
Plesk 10.3 & Mod_Security

Michael Goeller

New Pleskian
On my site mmo-game.eu I am getting a good amount of SPAM comments a day (they are filtered by a WordPress plugin) and sadly intrusion attempts slowly start to happen more often. The site got defaced last year for a few hours and I fear this is going to happen again sooner or later.

This eventually led me to install mod_security and honestly I am a bit overwhelmed atm.

Basically I did these steps:

wget -q -O - http://www.atomicorp.com/installers/atomic | sh
wget -q -O - http://www.atomicorp.com/installers/plesk |sh
yum install mod_security
cd /etc/httpd/modsecurity.d/
wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.gz
tar -zxvf modsec-2.5-free-latest.tar.gz
/etc/init.d/httpd restart

Then I added the exceptions for WordPress:
nano /etc/httpd/modsecurity.d/modsec/00_asl_custom_exclude.conf

<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/page.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/options.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/theme-editor.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/plugins/">
SecRuleRemoveById 300015 340151 1234234 340153 1234234 300016 300017 950907 950005 950006 960008 960011 960904 959006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-includes/">
SecRuleRemoveById 960010 960012 950006 959006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/themes/">
SecRuleRemoveById 340151 340153 1234234 950006 959006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-cron.php">
SecRuleRemoveById 960015
</LocationMatch>

<LocationMatch "/feed">
SecRuleRemoveById 960015
</LocationMatch>

<LocationMatch "/category/feed">
SecRuleRemoveById 960015
</LocationMatch>

But now I seem to have issues with logging in to Plesk. The login page does not appear; instead the log shows:

2011-11-03 10:30:21: (mod_fastcgi.c.2588) FastCGI-stderr: PHP Fatal error: Call to a member function getContext() on a non-object in /usr/local/psa/admin/plib/Navigation.php on line 54

all children busy, launch additional (total 3, limit 30)

I have found 2 related posts here, one that suggested to update PHP, but I have the latest PHP, and the other one with ciphers did not apply.

Can anyone point me the way on how to fix this issue?

Thanks
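
An added example, not part of the original post: `LocationMatch` takes an unanchored regular expression, so exclusion blocks like the ones above also switch rules off for any URL that merely contains the pattern. This Python sketch audits such a file; the excerpt is copied from three of the post's blocks, while the probe paths and function names are made up for illustration.

```python
import re

# Constructed excerpt: three blocks shortened from the exclusion file in the post.
SAMPLE_CONF = '''
<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
SecRuleRemoveById phpids-17
</LocationMatch>
<LocationMatch "/wp-content/plugins/">
SecRuleRemoveById 300015 340151 1234234 340153 1234234 300016
</LocationMatch>
<LocationMatch "/feed">
SecRuleRemoveById 960015
</LocationMatch>
'''

BLOCK_RE = re.compile(r'<LocationMatch\s+"([^"]+)">(.*?)</LocationMatch>', re.S)
REMOVE_RE = re.compile(r'^\s*SecRuleRemoveById\s+(.+)$', re.M)

def parse_exclusions(conf):
    """Return {pattern: [rule ids in file order]} for each LocationMatch block."""
    result = {}
    for pattern, body in BLOCK_RE.findall(conf):
        ids = []
        for line in REMOVE_RE.findall(body):
            ids.extend(line.split())
        result[pattern] = ids
    return result

def audit(conf, probe_paths):
    """Report duplicate ids and which probe paths each pattern would exempt."""
    report = {}
    for pattern, ids in parse_exclusions(conf).items():
        dupes = sorted({i for i in ids if ids.count(i) > 1})
        # LocationMatch behaves like an unanchored regex search on the URL path.
        hits = [p for p in probe_paths if re.search(pattern, p)]
        report[pattern] = {"removed": len(set(ids)), "duplicates": dupes, "matches": hits}
    return report

# Hypothetical request paths: the intended targets plus paths that only
# share a substring with a pattern.
PROBES = ["/wp-admin/post.php", "/feed", "/shop/feedback.php",
          "/old/wp-admin/postXphp", "/wp-content/plugins/akismet/a.php"]

if __name__ == "__main__":
    for pattern, info in audit(SAMPLE_CONF, PROBES).items():
        print(pattern, info)
```

Anchoring and escaping the patterns (for example `^/wp-admin/post\.php$`) keeps each exclusion limited to the script it was written for.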
 
Hmh ... I have removed mod_security, but the problem persists.
yum remove mod_security
/etc/init.d/httpd restart

Since that did not fix it I thought the repair function might do something good :D

/usr/local/psa/bootstrapper/pp10.12.0-bootstrapper/bootstrapper.sh repair

which resulted in

Changing shell for popuser.
Shell not changed.
Changing shell for mhandlers-user.
Shell not changed.
config updated
===> Updated /etc/psa/psa.conf
===> Preparing upgrade
mysqldump: Got error: 1033: Incorrect information in file: './psa/APSApplicationItems.frm' when using LOCK TABLES
Stopping psa... done
Stopping mail handlers tmpfs storage
psa is stopped
Stopping psa... done
Stopping mail handlers tmpfs storage

**** Product repair started.

===> Checking for previous installation ... found.
Create user 'psaadm' and group 'psaadm'
Checking for the group 'psaadm'...
Group 'psaadm' already exists

Checking for the user 'psaadm'...
User 'psaadm' already exists

Create group swkey-data
Checking for the group 'swkey-data'...
Group 'swkey-data' already exists

Checking for the group 'swkey-data'...
Trying to add supplementary group 'swkey-data' for user 'psaadm'... already there
Create Mail accounts
Checking for the group 'popuser'...
Group 'popuser' already exists

Checking for the user 'popuser'...
User 'popuser' already exists

Checking for the user 'mhandlers-user'...
User 'mhandlers-user' already exists

Trying to got legacy variables... done
Trying to save legacy variables... done
Checking for the system groups and users necessary for ftp server...
Checking for the group 'psaftp'...
Group 'psaftp' already exists

Checking for the user 'psaftp'...
User 'psaftp' already exists

Trying to start service mysqld... mysqld (pid 18368) is running...
done
Checking for the system groups and users necessary for Apache...
Checking for the group 'apache'...
Group 'apache' already exists

Checking for the user 'apache'...
User 'apache' already exists

===> Checking for the necessary system accounts
Checking for the system groups and users necessary for MySQL...
Checking for the group 'mysql'...
Group 'mysql' already exists

Checking for the user 'mysql'...
User 'mysql' already exists

Checking for the system groups and users necessary for admin server...
Checking for the group 'psaadm'...
Group 'psaadm' already exists

Checking for the user 'psaadm'...
User 'psaadm' already exists

Checking for the group 'psaserv'...
Group 'psaserv' already exists

Checking for the group 'psaserv'...
Trying to add supplementary group 'psaserv' for user 'apache'... already there
Checking for the group 'psaserv'...
Trying to add supplementary group 'psaserv' for user 'psaftp'... already there
Checking for the group 'psaserv'...
Trying to add supplementary group 'psaserv' for user 'psaadm'... already there
Checking for the group 'psacln'...
Group 'psacln' already exists

Trying to start service mysqld... mysqld (pid 18368) is running...
done
Trying to establish test connection... connected
done
Trying to backup MySQL database... done
MySQL databases are dumped to /var/lib/psa/dumps/mysql.preupgrade.10.12.0-10.12.0.20111103-122540.dump.gz
Checking that /usr/local/psa/bin/chrootsh registered as login shell...
/usr/local/psa/bin/chrootsh already registered as a login shell


Create PPSB support group
Checking for the group 'psasb'...
Group 'psasb' already exists

Checking for the group 'psasb'...
Trying to add supplementary group 'psasb' for user 'psaadm'... already there
Checking for the group 'psasb'...
Trying to add supplementary group 'psasb' for user 'apache'... already there

===> Performing safe prep-install database actions


===> Upgrading database

Trying to start service mysqld... mysqld (pid 18368) is running...
done
Trying to establish test connection... connected
done
Trying to find psa database... ERROR 1033 (HY000) at line 1: Incorrect information in file: './psa/misc.frm'
ERROR 1235 (42000) at line 1: Cannot call SHOW INNODB STATUS because skip-innodb is defined
DATABASE ERROR!!!
Database psa found, but version undefined

ERROR while trying to find psa database
Check the error reason(see log file: /tmp/plesk_10.3.1_installation.log), fix and try again

***** problem report *****
ERROR while trying to find psa database
Check the error reason(see log file: /tmp/plesk_10.3.1_installation.log), fix and try again

So I thought the error might be related to MySQL, so here is my config:

[client]
port = 3306
socket = /var/lib/mysql/mysql.sock

[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
datadir = /var/lib/mysql
skip-locking
max_allowed_packet = 1M
thread_cache_size = 4
max_connections = 100
myisam_sort_buffer_size = 8M
key_buffer_size = 32M
query_cache_size=48M
query_cache_limit=1M
query_cache_type=1
sort_buffer_size = 512K
read_rnd_buffer_size = 512K
join_buffer_size = 1024K
max_join_size = 4MB
open_files_limit = 3233
table_cache = 1536
max_heap_table_size = 80M
tmp_table_size = 80M
read_buffer_size = 512K
net_buffer_length = 8K
innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = ./
innodb_buffer_pool_size = 80M
innodb_additional_mem_pool_size = 4M
innodb_log_file_size = 16M
innodb_log_buffer_size = 4M
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[myisamchk]
key_buffer_size = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout

It seems that the repair stopped PSA. When I try to manually start it I get this message:

/etc/init.d/psa start
Starting psa... done
Starting xinetd service... done
Starting named service... done
Starting mysqld service... done
Starting postgresql service... not installed
Starting psa-spamassassin service... done
Plesk: Starting Mail Server... already started
ERROR 1033 (HY000) at line 1: Incorrect information in file: './psa/DomainServices.frm'
Starting mail handlers tmpfs storage
ERROR 1033 (HY000) at line 1: Incorrect information in file: './psa/sessions.frm'
Starting psa... done
ERROR 1033 (HY000) at line 1: Incorrect information in file: './psa/misc.frm'
 
I used a backup from 2 days ago and the system is running again. But nevertheless it would be nice to know how to solve this problem.
 