• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • (Plesk for Windows):
    MySQL Connector/ODBC 3.51, 5.1, and 5.3 are no longer shipped with Plesk because they have reached end of life. MariaDB Connector/ODBC 64-bit 3.2.4 is now used instead.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue Web Application Firewall: Security rule IDs broken/reset

K

KlausO

New Pleskian
Server operating system version
AlmaLinux release 8.10 (Cerulean Leopard)
Plesk version and microupdate number
Plesk Obsidian 18.0.68
Hello,

this is an issue that first appeared last week after updating from Obsidian 18.0.67 to 18.0.68:

Our Web Application Firewall uses Comodo (free) with daily rule updates. We switched off the following security roles

211180
211170
210730
210040
210220

Whenever Comodo rules are changed our rules are replaced by

210710
222212
218500

The replacement occures after the daily update. It can be manually reproduced:

1. Open "Tools & Settings -> Web Application Firewall (ModSecurity)"
2. Enter your desired rules in "Security rule IDs"
3. Hit OK and open "Tools & Settings -> Web Application Firewall (ModSecurity)" again.

Your rules should be saved as expected in "Security rule IDs". They are also saved in server.conf and psa-database table WebServerSettingsParameters. Everything is working.

4. Open "Tools & Settings -> Web Application Firewall (ModSecurity) -> Settings" and disable updates (remove checkbox).
5. Hit OK and open "Tools & Settings -> Web Application Firewall (ModSecurity)" again.

Your rules are gone and 210710, 222212, 218500 are there.

We don't know if this is a bug or if we are missing something. Maybe custom rules are limited on AlamaLinux 8? What can be done? Thank you!
 
Thanks for the report, @KlausO . I was able to reproduce the behavior and will pass it for further investigation to our team. I will update you with more details as soon as possible.
 
No way! This must be a very bad joke! So many false positive rules are gone—that's really frustrating. I never thought I’d need to back this up as well. Please focus on quality control instead of unnecessary features! Now I have extra work to keep an eye on this again. Grrrrrrr
 
For all those who stumble across the topic in time. Under /var/lib/psa/dumps there is the file mysql.daily.dump.8.gz and in it I found my old rules. Search for

SQL: 
INSERT INTO `WebServerSettingsParameters` VALUES (1,'configPreset','fast'),(1,'filterById','HERE-ARE-YOUR-RULES'),(1,'ruleEngine','On'),(1,'ruleSet','comodo_free')
 
You must log in or register to reply here.

Similar threads

F
Issue SQLmap attack detected (ID: 218500) on blank page
Replies
5
Views
2K
abdulsemiu
A
R
Issue Problem with web application firewall - file extension is restricted by policy
Replies
3
Views
2K
Linulex
Linulex
F
Question Mod Security for apache or Nginx?
Replies
7
Views
3K
larryk
L
B
Issue ModSecurity rule exception not working
Replies
4
Views
2K
benjamin-lgba
B
R
Question Atomicorp WAF // 345114 "log4j"
Replies
1
Views
1K
weltonw
W
Back
Top