• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx

  • We are developing a new feature in Plesk that will help you promote your websites or business on social media. We want to conduct a one-hour online UX test to present the prototype and collect feedback. If you are interested in the feature, please book a meeting via this link.
    Thank you in advance!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

ModSecurity not working

DariuszR

New Pleskian
I have ModSecurity installed and enabled for scanning and blocking but it does not block anything. Tried different rule sets including basic and paid Atomic and Comodo. Rule sets are downloaded fine to /etc/httpd/conf/modsecurity.d/rules/. It does write to modsec_audit.log but doesn't give 403 to anything. When try to test it with foo.php?foo= apache gives normal 404 not 403 as it should. Tried to reinstall module from plesk but it didn't help. Any suggestion?

edit: I found out what was the issue. After one of the Plesk updates security2.conf file was removed from /etc/httpd/conf.d and it was replaced by 00_mod_security.conf and because of that none of the rule sets was included in apache config. 00_mod_security.conf looks for rule sets in /etc/https/modsecurity.d/ and security2.conf looks in /etc/httpd/conf/modsecurity.d/ where they actually are. I have CrashPlan setup on the server so I was able to go back in time and look what was changed. It happened on 06/12/14 so it would be nice if some of the Plesk's developers checked what update caused that.
 
Last edited:
My Mod Security stopped working after a Plesk 12 update on 20th June.
I did not notice at first because it still continued to produce generic type messages but was not blocking anything.

Yesterday I set about putting it right - firstly the file 00_mod_security.conf had disappeared completely, so I re-installed the extension from the Plesk 12 control panel and I found the file 00_mod_security.conf in this directory - /etc/httpd/conf.d.

The contents of this file were not correct and I had to change

# Rule management is handled by ASL
Include modsecurity.d/00*exclude.conf
Include modsecurity.d/*asl*.conf
Include modsecurity.d/99*exclude.conf

to

# Rule management is handled by ASL
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/00*exclude.conf
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/*asl*.conf
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/99*exclude.conf

I also had to make an adjustment to the following file
/etc/asl/config where the MODSEC_RULES_PATH was not correct

I set it to
MODSEC_RULES_PATH="/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"

Restarted Apache and tested with the following from the command line

wget http:// MY SERVER IP ADDRESS/foo.php?foo=http://www.example.com

This correctly generated a 403 Forbidden message.
 
Last edited:
modsecurity also not working here. Centos6.5/X64, Plesk 12.0.8 MU#5 and MU#6. 00_mod_security.conf is missing. Running aum -u gives

Checking versions ...

ASL version is current: [PASS]

Warning: fopen(): failed to open stream: No such file or directory in src/component/c_modsec.php on line 142
-------------------------------------------------------------------------------
Errors were encountered:

L CODE SOURCE MESSAGE
- ---- ----------------------------- ------------------------------------------
3 1 c_modsec::tortix_conf_generat An error occurred attempting to open file
/tmp/tmpYF9yjh/modsec/tortix_waf.conf.new
 
The file /tmp/tmpYF9yjh never existed on my installation

tortix_waf.conf is located in this directory..

/etc/httpd/conf/modsecurity.d/rules/tortix/modsec

Running aum -u gets me...

aum -u

Checking versions ...

ASL version is current: [PASS]

Warning: fopen(): failed to open stream: Not a directory in src/component/c_mod sec.php on line 142
-------------------------------------------------------------------------------
Errors were encountered:

L CODE SOURCE MESSAGE
- ---- ----------------------------- ------------------------------------------
3 1 c_modsec::tortix_conf_generat An error occurred attempting to open file
/etc/httpd/conf/modsecurity.d/rules/tortix
/modsec/50_plesk_basic_asl_rules.conf/tort
ix_waf.conf.new
 
Last edited:
eilko try this....
the contents of my /etc/httpd/conf.d/00_mod_security.conf are ....


LoadModule security2_module /etc/httpd/modules//mod_security2.so
LoadModule unique_id_module /etc/httpd/modules//mod_unique_id.so

<IfModule mod_security2.c>
# Basic configuration goes in here
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/tortix_waf.conf

# Rule management is handled by ASL
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/00*exclude.conf
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/*asl*.conf
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/99*exclude.conf

</IfModule>

Also in /etc/asl/config set the following...
MODSEC_RULES_PATH="/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"

restart apache and let us know the outcome.
 
I added the /etc/httpd/conf.d/00_mod_security.conf file. As configtest gave me a double load of mod_security2 and mod_unique_id, I didn't add those lines but sticked to the lines in /etc/httpd/conf/modsecurity.d/rules/tortix/plesk_init.conf:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/tortix_waf.conf
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/00*exclude.conf
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/*asl*.conf
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/99*exclude.conf

I also changed /etc/asl/config as stated. All seems to work again.
 
Hmmm... almost :) When I run #aum upgrade to update the rules I get an error on the /etc/asl/config statement. I changed it to MODSEC_RULES_PATH="/etc/httpd/conf/modsecurity.d/rules/tortix/modsec" and now #aum upgrade runs fine and it updates the ruleset.
 
I had to make a new forum account as my other one wouldn't let me login....

eilko, your changes might be working for now but as the file you edited clearly states, any changes will be lost when the file is generated again

This might be tomorrow, next week, or who knows when - but they will be lost for sure.





/etc/httpd/conf/modsecurity.d/rules/tortix/plesk_init.conf:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
 
To get it working again you just have to delete 00_mod_security.conf and create security2.conf with that content:

LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
SecDataDir /var/cache/modsecurity
Include "/etc/httpd/conf/modsecurity.d/*.conf"
</IfModule>

and enable unique_id_module in httpd.conf
 
Last edited:
On my brand new system, 00_modsecurity.conf was totally empty, except a warning. I put the "loadmodule" command in there:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

LoadModule security2_module /etc/httpd/modules/mod_security2.so
 
Last edited:
Back
Top