
Issue Modsecurity stops working every night

ivanes82

Basic Pleskian
Server operating system version: AlmaLinux 8.10
Plesk version and microupdate number: Plesk Obsidian 18.0.66 #1
I have been noticing for a while that when I disable and re-enable modsecurity, it starts to block malicious attacks, but after a day there is no more IP blocking, and the logs are completely blank. This made me suspicious, and although modsecurity is shown as active in the Plesk interface, I have the feeling that it is not working.

I have created a rule for modsecurity, so that when visiting a URL on my server it shows error 403 if modsecurity is running, and error 404 if it is not. I have set the rule so that it does not register in the log when it is triggered, so that it does not block the IP.

This is the modsecurity rule:

<IfModule mod_security2.c>
SecRule REQUEST_URI "@streq /checkmodsecurity" "id:1000001,phase:1,t:none,deny,status:403,nolog,msg:'Regla para chequeo de modsecurity'"
</IfModule>

I then created a script that checks this url every 5 minutes, and if visiting the url results in 403, it does nothing, but if it results in 404, it sends me an email telling me that modsecurity is not working, and reactivates modsecurity with the command “/usr/sbin/plesk sbin modsecurity_ctl --enable”.

Since then I have found that modsecurity stops working every night between 3:15am and 3:20am, and that running the command “/usr/sbin/plesk sbin modsecurity_ctl --enable” makes it work again.

Since then there is no more blank modsecurity log and modsecurity blocks as expected.

Is this a modsecurity bug in Plesk? I would also add that even though modsecurity stops working, the Plesk interface shows it as active, which leads to confusion, implying that the server is protected when it is not.
 
Running “plesk sbin modsecurity_ctl --status” resulted in disabled.

The panel.ini logs set to debug show nothing.

Because I have automatic modsecurity updates disabled, due to a bug (PPPM-14747) that leaves SELinux permissive when the rules are updated, I have a cron job that updates the atomic rules manually, using the command aum -u.

I have found that running aum -u to update the rules manually keeps modsecurity working perfectly, but when running the command “plesk sbin modsecurity_ctl --status” it disables modsecurity. I understand that this command runs on maintenance tasks automatically, and when it does it disables modsecurity.

To reproduce the error:

# plesk sbin modsecurity_ctl --status
result: Enabled

# aum -u

# plesk sbin modsecurity_ctl --status
result: Disabled

Best regards.
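
The watchdog described in this post, as an added example that is not ivanes82's own script: it treats a 403 from the canary rule as active, a 404 as inactive, and any other status as inconclusive instead of re-enabling blindly. The URL host, mail recipient, the `mail` command and the function names are assumptions; the security2.conf path is the file named later in this thread.

```bash
#!/usr/bin/env bash
# ModSecurity canary watchdog, meant for a 5-minute cron job (added example).
# Assumptions: CANARY_URL, ALERT_TO, the function names and a local `mail` command.
CANARY_URL="${CANARY_URL:-https://www.example.com/checkmodsecurity}"
ALERT_TO="${ALERT_TO:-root}"
SEC_CONF="${SEC_CONF:-/etc/httpd/conf.d/security2.conf}"

# Print the canary's HTTP status; curl prints 000 when the connection fails.
fetch_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$CANARY_URL"
}

# Map the status to a WAF state: only 403 and 404 are a verdict on ModSecurity.
classify_status() {
    case "$1" in
        403) echo active ;;    # rule id 1000001 denied the request
        404) echo inactive ;;  # request reached the site, so the engine is off
        *)   echo unknown ;;   # 000, 5xx, redirects: web server problem
    esac
}

# The thread reports that "modsecurity_ctl --status" left the engine disabled
# after "aum -u", so the watchdog never calls --status, only --enable.
reenable() { /usr/sbin/plesk sbin modsecurity_ctl --enable >/dev/null; }

alert() { printf '%s\n' "$2" | mail -s "$1" "$ALERT_TO"; }

check_once() {
    local code state conf=present
    code="$(fetch_status)" || true
    state="$(classify_status "$code")"
    [ -e "$SEC_CONF" ] || conf=missing   # second signal: config file removed
    case "$state" in
        active) echo ok ;;
        inactive)
            reenable
            alert "ModSecurity was off" "HTTP $code, $SEC_CONF $conf, re-enabled"
            echo reenabled ;;
        unknown)
            alert "ModSecurity canary inconclusive" "HTTP $code, $SEC_CONF $conf"
            echo inconclusive ;;
    esac
}

# Act only when called with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then check_once; fi
```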
 
Because there is an issue that causes selinux permissive PPPM-14747 to occur when automated modsecurity updates are disabled, I have a cron job that manually updates the atomic rules using the command aum -u.

When I manually update the rules using aum -u, modsecurity continues to function flawlessly; however, when I use the command "plesk sbin modsecurity_ctl --status," modsecurity is disabled. I am aware that this program automatically disables modsecurity when it executes maintenance activities.
 
Thank you for the update. Running aum -u manually is generally not expected by customers and can interfere with Plesk configuration files. It appears that in this particular case it removes /etc/httpd/conf.d/security2.conf. Until PPPM-14747 is fixed what you can do is:

  1. Execute the following command:
    plesk sbin modsecurity_ctl --enable-ruleset --apache --ruleset tortix --enable
  2. Make the config file immutable:
    chattr +i /etc/httpd/conf.d/security2.conf

Note that after the bug is fixed, it is important to adjust the security2.conf file and remove the immutable flag:

chattr -i /etc/httpd/conf.d/security2.conf
 
I am now getting this, and the modsecurity rules are not updated.

I have the paid atomic rules.

I didn't get to use chattr +i /etc/httpd/conf.d/security2.conf. Simply running /usr/sbin/plesk sbin modsecurity_ctl --enable fixed it.

Atomic Updater
Analyzing system ... done

error: account validation failed

Checking for updates ...

Core packages : 6.0.59-32440 update available

Atomicorp WAF Rules : 202501022303 update available
 
Don't mind me, today was the automatic renewal. Is there any way to change the payment for a Plesk plugin from monthly to yearly?

I bought atomic monthly to test it, and now I want to change it to annual, but I don't know how to do it.
 
Unfortunately, it's not possible to change the current billing cycle. You need to cancel the current subscription and purchase a new one. More details here.
 
I cancelled the automatic renewal before it was due for renewal. Even so it is still active and when I try to buy a new license, it does not let me enter my server id.

The subscription has been cancelled. Your license is valid until
2025-01-03
Reactivate subscription
License status:
active
 
@ivanes82, could you please provide me with the extension key in a private message so I can forward it to our Customer Care team for a further check? Alternatively, you can directly get in touch with them.
 
This has been fixed in the Plesk Obsidian 18.0.66, #2 update.

I don't understand the lack of transparency by not publishing it in the log. I think it is important to upgrade to this version, since disabling selinux is quite serious.
 