Question Multiple 403 errors by Modsec after Update version: 18.0.60.1 → 18.0.61.5

[Pascal_Netenvie]

Server operating system version

Debian 11.9

Plesk version and microupdate number

18.0.61mu5

Hello,
Today 2 servers had Plesk upgraded to v 18.0.61mu5,
and on those 2 servers we started to have lot of 403 errors returned by Modsecurity with Owasp rules.

Is there some change about this ?
Can it come from Nginx upgrade ?
Do you have an idea ... ?

We had to switch to Comodo to get back to normal behaviour.

Regards !

 

[Pascal_Netenvie]

I see there was an Updated OWASP ModSecurity CRS to version 4.2.0 in 18.0.61 ...
Perhaps it come from this.

 

[Kaspar@Plesk]

The OWASP rule set got updated to 4.2.0 with Plesk 18.0.61.

 

[Pascal_Netenvie]

Ok it come from that.
New rules are much more restrictive.
We had to switch to Comodo.

 

[danami]

@Kaspar@Plesk You should note that coreruleset v4.3.0 has already been released (likely because of issues with 4.2.0):

Releases · coreruleset/coreruleset

OWASP CRS (Official Repository). Contribute to coreruleset/coreruleset development by creating an account on GitHub.

github.com

Plesk might want to update to that.

 

[Kaspar@Plesk]

@danami thanks, will relay that internally

 

[trialotto]

@danami thanks, will relay that internally

@Kaspar@Plesk

It would be keep the OWASP ruleset updated on a more frequent basis.

In a not so far away past, Plesk did continue to use (old) rulesets that were vulnerable, even though security patches were released already.

In addition, Plesk Team could consider to mitigate too strict OWASP rulesets for WordPress based sites - a script could suffice to change that one setting.

More importantly, the Atomicorp ruleset is working like a charm out-of-the-box when installed manually, but installation via Plesk GUI is still troublesome.

In my humble opinion, a WAF ruleset should help Plesk users (and not be a root cause of stress due to all kinds of impediments).

Is there any roadmap for future improvements concerning the WAF, rulesets and the method of configuration via Plesk GUI?

Kind regards....

 

[Pascal_Netenvie]

Yes security is a main concern today so Plesk should add up to date ruleset and specific rules to protect known CMS as Wordpress, Joomla, Drupal, Prestashop, & Magento at min.

 

[Kaspar@Plesk]

There are currently no immediate plans on improving the WAF feature in Plesk (other than to continue with regularly updating the rule sets). But if you add your suggestions to the UserVoice page they might be considered.

 

[trialotto]

There are currently no immediate plans on improving the WAF feature in Plesk (other than to continue with regularly updating the rule sets). But if you add your suggestions to the UserVoice page they might be considered.

@Kaspar@Plesk

Improving the WAF is not really the question here.

In essence, it has more to do with REINSTATING functionality that has been present before.

For instance, the excellent (free and paid-for) Atomicorp rulesets should be supported - it does not work like a charm like it used to do before.

The Plesk GUI gives all kinds of issues and error notifications when attempting to activate the Atomicorp rulesets (this was not the case in the past) and this is only the result of the package that Plesk compiles themselves.

Stated differently, Atomicorp did resolve some issues from their side, but Plesk failed to update the package they provide - as a remarkable result, the excellent (!!!) Atomicorp rulesets cannot be or cannot be easily installed via Plesk GUI.

It would be much better to set the Atomicorp rulesets as the default rulesets for the WAF.

I am simply surprised by the fact that this incompatibility issue is still present and/or affecting security of both Plesk instances as sites hosted with Plesk.

Kind regards....

 

[Kaspar@Plesk]

Sorry to read that the Atomicorp rulesets causes you issues. We're currently (actively) working on support for the Atomicorp rulesets for use with Plesk on newer OSes. However I have no ETA on when support becomes available.