Symptoms
- Apache cannot be started and the following error is displayed:
  Template_Exception: AH00526: Syntax error on line 24 of /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/tortix_waf.conf:
  ModSecurity: failed to load IPs from: /etc/asl/whitelist Could not open ipmatch file "/etc/asl/whitelist": No such file or directory
- Not possible to enable ModSecurity:
  modsecurity_ctl failed: START httpd_modules_ctl --enable security2,unique_id apache_control_adapter[29113]: apache_action(restart): invoke_httpd_action failed, trying second time
  modsecurity_ctl failed: [Errno 2] No such file or directory: '/var/asl/bin/aum': '/var/asl/bin/aum'
- Tools & Settings > Web Application Firewall shows the following error:
  Failed to update the ModSecurity rule set: modsecurity_ctl failed: Command '['sed', '-i', '-e', 's#^MODSEC_RULES_PATH\\s*=.*#MODSEC_RULES_PATH="/etc/httpd/conf/modsecurity.d/rules/tortix/modsec"#g', '-e', 's#^RESTART_APACHE\\s*=.*#RESTART_APACHE="no"#g', '-e', 's#^AUTOMATIC_UPDATES\\s*=.*#AUTOMATIC_UPDATES="no"#g', '-e', 's#^MODSEC_50_PLESK\\s*=.*#MODSEC_50_PLESK="yes"#g', '/etc/asl/config']' returned non-zero exit status 2.
- Atomic standard ruleset is in use.
Cause
Issue on the Atomic side. Fixed in 6.0.48-29386.
Resolution
- Connect to the server via SSH.
- Update the Aum utility:
# aum -u
- Log in to Plesk.
- Switch ModSecurity to another ruleset (e.g. Comodo) in Tools and settings > Web application firewall (Modsecurity).
Or via CLI:
- Connect to the server via SSH
# plesk bin server_pref --update-web-app-firewall -waf-rule-set comodo_free
Note: I'll leave it as internal because when Atomic fixes the issue it will be easier to switch back via UI and not mess with this file.
- Connect to the server via SSH
- Create the /etc/asl/whitelist file with your favorite command-line text editor and enter the following as content within it:
127.0.0.1/8
- Save the changes
- Adjust permissions to the file:
# chown tortix:root /etc/asl/whitelist
- Go to Tools and settings > Web application firewall (Modsecurity)
- Turn the WAF on and switch to the Atomic ruleset
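A preflight check for the missing-file condition behind the first symptom, as an added example that is not Plesk's or Atomic's tooling. It assumes the failing rule uses ModSecurity's @ipMatchFromFile operator (alias @ipMatchF), which the page does not show; the function name missing_ipmatch_files and the script name check_ipmatch.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not Plesk or Atomic tooling): report IP-list files that
# ModSecurity rules reference but that are missing or unreadable.
# Assumption: the failing rule uses @ipMatchFromFile or its alias @ipMatchF.
# Limitation: rule file paths containing ':' or '|' are not handled.

missing_ipmatch_files() {
    rules_dir=$1
    # Pipeline stages:
    #   1. find every line that uses the operator (grep prints "file:line")
    #   2. drop rules that are commented out
    #   3. reduce each hit to "rule-file|referenced-path"
    #   4. resolve the path and keep it only if it cannot be read
    missing=$(
        grep -rHE '@ipMatch(FromFile|F)[[:space:]]' "$rules_dir" 2>/dev/null |
        grep -vE '^[^:]*:[[:space:]]*#' |
        sed -E 's/^([^:]*):.*@ipMatch(FromFile|F)[[:space:]]+([^"[:space:]]+).*/\1|\3/' |
        while IFS='|' read -r conf path; do
            case $path in
                http://*|https://*) continue ;;        # remote list, not checked
                /*) ;;                                  # absolute path, use as is
                *) path="$(dirname "$conf")/$path" ;;   # relative to the rule file
            esac
            [ -r "$path" ] || printf '%s\n' "$path"
        done | sort -u
    )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Run against a rules directory when one is given as the first argument, e.g.
#   sh check_ipmatch.sh /etc/httpd/conf/modsecurity.d/rules/tortix/modsec
[ "$#" -eq 0 ] || missing_ipmatch_files "$1"
```

A non-zero exit status with /etc/asl/whitelist in the output corresponds to the "Could not open ipmatch file" error above; run it before restarting Apache after a ruleset update.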
Comments
13 comments
Very bad bug! Many thanks for the workaround but this is causing a lot of unexpected downtime.
Ahh Atomic... I'm using Atomic Advanced (bought from Plesk). I hope you resolve this issue quickly. Workaround works. Thanks.
In the future, I hope Plesk team can develop a method to do a configtest of mod_sec rules before they are applied on a Plesk server.
Hello Steve,
The thing is, the error happens due to a missing file from Atomic installation and config file syntax is perfectly okay. So there is no way to pre-test it from the Plesk side.
Because of this bug, I've switched off Mod Security and now I can't turn it back on.. Even if I try to use Comodo.
modsecurity_ctl failed: START httpd_modules_ctl --enable security2,unique_id apache_control_adapter[38496]: apache_action(restart): invoke_httpd_action failed, trying second time
EDIT: I was able to enable it by running the CLI command provided in the article, and then putting modsec back on in plesk.
Will this page be updated once the bug is fixed?
I was wondering the same thing. I broke one of my servers trying to find out if the problem is fixed. I applied Atomic Advanced Rule set, no errors. But then I discovered that the web server is not serving content correctly. In some instances I was getting an Apache default page.
I ended up deinstalling modsecurity and disabling Reverse Proxy Server (nginx).
Some level of communication from Plesk and/or Atomic here would be great. I was told by Plesk support to follow this page for updates. It's concerning many days have passed with no information.
Donnie Weaver hi!, we have direct communication with Atomic internally. Once they fix the issue we will publish it in this article.
I see this post is updated but I don't see any fix. News?
Filippo Casti the supposed solution is "aum -u"
I don't think so. I can launch "aum -u" and the update goes fine but when I try to switch from "Comodo" to "Atomic Standard free" I have this error:
"modsecurity_ctl failed: [Errno 2] No such file or directory: '/var/asl/bin/aum': '/var/asl/bin/aum"
I was able to enable Atomic rule after running "aum -u" but the rules list is empty. Seems like it's still broken.