
Question ModSecurity triggered and disabled webserver and can't get it back online

qtwrk

Basic Pleskian
Hi, recently I just got a serious problem.
I set up OWASP ModSecurity; it's very strict, as it describes, so I am tuning my website and disabling some rules that conflict with my website.
But sometimes a rule is triggered and the webserver just goes offline. I checked that the Nginx and Httpd processes were there, but Chrome just responds "ERR_CONNECTION_TIMED_OUT".

No matter what I do, reboot the server, completely disable ModSecurity, I just can't bring it back online.
 
Do you have the mod security rule enabled in fail2ban?

Regards
Jan

Hmmmm, thanks for the reply.
I am not sure what exactly you want to say with fail2ban.

But this is my setting. Hmmm, you think ModSecurity triggered fail2ban and locked me out?

Speaking of that, it could be, because it's not always "being disabled"; it could be due to multiple triggers when I was tuning it, and eventually it bans me.

And then, here goes another problem.
If I got banned by fail2ban, which means I have no access through the web interface (I don't remember whether I was able to use SSH or not, but I do have VNC), how can I unban myself?

fail2ban.JPG
 
You can unban yourself via Plesk.

If you get yourself banned via fail2ban, you can always enter via another way.
fail2ban works on the port it bans you for. If you trigger a rule that bans you for Apache, it only bans you on port 80. You can enter via Plesk or SSH then and unban yourself.

The plesk-modsecurity rule is active; chances are that you have triggered that.

If you were testing a WordPress site, it's also possible you have triggered the plesk-wordpress rule.

But whatever you were testing, if you kept testing once it was clear again, you might even have triggered the recidive rule.

regards
Jan
 
To add to this:

A fail2ban rule for mod_security is a bad idea that breaks more than it solves. Both do the same thing: stop bad people from doing bad things on a website.

But if a legit user makes a mistake (like yourself now), like making a normal posting that has words like "insert into where" (insert the herbs into the chicken there where you can) in them that triggers a cross-query rule, when they try to fix the posting and trigger the rule a few times, they will get banned for 30 or more minutes from all websites by fail2ban.

For repeat offenders like script kiddies, you can better install mod_evasive. Not exactly the same, I know, but attackers use scripts and try and try again; real users pause and think about their error. But fail2ban doesn't know "pauses". All it knows is: have I seen this IP address 5 times within 10 minutes (or whatever your setup is).

Security is good and needed, but security must not become a witch hunt.

just my 2 cents

Regards
Jan
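
For the unban question raised in this thread, an added example (not part of any forum post or of Plesk's own tooling): a shell helper that asks `fail2ban-client` which jails currently hold a given IP, `recidive` included, and unbans it from each one. The function names and the `F2B_CLIENT` override variable are assumptions of this example, and the address shown is a constructed documentation address; run it as root from a session that is not blocked, such as the VNC console.

```bash
#!/usr/bin/env bash
# Added example: find which fail2ban jails currently ban an IP and lift the bans.
# F2B_CLIENT is a hypothetical override so the logic can be exercised without fail2ban.
F2B_CLIENT="${F2B_CLIENT:-fail2ban-client}"

# Print every jail name known to fail2ban, one per line.
list_jails() {
    $F2B_CLIENT status \
        | sed -n 's/.*Jail list:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sed '/^$/d'
}

# Print the jails whose "Banned IP list" contains exactly the given IP.
# Exact word comparison keeps 203.0.113.7 from matching 203.0.113.70.
jails_banning() {
    ip="$1"
    for jail in $(list_jails); do
        banned=$($F2B_CLIENT status "$jail" | sed -n 's/.*Banned IP list:[[:space:]]*//p')
        for entry in $banned; do
            if [ "$entry" = "$ip" ]; then
                echo "$jail"
                break
            fi
        done
    done
}

# Unban the IP in every jail that holds it; prints each jail it touched.
unban_everywhere() {
    ip="$1"
    for jail in $(jails_banning "$ip"); do
        $F2B_CLIENT set "$jail" unbanip "$ip" >/dev/null && echo "unbanned $ip from $jail"
    done
}

# Run as: sudo ./f2b-unban.sh 203.0.113.7   (constructed documentation address)
if [ "$#" -eq 1 ]; then
    unban_everywhere "$1"
fi
```

Checking every jail matters here because an address that was banned repeatedly while tuning rules can sit in both `plesk-modsecurity` and `recidive`, and clearing only the first leaves the longer ban in place.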
 