Applicable to:
- Plesk for Linux
Symptoms
-
The Apache error log for a Plesk domain contains errors similar to the following examples:
CONFIG_TEXT: [error][client 203.0.113.2:0] ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3870.jpeg"] [unique_id "ZRpjIgzA4up"], referer: https://example.com/somepath/2
[error][client 203.0.113.2] ModSecurity: collections_remove_stale: Failed deleting collection (name "SESSION", key "jt69t3bu1l7pelg2i3pl299lrk"): Internal error (specific information not available) [hostname "example.com"] [uri "/images/slider/3871.jpeg"] [unique_id "ZRploq2J4K-FYldo1QPd-QBBBBA"], referer: https://example.com/somepath/2
[error][client 203.0.113.2:0] [client 203.0.113.2] ModSecurity: collection_store: Failed to exclusively lock DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3872.jpeg"] [unique_id "ZRpv0K2J4K"], referer: https://example.com/somepath/2
[error][client 203.0.113.2] ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3873.jpeg"] [unique_id "ZRpv0NRWFYU"], referer: https://example.com/somepath/2 -
The
/var/log/fail2ban.logfile contains entries such as the following ones:CONFIG_TEXT: fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:50:00
fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
fail2ban.actions [47008]: NOTICE [plesk-modsecurity] Ban 203.0.113.2 -
The enabled Fail2Ban jail plesk-modsecurity-jail bans the website visitor IP address after the
Resource deadlock avoidederror is repeated in the apache's site log the Number of failures before the IP address is banned (by default 5). -
Plesk Obsidian running on a RHEL-based operating system
-
SELinux is in Enforcing mode
Cause
ModSecurity logs all domains relevant records in one only log file, then this does not allow simultaneous log entries because the file is being used and hence locked for concurrent logging. This inconvenience with the ModSecurity design is tied single instance of logs use for all domains instead of using multiple files for separate domains.
Resolution
-
Connect to the server via SSH.
-
Navigate to
/etc/fail2ban/filter.d/:# cd /etc/fail2ban/filter.d/
-
Make a backup of the plesk-modsecurity jail configuration file for Fail2Ban with:
# cp -a plesk-modsecurity.conf plesk-modsecurity.conf-bak
-
Edit the jail configuration file and adjust the
ignoreregexsection by adding thecollection_storeandcollections_remove_staleentries as follows:CONFIG_TEXT: ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s\1
collection_store
collections_remove_stale -
Save the changes to the file
-
Go to Plesk > Tools & Settings > IP Address Banning (Fail2Ban) > Jails
-
Switch the plesk-modsecurity jail Off
-
Switch the plesk-modsecurity jail On again
Warning: This option will entirely switch off the banning of IP addresses by Fail2Ban if the causes are related to Web Application Firewall (ModSecurity) rules
2. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Jails
3. Switch plesk-modsecurity jail Off
Comments
1 comment
Hi,
I tried to add collections_remove_stale into the conf file, but I cannot enable the modsecurity jail.
This would be a great feature if it worked! :)
Please sign in to leave a comment.