Resolved Urgent / Big problem with apache/nginx [mod_evasive denylisting]

[christian.eden]

Current work-around we implement on our side :
exclude the mod_qos and mod_evasive under /etc/yum.conf
exclude=mod_evasive mod_qos
Then if that package has been installed (you can confirm via rpm -qa or yum info )

yum info  mod_evasive | grep -i repo
Repo        : installed
From repo   : epel
            : firewalls, routers, etc. mod_evasive presently reports abuses via

yum info  mod_qos | grep -i repo
Repo        : installed
From repo   : epel

You can run this command :

yum remove mod_qos mod_evasive -y && service httpd restart ( just to restart the apache with the right conf )

 

[Peter Debik]

Is there any permanent solution or we have to be worried about all the updates from now on?

The solution (workaround) that we can currently provide is:

https://support.plesk.com/hc/en-us/articles/14861542533911

The issue was brought in by an Atomic update that should actually fix the broken /etc/asl issue from before, but it also replaced mod_evasive. At the moment if you want to be sure that it won't happen again, the only solution is to remove mod_evasive (and disable it in Apache modules).

 

[gennolo]

I see an updated aum version had been pushed overnight :

aum-1:6.0.48-29386.el7.art.x86_64

I guess it contains a permanent fix for this problem?

 

[Peter Debik]

I think the concept of "permanent fix" does not match to "aum". It hasn't in the past, so likely it won't in the future. The problem is, too, that with such security services there are so many other aspects involved that there is always something that can fail. Just to make sure that the mod_evasive issue cannot bring your server down, I'd still recommend to have DOSWhitelist entries for 127.0.0.1 and your public IP in place in /etc/httpd/conf.d/mod_evasive.conf. We never know when a similar issue might return.

 

[Olly95]

I have had the same issue today and i have manged to stop this by disabling mod_evasive as mentioned on the ticket https://support.plesk.com/hc/en-us/articles/14861542533911

However, i am unable to resolve the issue using my external IP address like in the example below. I would rather add the IP Whitelist and not disable this but im not sure why its not working. Are these the only 2 entries needed? The IP in /var/log/messages is my internal IP


DOSWhitelist 127.0.0.1
DOSWhitelist <my external IP>

 

[Peter Debik]

@Olly95 Please show an excerpt of /etc/httpd/conf.d/mod_evasive.conf with your DOSWhitelist entries. Also please show an excerpt from the logs where that IP is still blacklisted. For both, please redact the IP address for privacy reasons.

 

[Olly95]

@Olly95 Please show an excerpt of /etc/httpd/conf.d/mod_evasive.conf with your DOSWhitelist entries. Also please show an excerpt from the logs where that IP is still blacklisted. For both, please redact the IP address for privacy reasons.

Hi Peter, thank you for your help. I changed this to my private IP and it worked fine thanks.

 

[frederic-lp]

Hello,

We had the same issue.
Please inform us when the problem will be fixed in order to reactivate mod_evasive.

 

[Peter Debik]

Does the above mentioned solution using DOSWhitelist not fit your requirements?

 

[tkalfaoglu]

Did you restart httpd?

Turns out I had bigger issues -- I had to reinstall every PHP package..

 

[tkalfaoglu]

Mod_evasive is very old code.. like untouched for 7 years.. -- yet very popular.. I'm surprised no one picked it up and improved it..
or at least, kept it up to date..

 

[akira9000]

Was anything pushed automatically last night? Been having the Apache 123 page appearing sporadically since the 26th. Been getting round it by turning off Apache and going entirely via Nginx on certain subs. Then this morning, everything back to normal, all my machines acting like this never happened.

 

[Dimitri-j]

I had problem with Apache 123 page and i do
aum -uf ; yum -y remove mod_evasive ; aum -u

like you provide on https://support.plesk.com/hc/en-us/articles/14861542533911

i restart server and now i cant run apache

Plz if you can provide me how to fix this problem

 

[Maarten.]

Mod_evasive is very old code.. like untouched for 7 years.. -- yet very popular.. I'm surprised no one picked it up and improved it..
or at least, kept it up to date..

It's so ancient that the README even mentions Frontpage:

KNOWN BUGS

- This module appears to conflict with the Microsoft Frontpage Extensions.
Frontpage sucks anyway, so if you're using Frontpage I assume you're asking
for problems, and not really interested in conserving server resources anyway.

 

[WebHostingAce]

This issue was really bad!

I think these are related to the May 26, 2023 update.

https://support.plesk.com/hc/en-us/articles/14861542533911-Plesk-websites-return-Apache-error-403-on-May-26-2023-client-denied-by-server-configuration

https://support.plesk.com/hc/en-us/articles/12388040127383--Site-on-Plesk-is-not-available-ModSecurity-Response-body-too-large

It is very unacceptable to install a Apache module to the server without the user's knowledge.

What are the other modules have been installed with this AUM update?

We were struggling for days due to this issue.

 

[Peter Debik]

It is very unacceptable to install a Apache module to the server without the user's knowledge.

Please let Atomic know about it.

I'd like to add that Plesk is in the process of taking precaution by using a kind of "shadow" algorithm for future updates so that vendors won't have this influence on user servers any longer.

Please also take into account that no technical system is perfect. The number of files and software involved became so large that it is impossible to predict all cases.