
Question ModSecurity triggered and disabled webserver and can't get it back online

qtwrk

Basic Pleskian
Hi, recently I ran into a serious problem.
I set up OWASP ModSecurity; it's very strict, as it describes, so I am tuning my website and disabling some rules that conflict with it.
But sometimes a rule is triggered and the webserver just goes offline. I checked and the Nginx and Httpd processes were there, but Chrome just responds "ERR_CONNECTION_TIMED_OUT".

No matter what I do (reboot the server, completely disable ModSecurity), I just can't bring it back online.
 
Do you have the mod security rule enabled in fail2ban?

Regards
Jan

Hmmmm, thanks for the reply.
I am not sure what exactly you want to say about fail2ban.

But this is my setting. Hmmm, you think ModSecurity triggered fail2ban and locked me out?

Speaking of that, it could be, because it's not always "being disabled"; it could be due to multiple triggers when I was tuning it, and eventually it banned me.

And then, here goes another problem.
If I got banned by fail2ban, which means I have no access through the web interface, I don't remember whether I was able to use SSH or not, but I do have VNC, so how can I unban myself?

[Attachment: fail2ban.JPG]
 
You can unban yourself via Plesk.

If you get yourself banned via fail2ban, you can always enter via another way.
fail2ban works on the port it bans you for. If you trigger a rule that bans you for Apache, it only bans you on port 80. You can then enter via Plesk or SSH and unban yourself.

The plesk-modsecurity rule is active; chances are that you have triggered that.

If you were testing a WordPress site, it's also possible you have triggered the plesk-wordpress rule.

But whatever you were testing, if you kept testing once it was clear again, you might even have triggered the recidive rule.

regards
Jan
 
To add to this:

A fail2ban rule for mod_security is a bad idea that breaks more than it solves. Both do the same thing: stop bad people from doing bad things on a website.

But if a legit user makes a mistake (like yourself now), like making a normal posting that has words like "insert into where" ("insert the herbs into the chicken there where you can") in it that triggers a cross-query rule, when they try to fix the posting and trigger the rule a few times, they will get banned for 30 or more minutes from all websites by fail2ban.

For repeat offenders like script kiddies, you can better install mod_evasive. Not exactly the same, I know, but attackers use scripts and try and try again; real users pause and think about their error. But fail2ban doesn't know "pauses". All it knows is: have I seen this IP address 5 times within 10 minutes (or whatever your setup is).

Security is good and needed, but security must not become a witch hunt.

Just my 2 cents.

Regards
Jan
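An added example (not from the thread, Plesk or fail2ban) that covers both of Jan's points: given a fail2ban.log excerpt, it tells you which jails currently hold a ban on your own address and prints the fail2ban-client commands to lift them, and it replays the maxretry/findtime counting that decides when a legitimate user retrying a post gets banned. The log lines, jail names beyond plesk-modsecurity/plesk-wordpress/recidive, and addresses are constructed; `fail2ban-client set <jail> unbanip <ip>` is the standard fail2ban unban command.

```python
import re
from datetime import datetime, timedelta

# Constructed fail2ban.log excerpt (sample data, not from the thread).
# 203.0.113.7 stands in for the admin's own address, banned while tuning rules.
SAMPLE_LOG = """\
2024-05-10 10:03:40,001 fail2ban.actions [1234]: NOTICE [plesk-modsecurity] Ban 203.0.113.7
2024-05-10 10:33:40,120 fail2ban.actions [1234]: NOTICE [plesk-modsecurity] Unban 203.0.113.7
2024-05-10 10:40:02,500 fail2ban.actions [1234]: NOTICE [plesk-modsecurity] Ban 203.0.113.7
2024-05-10 10:40:03,000 fail2ban.actions [1234]: NOTICE [recidive] Ban 203.0.113.7
2024-05-10 10:41:00,000 fail2ban.actions [1234]: NOTICE [plesk-wordpress] Ban 198.51.100.9
"""

# Matches the Ban/Unban NOTICE lines fail2ban.actions writes.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[\w-]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)


def active_bans(log_text, ip):
    """Jails whose most recent Ban/Unban action for `ip` is a Ban."""
    state = {}
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m and m["ip"] == ip:
            state[m["jail"]] = m["action"] == "Ban"
    return sorted(jail for jail, banned in state.items() if banned)


def unban_commands(log_text, ip):
    """One fail2ban-client command per jail still holding a ban on `ip`."""
    return [f"fail2ban-client set {jail} unbanip {ip}" for jail in active_bans(log_text, ip)]


def hits_every(seconds, count, start=datetime(2024, 5, 10, 10, 0)):
    """Constructed timestamps of `count` filter hits spaced `seconds` apart."""
    return [start + timedelta(seconds=seconds * i) for i in range(count)]


def would_ban(hit_times, maxretry=5, findtime=timedelta(minutes=10)):
    """Simplified replay of fail2ban's rule: maxretry hits inside findtime => ban.

    Only the count inside the sliding window matters; how long the user
    paused between attempts is irrelevant unless it pushes hits out of it.
    """
    hits = sorted(hit_times)
    for i, first in enumerate(hits):
        if sum(1 for t in hits[i:] if t - first <= findtime) >= maxretry:
            return True
    return False


if __name__ == "__main__":
    print("\n".join(unban_commands(SAMPLE_LOG, "203.0.113.7")))
```

Run the script against a copy of the real fail2ban.log to see every jail you must unban; a ban in recidive survives unbanning plesk-modsecurity alone.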
 