Question WAF (ModSecurity)

WebHostingAce

Silver Pleskian
Server operating system version: AlmaLinux 8.10 (Cerulean Leopard)
Plesk version and microupdate number: Plesk Obsidian 18.0.75
With the growing security concerns lately, I wanted to ask whether the Comodo (free) ModSecurity rules are still actively maintained and kept up to date?

I’m open to using Atomic Advanced ModSecurity rules; however, my understanding is that Atomic Advanced does not support NGINX on Plesk, which is a limitation for my setup.

Given this, what options do we currently have for a well-maintained WAF ruleset that works properly with NGINX + Plesk?

I would appreciate hearing what other users are currently using and recommending.

Thank you.
 
The ModSecurity rules done by both Comodo and Atomic are managed by Comodo and Atomic respectively. And as far as I'm aware, they're updated pretty frequently.
 
The Comodo ruleset no longer gets updates (latest change is from 2023 or so) but still covers all the basics.
You can use the OWASP ruleset, but in my experience this generates way too many false positives on a server with many different sites (if enabled generally).
 
The Comodo ruleset no longer gets updates (latest change is from 2023 or so) but still covers all the basics.

It looks like Comodo was sold to another company, and since then the WAF hasn’t been actively maintained.

In my experience, Comodo’s WAF still performs better than the free version of Atomic WAF.

I wanted to try the paid Atomic WAF. I signed up for a trial and entered the username and password in Plesk, but it didn’t work.

Atomic also claims their WAF works with NGINX, but I’m not sure why Plesk hasn’t implemented that functionality yet.
 
I’d like to try Atomic Advanced (purchased from Atomicorp).

However, when I enter my Atomic username and password in Plesk, they are not working.

I receive the following error:

Failed to install the ModSecurity rule set: The specified username or password is invalid.

The product I purchased (currently on free trial) is:

Has anyone experienced this before?
 
@Sebahat.hadzhi Thank you.

I have the /etc/asl/config file with

# Authentication Information
USERNAME="plesk_global_unpaid"
PASSWORD="nYk9teL4RXNa"

Also I have the /etc/asl/license.key

But when I enter my Atomic username and password in Plesk, they are not working.

Fails with,

Failed to install the ModSecurity rule set: The specified username or password is invalid.
 
plesk_global_unpaid is the user for the basic ruleset. Can you please try to manually update the credentials in the file and make sure they match the actual ones?
 
Do you know which directory we should have access to in order to get the Advanced Rules from Atomicorp?

I am not quite sure. I haven't signed up for a trial on their end before, and as far as I can see the same is bound to a subscription, so I am a bit reluctant to test that out.
 
@Sebahat.hadzhi Thank you for your reply.

I was trying to get support from Atomicorp; however, it seems they are not very familiar with the option offered in Plesk.

I tested the following options with these results:

Atomic Standard (free, upgradeable to Atomic Advanced)
This does not seem to properly analyse the response body content.

OWASP (free)
As expected, there are many false positives.

Comodo (free)
The Nginx (ModSecurity 3.0) option often fails to download the ruleset, which sometimes prevents enabling this option for days.
The Apache (ModSecurity 2.9) option works and seems stable, but I’m unsure whether the ruleset is actively maintained.

Atomic Advanced (purchased from Atomicorp)
Fails to install with the error:
Failed to install the ModSecurity rule set: The specified username or password is invalid.

Custom rule set
Maintaining rules manually may not be practical when managing multiple servers.
 
The Comodo (free) ruleset is exactly the same for Nginx and Apache - you can compare it yourself
- /etc/nginx/modsecurity.d/rules/owasp_modsecurity_crs_4-plesk
- /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_4-plesk

When selecting the Nginx option, the download and automatic update of the ruleset does seem to throw an error quite often though, but I could not say why (as there is no obvious reason to behave differently).
But apart from the annoying red error message in the Plesk GUI, the WAF still works perfectly fine (at least I believe so).

As the Comodo (free) ruleset no longer gets updates anyway, we have disabled the auto-update option to get rid of this Plesk download/update error.

But yeah, why Plesk does manage to not throw the same error when using Comodo (free) for Apache2, that is beyond my comprehension...
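
The comparison suggested in the post above, as an added example that is not part of the original thread: a POSIX shell script that compares two ModSecurity rule trees by file hash and by the set of rule ids found on non-comment lines. The function names are hypothetical, the id matching is a simple pattern match rather than a full SecRule parser, and the two directories (for instance the two paths listed above) are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): compare two ModSecurity rule trees.
# Usage: sh compare_rules.sh <rules_dir_a> <rules_dir_b>
# Function names are hypothetical; requires find, sha256sum, diff, comm.

# One "sha256  ./relative/path" line per *.conf file, sorted by path.
rule_manifest() {
    ( cd "$1" && find . -type f -name '*.conf' -exec sha256sum {} + | sort -k2 )
}

# Unique rule ids on non-comment lines (matches id:123 and id:'123').
rule_ids() {
    find "$1" -type f -name '*.conf' -exec cat {} + |
        grep -vE '^[[:space:]]*#' |
        grep -oE "id:'?[0-9]+" | tr -dc '0-9\n' | sort -u
}

# Returns 0 when both trees hold identical files and rule ids,
# 1 when they differ, 2 on a usage or setup error.
compare_rulesets() {
    if [ ! -d "$1" ] || [ ! -d "$2" ]; then
        echo "both arguments must be directories" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 2
    rule_manifest "$1" > "$tmp/a.sum"; rule_manifest "$2" > "$tmp/b.sum"
    rule_ids "$1" > "$tmp/a.ids";      rule_ids "$2" > "$tmp/b.ids"
    rc=0
    if ! diff "$tmp/a.sum" "$tmp/b.sum" > "$tmp/files.diff"; then
        echo "Files that differ or exist on one side only:"
        sed -n 's/^[<>] [0-9a-f]*  /  /p' "$tmp/files.diff" | sort -u
        rc=1
    fi
    # A rule id present on one side only means the two servers enforce
    # different rules, even if the file layout looks the same.
    only_a=$(comm -23 "$tmp/a.ids" "$tmp/b.ids" | tr '\n' ' ')
    only_b=$(comm -13 "$tmp/a.ids" "$tmp/b.ids" | tr '\n' ' ')
    [ -z "$only_a" ] || { echo "Rule ids only in $1: $only_a"; rc=1; }
    [ -z "$only_b" ] || { echo "Rule ids only in $2: $only_b"; rc=1; }
    rm -rf "$tmp"
    return $rc
}

if [ "$#" -eq 2 ]; then compare_rulesets "$1" "$2"; fi
```
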
 
@ChristophRo Thank you for your input.

To me, it seems that WAF is not very popular within the Plesk community. I believe that due to the number of false positives, many Plesk users prefer to keep it disabled.

However, with the growing security concerns lately, a WAF can be very useful in protecting against various types of attacks.
 