
Issue ModSecurity: Issue with Comodo rules set?

Azurel

Silver Pleskian
I use Plesk Obsidian with CentOS 7.8 and changed from the Atomic to the Comodo ModSecurity rules. After this, a moderator of my project was banned. Reason: it showed up two times in "plesk-modsecurity" and got a jail for "recidive" (banned for a week).

/var/log/modsec_audit.log
--b0bd2d59-A--
[04/Aug/2020:17:12:01 +0200] Xyl6wLFCz9we-GcmRYPKZwAAAAM USER_IPv4 40716 SERVER_IPv4 7081
--b0bd2d59-B--
GET /folder/index?text=%E3%82%A8%E3%83%AB%E3%83%95%E5%85%AC%E7%88%B5%E3%81%AF%E5%91%AA%E3%82%8F%E3%82%8C%E4%BB%A4%E5%AC%A2%E3%82%92%E3%82%A4%E3%83%A4%E3%82%A4%E3%83%A4%E5%A8%B6%E3%82%8B&quick-search=&char=all&q=true HTTP/1.0
Host: www.example.de
X-Real-IP: USER_IPv4
Connection: close
user-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-language: de-CH,de;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate, br
referer: https://www.example.de/
authorization: Basic REMOVED
upgrade-insecure-requests: 1
cookie: REMOVED

--b0bd2d59-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/7.4.8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Webkit-CSP: default-src 'self';img-src * 'self' data:;font-src 'self' *.gstatic.com;style-src 'self' 'unsafe-inline' *.example.de *.googleapis.com;script-src 'self' 'nonce-gtXL2sEaAefP' *.example.de *.example.com *.google.com *.googlesyndication.com;frame-src 'self' 'nonce-gtXL2sEaAefP' *.youtube.com *.facebook.com *.amazon-adsystem.com *.vimeo.com *.dailymotion.com;connect-src 'self' api.jikan.moe;
X-Content-Security-Policy: default-src 'self';img-src * 'self' data:;font-src 'self' *.gstatic.com;style-src 'self' 'unsafe-inline' *.example.de *.googleapis.com;script-src 'self' 'nonce-gtXL2sEaAefP' *.example.de *.example.com *.google.com *.googlesyndication.com;frame-src 'self' 'nonce-gtXL2sEaAefP' *.youtube.com *.facebook.com *.amazon-adsystem.com *.vimeo.com *.dailymotion.com;connect-src 'self' api.jikan.moe;
Content-Security-Policy: upgrade-insecure-requests
Upgrade-Insecure-Requests: 1
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin
X-Content-Age: 12
Set-Cookie: key=value; expires=Wed, 05-Aug-2020 03:12:01 GMT; Max-Age=43200; path=/; domain=.example.de; secure; HttpOnly
Connection: close
Content-Type: text/html; charset=utf-8

--b0bd2d59-H--
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/global": No such file or directory
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Handler: proxy:unix:///var/www/vhosts/system/example.de/php-fpm.sock|fcgi://127.0.0.1:9000
Stopwatch: 1596553920214099 1023775 (- - -)
Stopwatch2: 1596553920214099 1023775; combined=32643, p1=1031, p2=30927, p3=0, p4=0, p5=445, sr=27, sw=0, l=0, gc=240
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--b0bd2d59-Z--

--0d086038-A--
[04/Aug/2020:16:05:53 +0200] XylrQam5mugGmg2ui-f5GgAAAAQ USER_IPv4 38102 SERVER_IPv4 7081
--0d086038-B--
POST /ajax/manage/notifications HTTP/1.0
Host: www.example.de
X-Real-IP: USER_IPv4
Connection: close
Content-Length: 59
user-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
accept: application/json, text/javascript, */*; q=0.01
accept-language: de-CH,de;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate, br
referer: https://www.example.de/
content-type: application/x-www-form-urlencoded; charset=UTF-8
x-requested-with: XMLHttpRequest
origin: https://www.example.de/
authorization: Basic REMOVED
cookie: REMOVED

--0d086038-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/7.4.8
Set-Cookie: key=value; expires=Wed, 05-Aug-2020 02:05:53 GMT; Max-Age=43200; path=/; domain=.example.de; secure; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8

--0d086038-H--
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/global": No such file or directory
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Handler: proxy:unix:///var/www/vhosts/system/example.de/php-fpm.sock|fcgi://127.0.0.1:9000
Stopwatch: 1596549953690309 83409 (- - -)
Stopwatch2: 1596549953690309 83409; combined=16522, p1=859, p2=15132, p3=0, p4=0, p5=341, sr=23, sw=0, l=0, gc=190
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--0d086038-Z--

More and more users get banned. Because Plesk Obsidian doesn't show and sort with a datetime object, I must now remove ~800 bans.
 
I have taken a look in error.log and found these lines for hundreds of users when the rule set from Comodo is enabled. With Atomic there are no issues.

[Tue Aug 04 16:05:53.773474 2020] [:error] [pid 16755] [client USER_IPv4:38102] [client USER_IPv4] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/global": No such file or directory [hostname "www.example.de"] [uri "/index.php"] [unique_id "XylrQam5mugGmg2ui-f5GgAAAAQ"], referer: https://www.example.de/
[Tue Aug 04 16:05:53.773539 2020] [:error] [pid 16755] [client USER_IPv4:38102] [client USER_IPv4] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory [hostname "www.example.de"] [uri "/index.php"] [unique_id "XylrQam5mugGmg2ui-f5GgAAAAQ"], referer: https://www.example.de/
Code:
# ls -ld /var/cache/modsecurity/
ls: cannot access /var/cache/modsecurity/: No such file or directory

I see this bug has existed for 3 years in Plesk.

I have created a report.
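
A triage helper for the audit-log format shown above, added here as an example (not part of the original post and not Plesk or ModSecurity code): it splits the serial log into transactions and counts, per client IP, the ones whose section H carries only engine messages such as `collections_remove_stale` and no rule `[id "..."]`. The sample log, its IP addresses and rule id 999999 are constructed.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def parse_audit_log(text):
    """Split a serial-format audit log into {txn_id: {section_letter: [lines]}}."""
    txns, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            txn_id, part = m.groups()
            # Section Z closes the transaction and has no content of its own.
            current = None if part == "Z" else txns.setdefault(txn_id, {}).setdefault(part, [])
        elif current is not None and line:
            current.append(line)
    return txns

def classify(txn):
    """Return (client_ip, kind, rule_ids) for one parsed transaction."""
    # Section A: [timestamp] unique_id client_ip client_port server_ip server_port
    client_ip = txn["A"][0].split("] ", 1)[1].split()[1]
    messages = [l for l in txn.get("H", []) if l.startswith("Message: ")]
    rule_ids = [i for l in messages for i in RULE_ID.findall(l)]
    kind = "rule-hit" if rule_ids else "engine-error-only" if messages else "no-message"
    return client_ip, kind, rule_ids

def engine_error_clients(text):
    """Count, per client IP, transactions logged without any rule match."""
    counts = Counter()
    for txn in parse_audit_log(text).values():
        ip, kind, _ = classify(txn)
        if kind == "engine-error-only":
            counts[ip] += 1
    return counts

# Constructed sample: first entry mirrors the post, second is a made-up rule hit.
SAMPLE = """\
--b0bd2d59-A--
[04/Aug/2020:17:12:01 +0200] Xyl6wLFCz9we-GcmRYPKZwAAAAM 192.0.2.10 40716 198.51.100.5 7081
--b0bd2d59-H--
Message: collections_remove_stale: Failed to access DBM file "/var/cache/modsecurity/ip": No such file or directory
--b0bd2d59-Z--
--aaaaaaaa-A--
[04/Aug/2020:17:13:00 +0200] ConstructedUniqueId0000000A 192.0.2.77 40800 198.51.100.5 7081
--aaaaaaaa-H--
Message: Access denied with code 403 (phase 2). [id "999999"] [msg "constructed rule"]
--aaaaaaaa-Z--
"""
print(dict(engine_error_clients(SAMPLE)))
```

Client IPs that appear only in the `engine-error-only` count were logged without a rule match, which makes them the first candidates to review when clearing bans.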
 