Articles in this section

Fail2Ban bans the IP address of a website visitor: ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided

Gabriel Aznarez
Updated
Plesk for Linux kb: technical

Applicable to:

  • Plesk for Linux

Symptoms

  • The Apache error log for a Plesk domain contains errors similar to the following examples:

    [error][client 203.0.113.2:0] ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3870.jpeg"] [unique_id "ZRpjIgzA4up"], referer: https://example.com/somepath/2
    [error][client 203.0.113.2:0] ModSecurity: collections_remove_stale: Failed deleting collection (name "SESSION", key "jt69t3bu1l7pelg2i3pl299lrk"): Internal error (specific information not available) [hostname "example.com"] [uri "/images/slider/3871.jpeg"] [unique_id "ZRploq2J4K-FYldo1QPd-QBBBBA"], referer: https://example.com/somepath/2 
    [error][client 203.0.113.2:0] ModSecurity: collection_store: Failed to exclusively lock DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3872.jpeg"] [unique_id "ZRpv0K2J4K"], referer: https://example.com/somepath/2
    [error][client 203.0.113.2] ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3873.jpeg"] [unique_id "ZRpv0NRWFYU"], referer: https://example.com/somepath/2

  • The /var/log/fail2ban.log file contains entries such as the following ones:

    fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2
    fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2
    fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2
    fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2
    fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2
    fail2ban.actions [47008]: NOTICE [plesk-modsecurity] Ban 203.0.113.2

  • The enabled Fail2Ban jail plesk-modsecurity-jail bans the website visitor IP address after the Resource deadlock avoided error is repeated in the apache's site log the Number of failures before the IP address is banned (by default 5).
  • Plesk Obsidian running on a RHEL-based operating system
  • SELinux is in Enforcing mode

Cause

By design ModSecurity logs all domains relevant records in one single log file not allowing simultaneous entries as the file is being used and locked for concurrent logging.

Resolution

As a workaround modify Fail2ban filters to ignore such false positives caused by the concurrent log manipulation attempts from ModSecurity:

  1. Connect to the server via SSH.

  2. Navigate to /etc/fail2ban/filter.d/:

    # cd /etc/fail2ban/filter.d/

  3. Make a backup of the plesk-modsecurity jail configuration file for Fail2Ban with:

    # cp -a plesk-modsecurity.conf plesk-modsecurity.conf-bak

  4. Edit the jail configuration file and adjust the ignoreregex section by adding the collection_store and collections_remove_stale entries as follows:

    Note: There must be a tab before collection_store and collections_remove_stale for the configuration to work.

    [Definition]
    failregex = ^Apache-Error:\s.*?\s\[client\s<HOST>\]
    ignoreregex = collection_store|collections_remove_stale

  5. Save the changes to the file
  6. Go to Plesk > Tools & Settings > IP Address Banning (Fail2Ban) > Jails
  7. Switch the plesk-modsecurity jail Off
  8. Switch the plesk-modsecurity jail On again to reflect the change
Alternatively the plesk-modsecurity jail can be disabled entirely from Fail2Ban

Warning: This option will entirely switch off the banning of IP addresses by Fail2Ban if the causes are related to Web Application Firewall (ModSecurity) rules

1. Log into Plesk.

2. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Jails

3. Switch plesk-modsecurity jail Off

Was this article helpful?

Comments

6 comments
Date Votes
  • Avatar
    Daniel Fellner

    Hi,

    I tried to add collections_remove_stale into the conf file, but I cannot enable the modsecurity jail.

    This would be a great feature if it worked! :)

    1
  • Avatar
    Unknown User

    Doesn't work. 

    The directives:

    collection_store
    collections_remove_stale

    Seem to be invalid

    0
  • Avatar
    Unknown User

    The collection_store and collections_remove_stale need to be in the same column/tab as the ignore regex value. Article doesn't show this correctly.

    ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s\1
                           collection_store
                           collections_remove_stale

    1
  • Avatar
    Josh McKenzie

    So replace the current definition with the ones you provided?
     

    0
  • Avatar
    LRob.fr Web Hosting

    Solution from this article didn't work for me.

    I had success with the following:

    failregex = ^(?:\[.*?\]\s\S*)\s<HOST>\s

    ignoreregex = .*collection_store.* 
             .*collections_remove_stale.* 
             ^.*\s5\.6\.7\.8\s.*5\.6\.7\.8.*
    0
  • Avatar
    Gabriel Aznarez

    Hello,

    Thank you for your comment and the shared ‘failregex’ and ‘ignoreregex’ parameters that worked on your side, Please consider to submit a request to Plesk Support to discuss these settings further.

    Thanks

    0

Please sign in to leave a comment.