• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question Multiple 403 errors by Modsec after Update version: 18.0.60.1 → 18.0.61.5

Pascal_Netenvie

Regular Pleskian
Server operating system version
Debian 11.9
Plesk version and microupdate number
18.0.61mu5
Hello,
Today 2 servers had Plesk upgraded to v 18.0.61mu5,
and on those 2 servers we started to have lot of 403 errors returned by Modsecurity with Owasp rules.

Is there some change about this ?
Can it come from Nginx upgrade ?
Do you have an idea ... ?

We had to switch to Comodo to get back to normal behaviour.

Regards !
 
@danami thanks, will relay that internally

@Kaspar@Plesk

It would be keep the OWASP ruleset updated on a more frequent basis.

In a not so far away past, Plesk did continue to use (old) rulesets that were vulnerable, even though security patches were released already.

In addition, Plesk Team could consider to mitigate too strict OWASP rulesets for WordPress based sites - a script could suffice to change that one setting.

More importantly, the Atomicorp ruleset is working like a charm out-of-the-box when installed manually, but installation via Plesk GUI is still troublesome.

In my humble opinion, a WAF ruleset should help Plesk users (and not be a root cause of stress due to all kinds of impediments).

Is there any roadmap for future improvements concerning the WAF, rulesets and the method of configuration via Plesk GUI?

Kind regards....
 
Yes security is a main concern today so Plesk should add up to date ruleset and specific rules to protect known CMS as Wordpress, Joomla, Drupal, Prestashop, & Magento at min.
 
There are currently no immediate plans on improving the WAF feature in Plesk (other than to continue with regularly updating the rule sets). But if you add your suggestions to the UserVoice page they might be considered.
 
There are currently no immediate plans on improving the WAF feature in Plesk (other than to continue with regularly updating the rule sets). But if you add your suggestions to the UserVoice page they might be considered.
@Kaspar@Plesk

Improving the WAF is not really the question here.

In essence, it has more to do with REINSTATING functionality that has been present before.

For instance, the excellent (free and paid-for) Atomicorp rulesets should be supported - it does not work like a charm like it used to do before.

The Plesk GUI gives all kinds of issues and error notifications when attempting to activate the Atomicorp rulesets (this was not the case in the past) and this is only the result of the package that Plesk compiles themselves.

Stated differently, Atomicorp did resolve some issues from their side, but Plesk failed to update the package they provide - as a remarkable result, the excellent (!!!) Atomicorp rulesets cannot be or cannot be easily installed via Plesk GUI.

It would be much better to set the Atomicorp rulesets as the default rulesets for the WAF.

I am simply surprised by the fact that this incompatibility issue is still present and/or affecting security of both Plesk instances as sites hosted with Plesk.

Kind regards....
 
Sorry to read that the Atomicorp rulesets causes you issues. We're currently (actively) working on support for the Atomicorp rulesets for use with Plesk on newer OSes. However I have no ETA on when support becomes available.
 
Back
Top