Issue ModSecurity with Atomic Basic Rule Set appear be not working

[WebHostingAce]

Server operating system version

CentOS 7

Plesk version and microupdate number

Version 18.0.53 Update #2

Hi,

I'm using ModSecurity with Atomic Basic Rule Set across number of servers.

Recently I have noticed the ModSecurity is not responding to any of these test explained this is support article.

https://support.plesk.com/hc/en-us/articles/12377281676567-How-to-test-ModSecurity-Atomic-Basic-rule-set-in-Plesk-

Upon checking on the ModSecurity Logs, they are empty for last 7 days (Rotated).

By turning off and turn back on fix the issue and the ModSecurity is reponding to the tests as expect.

Thank you.

 

[Peter Debik]

Maybe a previous update failed that caused this situation. Thank you for providing the solution to toggle ModSecurity off/on. Can I then set this entry to "resolved"?

 

[WebHostingAce]

@Peter Debik Thank you.

I manually updated Automic Rule Set. I can confirm it the the ModSecurity stopped responding to the tests again.

 

[jorge ceballos]

Hi,

A couple of days ago I noticed modsec_audit.log was empty as well as all the past week's logs after using Atomic's paid rules.
Please notice that this server was a casualty from Atomic's rules mistake past month and had been running Comodo's rules till the end of june when the paid-for Atomic rules were accepted again (could not make them work for 2 or 3 weeks after the error was suppousedly corrected).

After looking around and not finding anything really convincing related to this, followed the manual's advice:
Caution (Linux): If you select the Atomic ruleset, perform the following procedure to ensure that ModSecurity works fine. Run the aum -u command on the server. The Plesk modsecurity package will be replaced by that from the Atomic repository. Then run the following commands:

• plesk sbin modsecurity_ctl --disable
• plesk sbin modsecurity_ctl --enable
• service httpd restart
  
  

That made it.
Log started filling again.
Hope this helps
Regards

 

[WebHostingAce]

@jorge ceballos Thank you.

It seems to be keeps happening. After updating the AUM then disabled and enabled ModSecurity.

After a day or two logs are empty again.

Have you checked your logs again?

 

[jorge ceballos]

@jorge ceballos Thank you.

It seems to be keeps happening. After updating the AUM then disabled and enabled ModSecurity.

After a day or two logs are empty again.

Have you checked your logs again?

Hi,

Thanks for noticing, you are right. Same thing over here.
Dont really know if ModSec stops working, but logs definitely stop filling.

The issue continues then.

 

[WebHostingAce]

Update the AUM yesterday.

Then did,

• plesk sbin modsecurity_ctl --disable
• plesk sbin modsecurity_ctl --enable
• service httpd restart

Confirmed the ModSecurity is responding as expected. (https://support.plesk.com/hc/en-us/...t-ModSecurity-Atomic-Basic-rule-set-in-Plesk-)

When I checked this today, the Modsecurity seem to be not responding.

 

[Jonathan B]

Same here, every night it stops working, I have to restart the waf every morning.
It's frustrating, wafs have been having problems for months.
I have the paid version of Atomicorp.

 

[Peter Debik]

Could you please report it here with steps to reproduce: Reports

 

[Jonathan B]

Could you please report it here with steps to reproduce: Reports

Thank you Peter, unfortunately there is no procedure that allows me to reproduce the error. The waf seems to go down when apache is restarted overnight.
I've check panel.log and messages logs and they show no errors.

 

[jorge ceballos]

Hi,

Same behavior here.
By the log file hour, modSec stops responding daily at logs rotation - ( 4.00 am + minutes )

In the meanwhile as a temp solution, set a cron to run the AUM update, disable, enable modsec and restart apache.

Hopefully this may be corrected in a future update.

Regards