• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Problem with Modsecurity 2.9. Error: Could not set variable "ip.brute_force_counter" and Could not set variable "ip.xmlrpc_counter" as the collection

ic3_2k

ic3_2k

New Pleskian
Server operating system version
Almalinux 8.9
Plesk version and microupdate number
18.0.59 #2
Hello,

I have a problem with the WAF, if I enable it and configure to use 2.9 (apache) with every single visit I got a register with that 2 errors, and fail2ban got crazy blocking all visitors IP.
In the log file this is the register saved:

Code: 
Message: Could not set variable "ip.xmlrpc_counter" as the collection does not exist.
Message: Could not set variable "ip.brute_force_counter" as the collection does not exist.
Apache-Error: [file "apache2_util.c"] [line 277] [level 3] [client 47.128.63.199] ModSecurity: Could not set variable "ip.xmlrpc_counter" as the collection does not exist. [hostname "c*******.com"] [uri "/img/logo-1660745973.jpg"] [unique_id "ZgVgQVdtYdAwqReLwcyDAwAAABc"]
Apache-Error: [file "apache2_util.c"] [line 277] [level 3] [client 47.128.63.199] ModSecurity: Could not set variable "ip.brute_force_counter" as the collection does not exist. [hostname "c*********.com"] [uri "/img/logo-1660745973.jpg"] [unique_id "ZgVgQVdtYdAwqReLwcyDAwAAABc"]
Stopwatch: 1711628353557358 808 (- - -)
Stopwatch2: 1711628353557358 808; combined=108, p1=50, p2=42, p3=0, p4=0, p5=16, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

If I change to use Modsecurity 3.0 (nginx) the result is the opposite, no single request logged, no matter if I cal ulr.com/../../../etc/passwd or if I try to simulate SQLi


Tried to find info about, but can't find one single result from google nor bing, can please someone helpme to solve this?
 
Please contact Plesk support on this topic. It will need to be checked on your server.

To sign-in to support please go to https://support.plesk.com

If you experience login issues, please see this KB article:
https://support.plesk.com/hc/en-us/...rt-plesk-com-and-password-reset-does-not-work

If you bought your license from a reseller, your reseller should provide support for you. If the reseller does not provide support, here is an alternative:
https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk-
 
You must log in or register to reply here.

Similar threads

R
Issue Problem with web application firewall - file extension is restricted by policy
Replies
3
Views
1K
Linulex
Linulex
Azurel
Issue ModSecurity: Issue with Comodo rules set?
Replies
1
Views
2K
Azurel
Azurel
Azurel
Forwarded to devs Modsecurity issue with Comodo rules set. Missing folder: /var/cache/modsecurity/
Replies
2
Views
1K
IgorG
IgorG
Winnstorm
Issue Problem with modsecurity atomicorp
Replies
6
Views
2K
UFHH01
U
B
Question Optimal nginx performance Wordpress
Replies
1
Views
8K
bkhayes
bkhayes
Back
Top