *.vimeo.com *.dailymotion.com;connect-src 'self' api.jikan.moe;
X-Content-Security-Policy: default-src 'self';img-src * 'self' data:;font-src 'self' *.gstatic.com;style-src 'self' 'unsafe-inline' *.example.de *.googleapis.com;script-src 'self' 'nonce-gtXL2sEaAefP' *.example.de *.example.com *.google.com *.googlesyndication.com;frame-src 'self' 'nonce-gtXL2sEaAefP' *.youtube.com *.facebook.com *.amazon-adsystem.com *.vimeo.com *.dailymotion.com;connect-src 'self' api.jikan.moe;
Content-Security-Policy: upgrade-insecure-requests
Upgrade-Insecure-Requests: 1
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin
X-Content-Age: 12
Set-Cookie: key=value; expires=Wed, 05-Aug-2020 03:12:01 GMT; Max-Age=43200; path=/; domain=.example.de; secure; HttpOnly
Connection: close
Content-Type: text/html; charset=utf-8

--b0bd2d59-H--
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/global": No such file or directory
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Handler: proxy:unix:///var/www/vhosts/system/example.de/php-fpm.sock|fcgi://127.0.0.1:9000
Stopwatch: 1596553920214099 1023775 (- - -)
Stopwatch2: 1596553920214099 1023775; combined=32643, p1=1031, p2=30927, p3=0, p4=0, p5=445, sr=27, sw=0, l=0, gc=240
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--b0bd2d59-Z--

--0d086038-A--
[04/Aug/2020:16:05:53 +0200] XylrQam5mugGmg2ui-f5GgAAAAQ USER_IPv4 38102 SERVER_IPv4 7081
--0d086038-B--
POST /ajax/manage/notifications HTTP/1.0
Host: www.example.de
X-Real-IP: USER_IPv4
Connection: close
Content-Length: 59
user-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
accept: application/json, text/javascript, */*; q=0.01
accept-language: de-CH,de;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate, br
referer: https://www.example.de/
content-type: application/x-www-form-urlencoded; charset=UTF-8
x-requested-with: XMLHttpRequest
origin: https://www.example.de/
authorization: Basic REMOVED
cookie: REMOVED

--0d086038-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/7.4.8
Set-Cookie: key=value; expires=Wed, 05-Aug-2020 02:05:53 GMT; Max-Age=43200; path=/; domain=.example.de; secure; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8

--0d086038-H--
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/global": No such file or directory
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Handler: proxy:unix:///var/www/vhosts/system/example.de/php-fpm.sock|fcgi://127.0.0.1:9000
Stopwatch: 1596549953690309 83409 (- - -)
Stopwatch2: 1596549953690309 83409; combined=16522, p1=859, p2=15132, p3=0, p4=0, p5=341, sr=23, sw=0, l=0, gc=190
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--0d086038-Z--

More and more users get banned. Because Plesk Obsidian doesn't show and sort bans by a datetime object, I must now remove ~800 bans by hand.
 
I have taken a look in error.log and found these lines for hundreds of users when the rule set from Comodo is enabled. With Atomic there are no issues.

[Tue Aug 04 16:05:53.773474 2020] [:error] [pid 16755] [client USER_IPv4:38102] [client USER_IPv4] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/global": No such file or directory [hostname "www.example.de"] [uri "/index.php"] [unique_id "XylrQam5mugGmg2ui-f5GgAAAAQ"], referer: https://www.example.de/
[Tue Aug 04 16:05:53.773539 2020] [:error] [pid 16755] [client USER_IPv4:38102] [client USER_IPv4] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory [hostname "www.example.de"] [uri "/index.php"] [unique_id "XylrQam5mugGmg2ui-f5GgAAAAQ"], referer: https://www.example.de/
Code:
# ls -ld /var/cache/modsecurity/
ls: cannot access /var/cache/modsecurity/: No such file or directory

I see this bug has existed for 3 years in Plesk.

I have created a report.
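The mechanism behind the mass bans is that the storage error lines above have the same "[client IP] ... ModSecurity:" shape as a real rule hit, so a log-based ban filter cannot tell them apart. The following triage script is an added example, not code from the thread or from Plesk; it assumes a fail2ban-style filter that counts any such line, and the sample log lines are constructed with documentation IPs to mirror the format quoted in the post.

```python
import re
from collections import Counter, defaultdict

# Matches the error.log lines quoted in the thread. Assumption: a fail2ban-style
# filter keys on "[client IP:port] ... ModSecurity:" regardless of the message.
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[:error\] \[pid \d+\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\].*?ModSecurity: (?P<msg>.*)$")
# Persistent-storage failure seen when /var/cache/modsecurity is missing.
STORAGE_ERROR = "collections_remove_stale: Failed to access DBM file"

def classify(line):
    """Return (client_ip, kind) or None; kind is 'storage_error' or 'rule_event'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kind = "storage_error" if STORAGE_ERROR in m.group("msg") else "rule_event"
    return m.group("ip"), kind

def triage(lines):
    """Per client IP, count storage errors versus genuine rule events."""
    stats = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            ip, kind = hit
            stats[ip][kind] += 1
    return {ip: dict(c) for ip, c in stats.items()}

def likely_false_positives(stats, maxretry=2):
    """IPs that reach a ban threshold on storage errors alone (no real rule hit)."""
    return sorted(ip for ip, c in stats.items()
                  if c.get("storage_error", 0) >= maxretry
                  and c.get("rule_event", 0) == 0)

# Constructed sample lines (documentation IPs) mirroring the thread's format.
_PREFIX = "[Tue Aug 04 16:05:53.773474 2020] [:error] [pid 16755] "
_STALE = ('ModSecurity: collections_remove_stale: Failed to access DBM file '
          '"/var/cache/modsecurity/{}": No such file or directory '
          '[hostname "www.example.de"] [uri "/index.php"]')
_DENY = ('ModSecurity: Access denied with code 403 (phase 2). '
         '[hostname "www.example.de"] [uri "/index.php"]')  # constructed real hit
SAMPLE_LOG = [
    _PREFIX + "[client 198.51.100.7:38102] [client 198.51.100.7] " + _STALE.format("global"),
    _PREFIX + "[client 198.51.100.7:38102] [client 198.51.100.7] " + _STALE.format("ip"),
    _PREFIX + "[client 203.0.113.9:40716] [client 203.0.113.9] " + _STALE.format("global"),
    _PREFIX + "[client 203.0.113.9:40716] [client 203.0.113.9] " + _STALE.format("ip"),
    _PREFIX + "[client 203.0.113.9:40716] [client 203.0.113.9] " + _DENY,
    "unrelated line that should be ignored",
]
```

Running `likely_false_positives(triage(SAMPLE_LOG))` lists only the first IP, which never tripped a rule but would still reach a two-strike threshold from the storage errors alone; feeding it real error.log lines shows how many of the ~800 bans are of that kind.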