Applicable to:
- Plesk 12.5 for Linux
- Plesk Onyx for Linux
Symptoms
- Cannot disable ModSecurity rules: the Tools & Settings > Web Application Firewall > General > Switch off security rules list settings are ignored; however, the rule IDs are written to /etc/httpd/conf/plesk.conf.d/server.conf:

    SecRuleEngine On
    SecRuleRemoveById 340159 340162 340523

- Access to a website page keeps being blocked with the following error:

    HTTP 403 Forbidden

- The following entry appears in Subscriptions > example.com > Websites & Settings > example.com > Web Application Firewall > Logs:

    ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "731"] [id "340523"] [rev "5"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (/manager/index.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "www.example.com"] [uri "/manager/index.php"] [unique_id "WShWeH8AAAEAAGUIpxEAAADA"]

Cause
ModSecurity issue MODSEC-274: rules defined within LocationMatch cannot be excluded by the SecRuleRemoveById directive.
Resolution
- Go to Subscriptions > example.com > Websites & Settings > example.com > Web Application Firewall > Logs and retrieve the location and the ID of the rule that matched. For example:

    ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "731"] [id "340523"] [rev "5"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (/manager/index.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "www.example.com"] [uri "/manager/index.php"] [unique_id "WShWeH8AAAEAAGUIpxEAAADA"]

- Go to Subscriptions > example.com > Websites & Domains > Apache and nginx Settings > Additional Apache directives and add the following (replacing 1000001 with some unique ID):

    <IfModule mod_security2.c>
    # Switch the listed rules off for requests to /manager/index.php only.
    # The dot is escaped so the pattern matches that exact path and nothing else.
    SecRule REQUEST_FILENAME "@rx ^/manager/index\.php$" "phase:1,id:'1000001',t:none,pass,ctl:ruleRemoveById=340523,ctl:ruleRemoveById=340524"
    </IfModule>

- Press OK to apply the changes.
Note: this issue affects only the rules defined using the LocationMatch directive. For the other rules, removing via Tools & Settings > Web Application Firewall > General > Switch off security rules should work.
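
The Resolution steps can be scripted. The following is an added example, not part of the original article or of Plesk: it parses a log entry like the one above and builds the per-URI directive for the rule ID found in that entry only. The function names and the marker_id parameter are hypothetical, and the sample input is the entry quoted in this article.

```python
import re

# Constructed sample input: the log entry quoted in this article.
SAMPLE = (
    'ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/'
    '50_plesk_basic_asl_rules.conf"] [line "731"] [id "340523"] [rev "5"] '
    '[msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote '
    'File Injection attempt in ARGS (/manager/index.php)"] '
    '[severity "CRITICAL"] Access denied with code 403 (phase 2). Match of '
    '"beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. '
    '[hostname "www.example.com"] [uri "/manager/index.php"] '
    '[unique_id "WShWeH8AAAEAAGUIpxEAAADA"]'
)

# One [key "value"] pair; the value may contain backslash-escaped characters.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_entry(line):
    """Return the [key "value"] fields of one log entry (first value wins)."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields

def build_exclusion(line, marker_id):
    """Build the directive block that switches off the logged rule for its URI.

    marker_id (hypothetical name) is the unique ID of the new SecRule itself;
    the article uses 1000001 as its placeholder.
    """
    fields = parse_entry(line)
    rule_id, uri = fields.get("id", ""), fields.get("uri", "")
    if not re.fullmatch(r"[0-9]+", rule_id):
        raise ValueError("no numeric rule id in log entry")
    # Refuse anything that could break out of the quoted Apache argument.
    if not uri.startswith("/") or re.search(r'["\\\s]', uri):
        raise ValueError("unexpected characters in uri field")
    # Escape regex metacharacters so the exclusion covers this path only.
    pattern = "^" + re.escape(uri) + "$"
    return (
        "<IfModule mod_security2.c>\n"
        f'SecRule REQUEST_FILENAME "@rx {pattern}" '
        f"\"phase:1,id:'{int(marker_id)}',t:none,pass,"
        f'ctl:ruleRemoveById={rule_id}"\n'
        "</IfModule>"
    )

if __name__ == "__main__":
    print(build_exclusion(SAMPLE, 1000001))
```

Review the generated directive before pasting it into Additional Apache directives: every exclusion removes a WAF check for that path.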