Applicable to:
- Plesk for Linux
Symptoms
-
The Apache error log for a Plesk domain contains errors similar to the following examples:
[error][client 203.0.113.2:0] ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3870.jpeg"] [unique_id "ZRpjIgzA4up"], referer: https://example.com/somepath/2
[error][client 203.0.113.2] ModSecurity: collections_remove_stale: Failed deleting collection (name "SESSION", key "jt69t3bu1l7pelg2i3pl299lrk"): Internal error (specific information not available) [hostname "example.com"] [uri "/images/slider/3871.jpeg"] [unique_id "ZRploq2J4K-FYldo1QPd-QBBBBA"], referer: https://example.com/somepath/2
[error][client 203.0.113.2:0] [client 203.0.113.2] ModSecurity: collection_store: Failed to exclusively lock DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3872.jpeg"] [unique_id "ZRpv0K2J4K"], referer: https://example.com/somepath/2
[error][client 203.0.113.2] ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3873.jpeg"] [unique_id "ZRpv0NRWFYU"], referer: https://example.com/somepath/2 -
The
/var/log/fail2ban.log
file contains entries such as the following ones:fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:50:00
fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
fail2ban.actions [47008]: NOTICE [plesk-modsecurity] Ban 203.0.113.2 -
The enabled Fail2Ban jail plesk-modsecurity-jail bans the website visitor IP address after the
Resource deadlock avoided
error is repeated in the apache's site log the Number of failures before the IP address is banned (by default 5). -
Plesk Obsidian running on a RHEL-based operating system
-
SELinux is in Enforcing mode
Cause
ModSecurity logs all domains relevant records in one only log file, then this does not allow simultaneous log entries because the file is being used and hence locked for concurrent logging. This inconvenience with the ModSecurity design is tied single instance of logs use for all domains instead of using multiple files for separate domains.
Resolution
-
Connect to the server via SSH.
-
Navigate to
/etc/fail2ban/filter.d/
:# cd /etc/fail2ban/filter.d/
-
Make a backup of the plesk-modsecurity jail configuration file for Fail2Ban with:
# cp -a plesk-modsecurity.conf plesk-modsecurity.conf-bak
-
Edit the jail configuration file and adjust the
ignoreregex
section by adding thecollection_store
andcollections_remove_stale
entries as follows:Note: There must be a tab before
collection_store
andcollections_remove_stale
for the configuration to work.ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s\1
collection_store
collections_remove_stale -
Save the changes to the file
-
Go to Plesk > Tools & Settings > IP Address Banning (Fail2Ban) > Jails
-
Switch the plesk-modsecurity jail Off
-
Switch the plesk-modsecurity jail On again
Warning: This option will entirely switch off the banning of IP addresses by Fail2Ban if the causes are related to Web Application Firewall (ModSecurity) rules
2. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Jails
3. Switch plesk-modsecurity jail Off
Comments
3 comments
Hi,
I tried to add collections_remove_stale into the conf file, but I cannot enable the modsecurity jail.
This would be a great feature if it worked! :)
Doesn't work.
The directives:
collection_store
collections_remove_stale
Seem to be invalid
The collection_store and collections_remove_stale need to be in the same column/tab as the ignore regex value. Article doesn't show this correctly.
ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s\1
collection_store
collections_remove_stale
Please sign in to leave a comment.