• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved Web Application Firewall: Security rule IDs broken/reset

K

KlausO

New Pleskian
Server operating system version
AlmaLinux release 8.10 (Cerulean Leopard)
Plesk version and microupdate number
Plesk Obsidian 18.0.68
Hello,

this is an issue that first appeared last week after updating from Obsidian 18.0.67 to 18.0.68:

Our Web Application Firewall uses Comodo (free) with daily rule updates. We switched off the following security roles

211180
211170
210730
210040
210220

Whenever Comodo rules are changed our rules are replaced by

210710
222212
218500

The replacement occures after the daily update. It can be manually reproduced:

1. Open "Tools & Settings -> Web Application Firewall (ModSecurity)"
2. Enter your desired rules in "Security rule IDs"
3. Hit OK and open "Tools & Settings -> Web Application Firewall (ModSecurity)" again.

Your rules should be saved as expected in "Security rule IDs". They are also saved in server.conf and psa-database table WebServerSettingsParameters. Everything is working.

4. Open "Tools & Settings -> Web Application Firewall (ModSecurity) -> Settings" and disable updates (remove checkbox).
5. Hit OK and open "Tools & Settings -> Web Application Firewall (ModSecurity)" again.

Your rules are gone and 210710, 222212, 218500 are there.

We don't know if this is a bug or if we are missing something. Maybe custom rules are limited on AlamaLinux 8? What can be done? Thank you!
 
Thanks for the report, @KlausO . I was able to reproduce the behavior and will pass it for further investigation to our team. I will update you with more details as soon as possible.
 
No way! This must be a very bad joke! So many false positive rules are gone—that's really frustrating. I never thought I’d need to back this up as well. Please focus on quality control instead of unnecessary features! Now I have extra work to keep an eye on this again. Grrrrrrr
 
For all those who stumble across the topic in time. Under /var/lib/psa/dumps there is the file mysql.daily.dump.8.gz and in it I found my old rules. Search for

SQL: 
INSERT INTO `WebServerSettingsParameters` VALUES (1,'configPreset','fast'),(1,'filterById','HERE-ARE-YOUR-RULES'),(1,'ruleEngine','On'),(1,'ruleSet','comodo_free')
 
The behavior was recognized as a bug identified with ID PPP-67814. Thank you for bringing our attention to it, @KlausO . At this point, I cannot provide an ETA on when a fix will be released. You can monitor the change log here.

Azurel said:
Please focus on quality control instead of unnecessary features!
Click to expand...

I understand the potential negative impact of overriding the excluded rules could have and I am sorry for any possible inconvenience caused. However, the misconception that our team is neglecting existing issues or compromising quality control just because they are introducing new features is a bit unfair. I can assure you that automated and manual testing is in place. Unfortunately, there isn't a bulletproof method that will eliminate all possible software bugs.
 
Mistakes happen, but in this case, a crucial check was clearly missed – this urgently needs a hotfix. Comodo is good, but I had to disable around 20 rules because they were blocking hundreds of visitors due to false-positives. Now, I have to not only reapply the filters daily but also check if issues arise again. This is not just a minor typo.
 
Our team is already working on introducing a hotfix (PPP-67896) for this issue, which is scheduled for release in the upcoming week.
 
Plesk Obsidian 18.0.68 Update 2 rolling out today:

Fixed Product Issues

Linux

  • Enabling or disabling ModSecurity rule set updates no longer resets the rule IDs specified in the “Security rule IDs” textbox to their default values. (PPPM-14876)
Click to expand...
 
You must log in or register to reply here.

Similar threads

F
Issue SQLmap attack detected (ID: 218500) on blank page
Replies
5
Views
2K
abdulsemiu
A
R
Issue Problem with web application firewall - file extension is restricted by policy
Replies
3
Views
2K
Linulex
Linulex
F
Question Mod Security for apache or Nginx?
Replies
7
Views
3K
larryk
L
B
Issue ModSecurity rule exception not working
Replies
4
Views
3K
benjamin-lgba
B
R
Question Atomicorp WAF // 345114 "log4j"
Replies
1
Views
1K
weltonw
W
Back
Top