Articles in this section

See more

Fail2Ban bans the IP address of a website visitor: ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided

Avatar
Gabriel Aznarez
Updated
Plesk for Linux kb: technical

Applicable to:

  • Plesk for Linux

Symptoms

  • The Apache error log for a Plesk domain contains errors similar to the following examples:

    [error][client 203.0.113.2:0] ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3870.jpeg"] [unique_id "ZRpjIgzA4up"], referer: https://example.com/somepath/2
    [error][client 203.0.113.2:0] ModSecurity: collections_remove_stale: Failed deleting collection (name "SESSION", key "jt69t3bu1l7pelg2i3pl299lrk"): Internal error (specific information not available) [hostname "example.com"] [uri "/images/slider/3871.jpeg"] [unique_id "ZRploq2J4K-FYldo1QPd-QBBBBA"], referer: https://example.com/somepath/2
    [error][client 203.0.113.2:0] ModSecurity: collection_store: Failed to exclusively lock DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3872.jpeg"] [unique_id "ZRpv0K2J4K"], referer: https://example.com/somepath/2
    [error][client 203.0.113.2] ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3873.jpeg"] [unique_id "ZRpv0NRWFYU"], referer: https://example.com/somepath/2

  • The /var/log/fail2ban.log file contains entries such as the following ones:

    fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:50:00
    fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
    fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
    fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
    fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
    fail2ban.actions [47008]: NOTICE [plesk-modsecurity] Ban 203.0.113.2

  • The enabled Fail2Ban jail plesk-modsecurity-jail bans the website visitor IP address after the Resource deadlock avoided error is repeated in the apache's site log the Number of failures before the IP address is banned (by default 5).

  • Plesk Obsidian running on a RHEL-based operating system

  • SELinux is in Enforcing mode

Cause

By design ModSecurity logs all domains relevant records in one single log file not allowing simultaneous entries as the file is being used and locked for concurrent logging.

Resolution

As a workaround modify Fail2ban filters to ignore such false positives caused by the concurrent log manipulation attempts from ModSecurity:

  1. Connect to the server via SSH.

  2. Navigate to /etc/fail2ban/filter.d/:

    # cd /etc/fail2ban/filter.d/

  3. Make a backup of the plesk-modsecurity jail configuration file for Fail2Ban with:

    # cp -a plesk-modsecurity.conf plesk-modsecurity.conf-bak

  4. Edit the jail configuration file and adjust the ignoreregex section by adding the collection_store and collections_remove_stale entries as follows:

    Note: There must be a tab before collection_store and collections_remove_stale for the configuration to work.

    [Definition]
    failregex = ^Apache-Error:\s.*?\s[client\s<HOST>]
    ignoreregex = collection_store|collections_remove_stale

  5. Save the changes to the file

  6. Go to Plesk > Tools & Settings > IP Address Banning (Fail2Ban) > Jails

  7. Switch the plesk-modsecurity jail Off

  8. Switch the plesk-modsecurity jail On again to reflect the change

Alternatively the plesk-modsecurity jail can be disabled entirely from Fail2Ban

Warning: This option will entirely switch off the banning of IP addresses by Fail2Ban if the causes are related to Web Application Firewall (ModSecurity) rules

1. Log into Plesk.

2. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Jails

3. Switch plesk-modsecurity jail Off

Comments

3 comments

Sort by Date Votes
  • Avatar
    Unknown User

    Hi,

    I tried to add collections_remove_stale into the conf file, but I cannot enable the modsecurity jail.

    This would be a great feature if it worked! :)

    1
  • Avatar
    Unknown User

    Doesn't work. 

    The directives:

    collection_store
    collections_remove_stale

    Seem to be invalid

    0
  • Avatar
    Unknown User

    The collection_store and collections_remove_stale need to be in the same column/tab as the ignore regex value. Article doesn't show this correctly.

    ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s\1
                           collection_store
                           collections_remove_stale

    1

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles