Plesk 12.x / Linux :: ModSecurity With Atomic Rules
Jun 9, 2015
I have a Real Time Web Application Security Rules Subscription. I change the ModSecurity Rule Setup and add the Atomic LoginData to Plesk. All looks fine but the ModSecurity Log is now empty.
- Debian 7 with all Updates
- Plesk Version 12.0.18 Update #49
Output from: ~# aum -df upgrade asl
[URL] ....
View 1 Replies
ADVERTISEMENT
Jun 18, 2014
Once Atomic Basic is enabled, the following error appears:
Code:
Failed to install the ModSecurity rule set: modsecurity_ctl failed: gpg: key 4520AFA9: "Atomicorp (Atomicorp Official Signing Key) <support@atomicorp.com>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 gpg: Signature made Tue Jun 17 16:53:49 2014 CEST using RSA key ID 4520AFA9 gpg: Good signature from "Atomicorp (Atomicorp Official Signing Key)
[Code] .....
OS Debian 7.5
Plesk version 12.0.18 Update #4, last updated at June 18, 2014 02:51 AM
View 19 Replies
View Related
Jul 8, 2015
I have 2 server with CENTOS 7 and PLESK 12. In 1 server yum repository atomic is enabled, in the other is disabled. It should be enabled?
View 12 Replies
View Related
Nov 18, 2014
For some time now the Autoinstaller fails and the Plesk control panel becomes inoperable until I run the stop and then start command for the plesk control panel. Looking at the error log: autoinstaller3.log I see the following output:
WARNING: Third-party Yum repository 'atomic' is enabled, installation may fail.
Since you use one or more 3rd-party repos (say, atomic), be careful when installing different package versions from different repos as this may lead to installation failures. For example, you may encounter a problem if you first install PHP from a 3rd-party repo and then upgrade it using the Parallels repo. To avoid such situations, install and upgdare packages from the same repo.
Traceback (most recent call last):
File "/usr/local/psa/bin/yum_install", line 194, in <module>
main()
File "/usr/local/psa/bin/yum_install", line 189, in main
[code]....
The Yum utility failed to install the required packages.Attention! Your software might be inoperable.contact product technical support.Click to expand...
View 2 Replies
View Related
Aug 1, 2014
I want to create logrotate in logrotate.d for modsecurity log.
I find following code, but it don't works.
Code:
/var/log/modsec_audit.log {
rotate 7
compress
missingok
notifempty
sharedscripts
postrotate
/sbin/service httpd reload > /dev/null 2>/dev/null || true
endscript
}
View 1 Replies
View Related
May 26, 2015
I currently have the Web Application Firewall (ModSecurity) installed but would like a visual interface to block IP's, subnets etc.. Can I install the Plesk firewall as well without any conflict with the Web Application Firewall?
View 3 Replies
View Related
Oct 24, 2014
I have enabled modsecurity system and in 1 day the modsec_audit.log file has grown to more than 700Mb. Is there any way to reduce the number of messages that this module logs?
View 4 Replies
View Related
Jun 12, 2014
Error when trying to set atomic subscription rule:
Failed to install the ModSecurity rule set: SecReadStateLimit is depricated, use SecConnReadStateLimit instead.
Syntax error on line 70 of /etc/httpd/conf/modsecurity.d/rules/atomic/modsec/00_asl_zz_strict.conf:
Error creating rule: Could not add entry "127.0.0.0/8" from: 127.0.0.0/8.
In directory /etc/httpd/conf/modsecurity.d/rules I have only: atomic.new modsecurity_crs-plesk tortix tortix.backup
There is no file 00_asl_zz_strict.conf
View 8 Replies
View Related
Sep 9, 2014
Why isnt Plesk 12 configuring firewalld under CentOS 7 correctly? We have to manuella enable port 8443 and all other ports manually with firewall-cmd..
View 1 Replies
View Related
May 18, 2014
I am running Plesk 11.5.30 Update #44, Postfix 2.8.14 and Spamassassin 3.3.1 on a Red Hat Enterprise Linux Server 6.5 server. I am looking to update the rules within Spamassassin. I have had a bit of a look and see that a crontab has been created but its a bash script with a comment saying it has been disabled by psa-spamassassin package (/etc/cron.d/sa-update).
Code:
#!/bin/sh
# This task was disabled by psa-spamassassin package
exit 0
Is there a reason why it has been disabled by Plesk? If I update the rules, will it break something?
I have recently added into Postfix RBLs to reduce the amount of SPAM my customers is getting and this is my next step in a list of things that I would like to change.
View 1 Replies
View Related
Nov 9, 2014
Applying Plesk firewall changes? I make my change, apply and get to:
Status: Applying in progress. If your browser shows connection error messages, or if this screen does not disappear in more than 30 seconds, go to previous page.
And there things stay. Going back to look at the firewall I can see the change haven't been applied, and going to apply just results in the same. No error, just no anything. It also took numerous attempts to get firewall modification to be swtich on although finally at about the eighth attempt changes were enabled. Only now I can't apply them ...
View 5 Replies
View Related
Oct 3, 2014
Plesk 12.x
CentOS 6.5
Any method for copying the Firewall (extension) rules from one server to another.
View 2 Replies
View Related
Aug 17, 2014
I am using the plesk firewall and trying to set up SSH rule which only allows from my IP but deny from everywhere else. In previous versions this worked fine by adding an ip selecting Allow from selected sources, deny from others and the icon in the rules would be orange with the lines
allow incoming from xxx.xxx.xxx.xx
Deny incoming from all others
However this no longer works as the deny from all others is not appearing and is not being generated in the iptables by plesk.
View 1 Replies
View Related
Jul 2, 2015
I just have installed plesk panel and when i get to the "Firewall" tool, then clicked on "Enable Firewall Rules Management", proftpd has stopped working properly.URLs....I have preinstalled the server 2 times, and every time i try to edit the firewall rules, proftpd got broken.
View 10 Replies
View Related
Jul 25, 2014
I would like to know if is possible to export Plesk firewall rules from Plesk 9.5.4 to Plesk 11.5.30 with panel.
View 2 Replies
View Related
Jul 24, 2008
I am having an issue with redirecting our local (inside network) traffic to our new web server via iptables in Linux. The setup we have right now is a Linux server (old web server and current firewall) and a new Windows 2003 server for the new web server.
Linux IP: 192.168.0.1
New Server IP: 192.168.0.22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.22:80
The above works great for everyone outside the office but the internal network still sees the old web server (same box as this firewall).
I thought I could redirect the older server's ip to the new server for the internal office but this did nothing.
-A PREROUTING -p tcp -d 192.168.0.1 --dport 80 -j DNAT --to-destination 192.168.0.22:80
I then changed the 192.168.0.1 to our real ip number and this might be closer but the website now times out (packets getting lost maybe?).
View 3 Replies
View Related
Sep 26, 2007
Im actually under ddos attack.
I'll be life long grateful is some one can tell me how to allow only my IP address to access the whole vps server, to add ddos protection on it in the end.
I already try, but i'm a dummy already on linux interface.
View 3 Replies
View Related
Mar 18, 2007
I recently leased a dedicated server and it has somethign called modsecurity installed and I "think" it is causing me a slight problem. I installed Tikiwiki (using FANTASTICO as teh installer) to put a wiki on my site. Problem: When I edit a page and hit "Save." I get "FOBIDDEN you do not have permission to access /tiki/tiki-editpage.php on this server". After playing around with it all day, I finally asked my server management folks if they could figure out the issue and they said it looked like a "modsecurity" issue. If I understand correctly, modsecurity will clocu URLs that have certain characteristics.
my questions are:
1) How can I determine exactly which modsecurity rule is being violated and
2) How can I remove just taht rule so that things will work with the wiki program?
View 4 Replies
View Related
Nov 30, 2007
I have a site on my server that is running a Flash splash-page and ModSecurity keeps getting tripped when anyone accesses the page.
I am running the default configuration supplied by CPanel 11. The rule that is getting tripped is the XSS rule.
Here is some more info:
Code:
Pattern match "(?:�(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)�W*?=|abort�)|(?:l(?:owsrc�W*?�(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)�W*? ..." at ARGS:texts. [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <src="http:>"] [severity "CRITICAL"]
[30/Nov/2007:12:11:10 --0500] hFuubkMPEAcAAHVLfHgAAAAL 76.118.117.41 62197 67.15.16.7 80
--f2de940f-B--
GET /widgets/business_splash5.swf?nazvanie=Bob+Brewer&skip_intro=SKIP+INTRO&button=gpage.html&
;sloganss=&titl=&zvuk=downloads/DTH_final.mp3&pic1=http://bobbrewer.info/images/bb2_serie
s2.jpg&pic2=http://bobbrewer.info/images/bb2_series2.jpg&pic3=http://bobbrewer.info/images/bb
3_series3.jpg&pic4=http://bobbrewer.info/images/bb_series2.jpg&texts=%3cP+align%3dcenter%3e%3
cFONT+face%3d%22Comic+Sans+MS%22+color%3d%23ffff00+size%3d5%3eBobby+Brewer+Guitarist%3c/FONT%3e%3c/P%
3e++%3cP+align%3dcenter%3e%3cA+class%3dRE+href%3d%22undefined%22%3e%3cIMG+height%3d128+alt%3d%22%22+h
space%3d0+src%3d%22http://bobbrewer.info/images/bb2_series2.jpg%22+width%3d170+border%3d0%3e%3c/A%3e%
3c/P%3e&colorline1=%23BEC7DB&colorline2=%235B71A4&colorline3=%2333ffff&colorline4=&am
p;colorline5=%23BEC7DB&colorname=%2333ffff&colorline6=%235B71A4&colorline7=%23BEC7DB&
colorline8=&colorline9=%23BEC7DB&colorline10=&colorline11=%235B71A4&colorline12=%2333
ffff&colorline13=%23BEC7DB&colortitle=%23000000&colorline14=%2333ffff&colorline17=%23
33ffff&colorline17=%23BEC7DB&colorpolosa2=%235B71A4&colorpolosa1=%23BEC7DB HTTP/1.1
Accept: */*
Referer: http://bobbrewer.info/index.html
x-flash-version: 9,0,28,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: bobbrewer.info
Connection: Keep-Alive
--f2de940f-F--
HTTP/1.1 406 Not Acceptable
Content-Length: 455
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--f2de940f-H--
Message: Access denied with code 406 (phase 2). Pattern match "(?:�(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:e
lec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)�W*?=|abort�)|(?:l(?:owsrc�W*?�(?:(?:ja
va|vb)script|shell)|ivescript)|(?:href|url)�W*? ..." at ARGS:texts. [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <src="http:>"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1196442670313070 6595 (855 5738 -)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a DAV/2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1
The code in his web page that I think is tripping this is:
Code:
<!-- widgets/business_splash5.swf -->
<OBJECT WIDTH="550" HEIGHT="400" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553
540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflas
h.cab#version=7,0,0,0" align="middle" valign="top">
<PARAM NAME=movie VALUE="widgets/business_splash5.swf?nazvanie=Bob+Brewer&skip
_intro=SKIP+INTRO&button=gpage.html&sloganss=&titl=&zvuk=downloads/DTH_final.mp3
&pic1=http://bobbrewer.info/images/bb2_series2.jpg&pic2=http://bobbrewer.info/im
ages/bb2_series2.jpg&pic3=http://bobbrewer.info/images/bb3_series3.jpg&pic4=http
://bobbrewer.info/images/bb_series2.jpg&texts=%3cP+align%3dcenter%3e%3cFONT+face
%3d%22Comic+Sans+MS%22+color%3d%23ffff00+size%3d5%3eBobby+Brewer+Guitarist%3c/FO
NT%3e%3c/P%3e++%3cP+align%3dcenter%3e%3cA+class%3dRE+href%3d%22undefined%22%3e%3
cIMG+height%3d128+alt%3d%22%22+hspace%3d0+src%3d%22http://bobbrewer.info/images/
bb2_series2.jpg%22+width%3d170+border%3d0%3e%3c/A%3e%3c/P%3e&colorline1=%23BEC7D
B&colorline2=%235B71A4&colorline3=%2333ffff&colorline4=&colorline5=%23BEC7DB&col
orname=%2333ffff&colorline6=%235B71A4&colorline7=%23BEC7DB&colorline8=&colorline
9=%23BEC7DB&colorline10=&colorline11=%235B71A4&colorline12=%2333ffff&colorline13
=%23BEC7DB&colortitle=%23000000&colorline14=%2333ffff&colorline17=%2333ffff&colo
rline17=%23BEC7DB&colorpolosa2=%235B71A4&colorpolosa1=%23BEC7DB">
<PARAM NAME="scale" VALUE="noscale">
<PARAM NAME=quality VALUE=high>
<PARAM name="wmode" value="transparent">
<EMBED wmode="transparent" quality="high" WIDTH="550" HEIGHT="400"
src="widgets/business_splash5.swf?nazvanie=Bob+Brewer&skip_intro=SKIP+I
NTRO&button=gpage.html&sloganss=&titl=&zvuk=downloads/DTH_final.mp3&pic1=http://
bobbrewer.info/images/bb2_series2.jpg&pic2=http://bobbrewer.info/images/bb2_seri
es2.jpg&pic3=http://bobbrewer.info/images/bb3_series3.jpg&pic4=http://bobbrewer.
info/images/bb_series2.jpg&texts=%3cP+align%3dcenter%3e%3cFONT+face%3d%22Comic+S
ans+MS%22+color%3d%23ffff00+size%3d5%3eBobby+Brewer+Guitarist%3c/FONT%3e%3c/P%3e
++%3cP+align%3dcenter%3e%3cA+class%3dRE+href%3d%22undefined%22%3e%3cIMG+height%3
d128+alt%3d%22%22+hspace%3d0+src%3d%22http://bobbrewer.info/images/bb2_series2.j
pg%22+width%3d170+border%3d0%3e%3c/A%3e%3c/P%3e&colorline1=%23BEC7DB&colorline2=
%235B71A4&colorline3=%2333ffff&colorline4=&colorline5=%23BEC7DB&colorname=%2333f
fff&colorline6=%235B71A4&colorline7=%23BEC7DB&colorline8=&colorline9=%23BEC7DB&c
olorline10=&colorline11=%235B71A4&colorline12=%2333ffff&colorline13=%23BEC7DB&co
lortitle=%23000000&colorline14=%2333ffff&colorline17=%2333ffff&colorline17=%23BE
C7DB&colorpolosa2=%235B71A4&colorpolosa1=%23BEC7DB"
type="application/x-shockwave-flash" pluginspage=[url]
View 2 Replies
View Related
Feb 22, 2008
how i can install modsecurity 2.5.0?
View 3 Replies
View Related
Oct 3, 2006
Upon reviewing my modsecurity log today, I found an interesting hit from google.
-------------------
Requesting IP: 66.249.65.67 is http://ws.arin.net/cgi-bin/whois.pl?...t=66.249.65.67
Date: 2006-10-03
Time: 07:10:16
Handler: mod_gzip_handler
Get: /page/index/1&show=25,07,2005?php%20echo%20$bmc_vars%5B'site_url'%5D;%20?%3E/profile.php?id=1
Mod_Security-Message: Access denied with code 406. Pattern match "echo " at THE_REQUEST
Mod_Security-Action: 406
------------
The rule that set off this 406 response was:
SecFilterSelective THE_REQUEST "echo "
What I find interesting is that I do not have any such URL structure on this website that google requested.
View 2 Replies
View Related
May 29, 2007
I am running apache 1.3 + modsecurity 1 my problem is i can not use ajax coz of modsecurity is there any way to make ajax work with modsecurity on apache 1 coz i know it's work on apache 2
View 1 Replies
View Related
Oct 20, 2007
where I can find or get the latest, and with better design ruleset for modsecurity? I have one, but it is really old.
View 1 Replies
View Related
Sep 19, 2008
i installed it from whm
cpanel > Manage Plugins > Name: modsecurity > Install and Keep Updated
but its not working
( i think this is add-one for make configuration in Plugins options )
so i want to install it from ssh
i have apache 2.2.9
php 5
View 10 Replies
View Related
Oct 17, 2007
We have a small Hosting reseller account at eNom. We have a new customer that moved his website from another hosting company to ours. The website is on a shared IP. Enom also uses a internal IP for internal use associated to the domain.
The problem we have is that AOL users can not see the website. As far as we can tell no other ISP's are having this problem. Everyone can see it except AOL users.
When AOL users go to the site they get "Page can not be found". After several calls to eNom support and them triple checking the DNS we still have the problem.
I looked at the error log for the website this morning. I found several errors. I looked up the IP's with the errors and they all pointed back to AOL.. See below for two examples of the errors....
Is this a server problem or DNS?
What do these errors mean and what do I do about it?
The domain is http://2hotlicks.com . They sell Hot Sauce.. Would AOL block it because of the keywords in the Domain name?
[Wed Oct 17 08:11:56 2007] [error] [client 207.200.116.7] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/"] [unique_id "uPWvAgoHAlYAAA25N5AAAAAI"]
[Tue Oct 16 13:11:20 2007] [error] [client 207.200.116.137] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/combos.htm"] [unique_id "yddhwAoHAlYAAEEfgyEAAAAi"]
View 2 Replies
View Related
Sep 7, 2014
After install the ModSecurity Web Application Firewall for Apache no button for manageing module is displayed in plesk.
Installation was successful. How can I repair the button in plesk / webbased manage mod_security?
View 13 Replies
View Related
Jul 12, 2007
So I've been working on getting the modsecurity upload scan function to work for over 4 hours now and i'm done with this junk to say the least.
Using modsec 1.9
Cpanel 10x
Apache 1.3
in the modsec.conf
SecUploadDir /tmp
SecUploadApproveScript /usr/local/apache/htdocs/upload_scan.pl
All I get in the audit_log is:
Access denied with code 406. Error verifying files: Received no output from the approver script (execution failed?) "/usr/local/apache/htdocs/upload_scan.pl" ....
View 1 Replies
View Related
Aug 9, 2006
I signed up with Lunarpages a while back for a dedicated server for my business. Good price, managed hosting rocks, decent disk space... little problem once with a huge power outage, but **** happens, cool.
All is well until I wake up this morning to an email a minute about a failed cron job. It smells fishy, so I contact LUnar pages support to see whats up.
They inform me that some asswad had managed to brute force into my server using a temporary account I set up a while back for some tech support. (I prefaced this with 'im an idiot', so no you know why)
Either way, my server now has a rootkit, plus other **** im sure im not aware of... so they propose to move me to a brand new fresh box. im thinking they are gonna charge me a fee for this, a fee for that... no way. All is free of charge.
Im ****ting kittens now.
so im resetting everything up, and i manage to look myself out of my database...(i told you I was an idiot.. and this was a looooong day already)
they fix it. again. no problem...
If you are looking for a dedicated server, go to lunarpages. otherwise you are a freaking idiot as far as I am concerned...
Lunarpages, I love you, I want your babies...
PS: I am in no way affiliated with lunarpages... however, if they want to give me a free year on their servers, i wouldnt complain... *hint hint*
View 0 Replies
View Related
Jul 2, 2009
One of my low knowledge area's is Iptables Rule's I just normally use APF/CSF.
However on a VPS Host node, I basically want to block all access to a certain port let's say 1234 apart from a certain IP address.
However I don't want to block this port on any of the VPS's on the Node, so what Iptable Rule(s) would I need to put into a bash script on startup.
View 7 Replies
View Related
