• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Problem with Modsecurity 2.9. Error: Could not set variable "ip.brute_force_counter" and Could not set variable "ip.xmlrpc_counter" as the collection

ic3_2k

New Pleskian
Server operating system version
Almalinux 8.9
Plesk version and microupdate number
18.0.59 #2
Hello,

I have a problem with the WAF, if I enable it and configure to use 2.9 (apache) with every single visit I got a register with that 2 errors, and fail2ban got crazy blocking all visitors IP.
In the log file this is the register saved:

Code:
Message: Could not set variable "ip.xmlrpc_counter" as the collection does not exist.
Message: Could not set variable "ip.brute_force_counter" as the collection does not exist.
Apache-Error: [file "apache2_util.c"] [line 277] [level 3] [client 47.128.63.199] ModSecurity: Could not set variable "ip.xmlrpc_counter" as the collection does not exist. [hostname "c*******.com"] [uri "/img/logo-1660745973.jpg"] [unique_id "ZgVgQVdtYdAwqReLwcyDAwAAABc"]
Apache-Error: [file "apache2_util.c"] [line 277] [level 3] [client 47.128.63.199] ModSecurity: Could not set variable "ip.brute_force_counter" as the collection does not exist. [hostname "c*********.com"] [uri "/img/logo-1660745973.jpg"] [unique_id "ZgVgQVdtYdAwqReLwcyDAwAAABc"]
Stopwatch: 1711628353557358 808 (- - -)
Stopwatch2: 1711628353557358 808; combined=108, p1=50, p2=42, p3=0, p4=0, p5=16, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

If I change to use Modsecurity 3.0 (nginx) the result is the opposite, no single request logged, no matter if I cal ulr.com/../../../etc/passwd or if I try to simulate SQLi


Tried to find info about, but can't find one single result from google nor bing, can please someone helpme to solve this?
 
Please contact Plesk support on this topic. It will need to be checked on your server.

To sign-in to support please go to https://support.plesk.com

If you experience login issues, please see this KB article:
https://support.plesk.com/hc/en-us/...rt-plesk-com-and-password-reset-does-not-work

If you bought your license from a reseller, your reseller should provide support for you. If the reseller does not provide support, here is an alternative:
https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk-
 
Back
Top