• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue modsecurity_ctl failed: HTTP Error 403: Forbidden Unable to download tortix rule set

VerenaE

New Pleskian
Hello,
since today the rule updates of mod_security Atomic Basic failes with the error message:
modsecurity_ctl failed: HTTP Error 403: Forbidden
Unable to download tortix rule set

I tried it on several servers and vservers, everywhere the same.

Is it a problem from Atomicorp or Plesk?

Should I do something or should I wait?

Thanks in advance,
Verena
 
Same here, since yesterday i get this error message.
I tried the suggestion from this Post:
https://talk.plesk.com/threads/issue-with-atomiccorp-rules-updates.340272/
pls. consider to use the ssh - command over the command line ( logged in as user "root" ):

/usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php UpdateModSecurityRuleSet

... and/or try to switch the actual rule-set and reverse it afterwards over your Plesk Control Panel ( => Home > Tools & Settings > Web Application Firewall ). ;)
But now i can't change back to the Atomic Ruleset...
 
Last edited:
Similar to me, on one of my server I have changed now to the OWASP Ruleset and can not go back to the atomic, the other server can still not be updated, the error message is still present. Tried to run the plesk micro updates too but nothing changed.

Reinstall of mod_security with the Plesk autoinstaller doesn't help also - if you do this, aum is gone and need to be installed and configured manually - I think because of the error.

It would be great if someone could help here.
 
Well. The problem on Atomic side.
There are two related issues - changed Atomic URLs for updating rules and problem with aum on CentOS7 when you see problem like

stderr: /var/asl/bin/aum: error while loading shared libraries: libphp-runtime_s-3.3a.so: cannot open shared object file: No such file or directory

First problem you can fix with update URLs manually in /usr/local/psa/lib/modules/python/pylib-modsec-atomic/plesk_atomic.py .
You can use this patch as a reference:

Code:
--- /usr/local/psa/lib/modules/python/pylib-modsec-atomic/plesk_atomic.py.orig    2015-08-26 19:20:58.000000000 +0600
+++ /usr/local/psa/lib/modules/python/pylib-modsec-atomic/plesk_atomic.py    2017-05-22 15:04:58.613893000 +0700
@@ -30,8 +39,8 @@

 AUTOGENERATED_CONFIGS = "#ATTENTION!\n#\n#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,\n#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.\n"

-AUM_PLESK_INSTALLER_NAME = "aum-plesk-installer"
-AUM_PLESK_INSTALLER_URL = "http://www.atomicorp.com/installers/" + AUM_PLESK_INSTALLER_NAME
+AUM_PLESK_INSTALLER_NAME = "aum"
+AUM_PLESK_INSTALLER_URL = "https://updates.atomicorp.com/installers/" + AUM_PLESK_INSTALLER_NAME
 AUM_PLESK_INSTALLER_SIGNATURE_URL = AUM_PLESK_INSTALLER_URL + ".asc"

 GPGHOMEDIR = "/var/lib/plesk/modsec/.gnupg"

Second problem on CentOS7 you can fix with the command:

# /usr/bin/cp -f /var/asl/bin/aum.static /var/asl/bin/aum

We are working on automatic fix in the nearest Plesk update.
 
thank you, changing the two lines in /usr/local/psa/lib/modules/python/pylib-modsec-atomic/plesk_atomic.py
and copying the file fixed this issue
updating via plesk php /usr/local/psa/admin/plib/DailyMaintainance/script.php -f UpdateModSecurityRuleSet daily
worked fine.
 
Change the two lines gives me...

plesk php /usr/local/psa/admin/plib/DailyMaintainance/script.php -f UpdateModSecurityRuleSet daily

[2017-05-24 08:52:02] ERR [util_exec] proc_close() failed ['/opt/psa/admin/bin/modsecurity_ctl' '--install' '--with-backup' '--ruleset' 'tortix'] with exit code [1]
[2017-05-24 08:52:02] ERR [panel] modsecurity_ctl failed: HTTP Error 403: Forbidden
Unable to download tortix rule set
 
I have the same problem with Ubuntu
I reinstalled ModSecurity and I got this error

Failed to install the ModSecurity rule set: modsecurity_ctl failed: HTTP Error 403: Forbidden Unable to download tortix rule set

Ubuntu
cp -f /var/asl/bin/aum.static /var/asl/bin/aum

I get:
cp: cannot stat '/var/asl/bin/aum.static': No such file or directory
 
Last edited:
@IgorG

With respect to your post and the bugreport

At the moment bugreport PPPM-6302 is under developer's investigation.

note the following.

The bug is very likely to be more complex than the suggested solution can support.

I will explain this statement later, as far as possible (tests are still being executed).

In essence, there seem to be issues with:

- the gpg keys
- the aum installer script (in particular, the --force-yes flag which should --allow or even "yes | apt-get .... " )

and also note that

- the patch in plesk_atomic.py is not required, if aum has been installed previously
- Atomic Basic Modsecurity gives some error notifications but does run the equivalent of aum -c && aum -uf
- Atomic Professional Modsecurity is an entirely different story: many issues with aum and/or updating or installing rulesets

In short, please have a look at the various scenario´s.......since a future bugfix cannot be relying on the patch in plesk_atomic.py alone.

Regards..............
 
For us the solution works on some machines. On some the modified /usr/local/psa/lib/modules/python/pylib-modsec-atomic/plesk_atomic.py throws a 403 while the original version works. But basically, yes, the hints are helpful.

No indication why it works on some and on others the .py-file must not be modified. Tested on versions 12.5, 17.0 and 17.5, but yet on two 17.5 machines that should have the same software on them the behavior is different and on two 17.0 machines that should also be the same setup the behavior of the update is different, too.
 
Last edited:
I get:
cp: cannot stat '/var/asl/bin/aum.static': No such file or directory

For Ubuntu edit plesk_atomic.py as IgorG said and then update as eilko said "sudo plesk php /usr/local/psa/admin/plib/DailyMaintainance/script.php -f UpdateModSecurityRuleSet daily"

For me it worked in ubuntu 14 + Onyx 17.0 + Atomic Basic & Ubuntu 16 + Onyx 17.5 + Atomic Basic
 
For us the solution works on some machines. On some the modified /usr/local/psa/lib/modules/python/pylib-modsec-atomic/plesk_atomic.py throws a 403 while the original version works. But basically, yes, the hints are helpful.

No indication why it works on some and on others the .py-file must not be modified. Tested on versions 12.5, 17.0 and 17.5, but yet on two 17.5 machines that should have the same software on them the behavior is different and on two 17.0 machines that should also be the same setup the behavior of the update is different, too.

@Peter Debik

I am currently testing all thinkable scenario´s (and a lot of them exist), since this particular issue with ModSecurity is not standard at all.

I can already tell you that the different behaviour on your machines is very likely to be related to the presence of aum.

The fact is that the patch in plesk_atomic.py does not matter, if aum has been installed previously.

In this case, aum will run from the config in /etc/asl/config and simply update rulesets properly.

I do have a question though: are you using a Ubuntu OS (and if yes, which version: 16.04.2 LTS?)

Regards......
 
Silently failed, not displaying the error on the panel at first, but on the ModSecurity page, new fail:

Code:
...
<[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: Signature made Wed May 24 13:53:47 2017 CEST using RSA key ID 4520AFA9
gpg: BAD signature from "Atomicorp (Atomicorp Official Signing Key) <[email protected]>"
Command '['gpg', '--homedir', '/var/lib/plesk/modsec/.gnupg', '--verify', '/tmp/tmpJt3wAq/aum-plesk-installer.asc']' returned non-zero exit status 1
Unable to download tortix rule set

same as in https://talk.plesk.com/threads/modsecurity-failed-to-install-the-modsecurity-rule-set.343452/

Maybe linked to the change of the installer name? Does that need updates on signatures? Where to obtain the matching signatures, where to place them?
 
It is a pity that such an authoritative and oldest forum user @atomicturtle stopped coming here to the forum. His participation in this thread would be priceless.
 
Back
Top