Comodo rule-set does not work: Failed to write to DBM file "/var/cache/modsecurity/ip": Invalid argument

Comments

20 comments

  • Gerasimos Perentidis

    There is a typo in this command:

    /usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php –f UpdateModSecurityRuleSet

    The –f does NOT have a dash character when you paste it into the SSH console.

    Change it to a proper dash ( - ) before executing the command.
    Otherwise it will try to run all the daily maintenance commands and it will take forever to complete.

  • Nikolay Zhmuk

    @Gerasimos Perentidis thanks for the input. The article has been updated.

  • Alban Staehli

    Have tried steps 1 to 3, still have the exact same error message.

  • Iman GM (Edited)

    Hi,

    I have the same problem but this didn't help me ... By the way, I've disabled all Tags and then enabled them one by one and finally figured out that my problem was with the "initialization" collection.

    Not sure why this is happening, and is there any way to fix it instead of disabling the collection...

    Yours,
    Iman

  • Nikolay Zhmuk

    @Alban Staehli @Iman GM I suggest you contact regular support for further investigation: https://support.plesk.com/hc/en-us/requests/new

  • John Donson (Edited)

    Could not figure out why all my websites were offline for the past 5 hours..

    So after messing around for an hour I found this page by googling the subject of this page after finding it in the modsecurity log.

    Anyway when I run the first fix :

    # /usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php -f UpdateModSecurityRuleSet

    I thought it was separate commands and didn't notice it was actually one command, so embarrassingly I could understand why it was just hanging..

    But after it did the update the problem persisted.

    I also had a modsecurity log file of 60 MB and that killed everything too, so I had to manually delete it.

    So I had to follow through with the rest of the security fixes right down to turning off brute force.

    And now finally the sites are back up after un-banning everyone in fail2ban.

    Hope my lessons help someone.

    UPDATE: Noticed the ModSecurity firewall wasn't working at all. So disabled it and then re-enabled it. Now it's working again but the log file is filling up like nobody's business with tons of 'Message: collection_store: Failed to write to DBM file "/var/cache/modsecurity/ip": Invalid argument' - HELP? Anyone?

    UPDATE2: And now I am banned from my own server. Going to try to get remote console up.

    UPDATE3: Disabled Fail2Ban and Re-Enabled it. Also the Nginx server had died too. This is all not going well. Seems Nginx and Apache are now falling over repeatedly.

    This is what is spamming the log file (all similar)...

    --a0560e23-A--
    [04/Oct/2017:07:35:16 +0000] WdSPNEkkg8YDz@ZhxFwQJgAAAJM 81.123.123.123 50222 81.123.123.123 7080
    --a0560e23-B--
    GET /assets/img/portlet-expand-icon-white.png HTTP/1.0
    Host: www.secret.com
    X-Real-IP: 81.123.123.123
    X-Accel-Internal: /internal-nginx-static-location
    Connection: close
    Accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1
    Accept-Language: en-gb
    Referer: http://www.privatedomain.com
    Accept-Encoding: gzip, deflate

    --a0560e23-F--
    HTTP/1.1 200 OK
    X-Accel-Version: 0.01
    Last-Modified: Tue, 18 Mar 2014 12:16:22 GMT
    ETag: "f0-4f4e0810ff180"
    Accept-Ranges: bytes
    Content-Length: 240
    X-Powered-By: PleskLin
    Connection: close
    Content-Type: image/png

    --a0560e23-H--
    Message: collection_store: Failed to write to DBM file "/var/cache/modsecurity/ip": Invalid argument
    Stopwatch: 1507102516243940 4994 (- - -)
    Stopwatch2: 1507102516243940 4994; combined=3591, p1=261, p2=2985, p3=30, p4=48, p5=168, sr=39, sw=99, l=0, gc=0
    Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
    Server: Apache
    Engine-Mode: "ENABLED"

    --a0560e23-Z--

    -----------------

    UPDATE 4: Server is just not responding.. tried restarting HTTPD, NGINX and disabling FAIL2BAN via console. But nothing is coming up. Not a good day.
    UPDATE 5: Rebooted. Still issue. Even with FAIL2BAN deactivated I could still not even see the console. Eventually I VPN'd to a new IP and then pulled up the Plesk control panel and killed Comodo/ModSecurity. There are now thousands of IP's in the Fail2Ban list. (very popular website is hosted on this server)

    So there is something else in the Comodo/ModSecurity that is causing an issue.

    Here is another example.

    --b43bba1b-A--
    [04/Oct/2017:09:41:15 +0000] WdSsu4OyryonButxnLDzXwAAANU 81.123.123.123 58346 181.123.123.123 7080
    --b43bba1b-B--
    GET /assets/img/sidebar.jpg HTTP/1.0
    Host: www.privatedomain.com
    X-Real-IP: 71.123.123.123
    X-Accel-Internal: /internal-nginx-static-location
    Connection: close
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: http://www.privatedomain.com/
    Accept-Language: en-GB
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
    Accept-Encoding: gzip, deflate
    If-Modified-Since: Tue, 18 Mar 2014 12:16:20 GMT
    If-None-Match: "237-4f4e080f16d00"

    --b43bba1b-F--
    HTTP/1.1 304 Not Modified
    X-Accel-Version: 0.01
    Last-Modified: Tue, 18 Mar 2014 12:16:20 GMT
    ETag: "237-4f4e080f16d00"
    Accept-Ranges: bytes
    Content-Length: 0
    X-Powered-By: PleskLin
    Connection: close
    Content-Type: image/jpeg

    --b43bba1b-H--
    Message: collection_store: Failed to write to DBM file "/var/cache/modsecurity/ip": Invalid argument
    Stopwatch: 1507110075728832 5010 (- - -)
    Stopwatch2: 1507110075728832 5010; combined=3669, p1=327, p2=3023, p3=28, p4=77, p5=141, sr=41, sw=73, l=0, gc=0
    Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
    Server: Apache
    Engine-Mode: "ENABLED"

    --b43bba1b-Z--

    ------------------------------------

    UPDATE 6: I am stuck. HELP. No ModSecurity Active. Vulnerable and can't activate Comodo without getting everyone banned.

    SOS - HELP - SOS - HELP!

    UPDATE 7: Well 5 hours have passed - No help - My comment is still pending approval and I hope my websites don't get hacked while I wait.
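    As an added triage helper (not from the Plesk article or any commenter), the following POSIX shell/awk script scans a ModSecurity serial audit log in the layout quoted above and reports how many transactions hit the collection_store DBM write failure and which client IPs they came from; the embedded sample log is constructed, and the audit-log path in the comment is only an example.

```shell
#!/bin/sh
# Added triage helper: scan a ModSecurity serial audit log (sections --ID-A-- ... --ID-Z--)
# and report the transactions whose H section carries the collection_store DBM write failure.
# On a real server run e.g.: count_dbm_failures "$(cat /var/log/httpd/modsec_audit.log)"

# Constructed sample in the layout of the excerpts posted above (IDs and IPs are made up).
SAMPLE_LOG='--a0560e23-A--
[04/Oct/2017:07:35:16 +0000] WdSPNEkkg8YDz@ZhxFwQJgAAAJM 81.123.123.123 50222 81.123.123.123 7080
--a0560e23-B--
GET /assets/img/portlet-expand-icon-white.png HTTP/1.0
--a0560e23-H--
Message: collection_store: Failed to write to DBM file "/var/cache/modsecurity/ip": Invalid argument
--a0560e23-Z--
--b43bba1b-A--
[04/Oct/2017:09:41:15 +0000] WdSsu4OyryonButxnLDzXwAAANU 71.123.123.123 58346 181.123.123.123 7080
--b43bba1b-H--
Message: collection_store: Failed to write to DBM file "/var/cache/modsecurity/ip": Invalid argument
--b43bba1b-Z--
--c1d2e3f4-A--
[04/Oct/2017:09:42:00 +0000] WdStAAAAAAAAAAAAAAAAAAAAAAAA 203.0.113.9 40000 181.123.123.123 7080
--c1d2e3f4-H--
Message: Access denied with code 403 (phase 2).
--c1d2e3f4-Z--'

# Number of distinct transactions (audit-log IDs) whose H section reports the DBM write failure.
count_dbm_failures() {
    printf '%s\n' "$1" | awk '
        /^--[0-9a-f]+-A--$/ { id = $0; sub(/^--/, "", id); sub(/-A--$/, "", id) }
        /collection_store: Failed to write to DBM file/ { hit[id] = 1 }
        END { n = 0; for (k in hit) n++; print n }'
}

# Distinct client IPs (4th field of the A-section timestamp line) of the failing transactions.
dbm_failure_clients() {
    printf '%s\n' "$1" | awk '
        /^--[0-9a-f]+-A--$/ { if (getline > 0) client = $4 }
        /collection_store: Failed to write to DBM file/ && !(client in seen) { seen[client] = 1; print client }' |
        sort
}

echo "transactions with DBM write failures: $(count_dbm_failures "$SAMPLE_LOG")"
echo "client IPs affected:"
dbm_failure_clients "$SAMPLE_LOG"
```

    A high count spread over ordinary clients (as in the excerpts above) points at the collection file rather than at the traffic, so the rule set or the ip.pag/ip.dir files are the thing to look at before touching fail2ban.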

  • Rob Taylor

    I am also seeing this same issue starting today; I have followed the recommended steps with no positive result.

    I have disabled the 'Initialization' collection as mentioned by Iman and that does appear to have resolved the issue.

    Can you update this article with any further information / permanent fixes?

    Thanks
    Rob

  • Alban Staehli (Edited)

    Just to mention that the removal of the initialization collection for COMODO brought even more issues (Could not set variable "ip.dos_counter" as the collection does not exist.).

    Therefore, I switched to Atomic -> basic rule is empty, nothing gets downloaded to the /etc/httpd/conf/modsecurity.d/rules/ path. And the WAF doesn't seem to work with no rules...

    So I found that you can actually get a registration for 1 year time for free at
    https://www.atomicorp.com/amember/cart/index/product/id/104/c/6

    And use the subscription mode.

  • Adrian Gomez

    The error continues to exist after doing all those steps, other ideas?

    Thanks
  • Alex Davydov

    Have tried ALL steps, still have same error.

  • Benjamin Zeußel

    None of the suggested options worked for me.

    Deactivating the "initialization" collection, as @Iman GM mentioned, was the only working method for me.

  • Alex Davydov

    Comodo just released 1.142 which does fully fix the problem.

  • Natalia Astashenko

    @Alex Davydov Thank you for sharing the information.

    @John Donson @Rob Taylor @Alban Staehli @Adrian Gomez @Alex Davydov @Benjamin Zeußel Please try to update the rule set using the command:

    # /usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php -f UpdateModSecurityRuleSet

    The installed version can be checked in the following way:

    # cat /etc/httpd/conf/modsecurity.d/rules/comodo/rules.dat

    If it does not help, contact Comodo or ModSecurity support to investigate the issue further.

  • Benjamin Zeußel (Edited)

    @Natalia Astashenko: after the auto update yesterday, everything seems to work again.
    On Ubuntu the location of the rules.dat is "/etc/apache2/...

    So here is the command for copy&paste:

    # cat /etc/apache2/conf/modsecurity.d/rules/comodo/rules.dat

  • Alban Staehli

    @Natalia Astashenko @Alex Davydov

    Thx - since the update to comodo rules 1.142, the issue is fixed.

  • Natalia Astashenko

    @Benjamin Zeußel Thank you. I have updated the article accordingly.

  • Alban Staehli (Edited)

    Have another issue now when accessing WP admin sections - have reported it to Comodo. The errors below bring a false-positive ban:

    Message: Could not set variable "SESSION.TIMEOUT" as the collection does not exist.
    Message: Could not set variable "SESSION.wp_add" as the collection does not exist.
    Message: Could not expire variable "SESSION.wp_add" as the collection does not exist.

  • Alban Staehli

    In regards to cleaning ip.pag & ip.dir, here's the way I do it with modsec-sdbm-util. I don't think just the -k option without any other parameters works.

    #!/bin/sh
    # Rebuild the persistent "ip" collection without its expired entries, then swap it in.
    # With -n, modsec-sdbm-util writes the rebuilt copy as new_db.pag/new_db.dir into the -D directory.
    /path/to/modsec-sdbm-util -D /var/cache/modsecurity -v -n /var/cache/modsecurity/ip.pag || exit 1

    # Never remove the live database unless the rebuilt one actually exists.
    [ -f /var/cache/modsecurity/new_db.pag ] && [ -f /var/cache/modsecurity/new_db.dir ] || exit 1

    /usr/bin/rm -f /var/cache/modsecurity/ip.pag
    /usr/bin/rm -f /var/cache/modsecurity/ip.dir
    # Apache must own the new files, otherwise ModSecurity cannot write to the collection.
    /usr/bin/chown apache:apache /var/cache/modsecurity/new_db.pag
    /usr/bin/chown apache:apache /var/cache/modsecurity/new_db.dir
    /usr/bin/mv -f /var/cache/modsecurity/new_db.pag /var/cache/modsecurity/ip.pag
    /usr/bin/mv -f /var/cache/modsecurity/new_db.dir /var/cache/modsecurity/ip.dir

  • Alban Staehli

    Still encountering this problem with version 1.149 of Comodo and the regularly running script calling modsec-sdbm-util.

  • Denis Bykov

    @Alban, in order to address the issue properly, further investigation is required. It can be a separate issue.

    I suggest contacting regular support for further investigation: https://support.plesk.com/hc/en-us/articles/213409109
