Plesk 12 log

wmgilligan
Forum User
Posts: 8
Joined: Tue Sep 14, 2010 10:27 am


Unread post by wmgilligan »

Hi,
I just started using the free 10 day trial.
I have Plesk 12.5 on CentOS 7

In detect only mode it seems to be working fine, but I have questions on something in the log, and what would happen if I switched it on from detect only.

The log shows (multiple times):
==============
Message: [file "/etc/httpd/conf/modsecurity.d/rules/atomic/modsec/20_asl_useragents.conf"] [line "369"] [id "397989"] [rev "1"] [msg "Atomicorp.com WAF Rules: Fake MSIE 6.0 detected"] [severity "WARNING"] Warning. Match of "rx (MS Web Services Client Protocol|WormlyBot)" against "REQUEST_HEADERS:User-Agent" required.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Stopwatch: 1461675133625308 2960 (- - -)
Stopwatch2: 1461675133625308 2960; combined=1391, p1=72, p2=1254, p3=16, p4=29, p5=20, sr=6, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); 0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"
===============

What is this telling me?
It looks like ALS detected the wormly bot pretending to be MSIE 6.0 - correct?

What would happen if ALS was actually on? Would it block this?

What is wormly bot (besides a bot)... is it destructive?

Thanks!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Plesk 12 log

Unread post by mikeshinn »

Thanks for the questions. The short answer is yes, ASL would block this if it was in block mode. If you use the ASL gui, just use the ASL gui to look at modsecurity events. Don't bother with audit_log events, they really aren't human friendly. The ASL gui will present these events in an easy to understand human readable format, so you won't need to look at the debug audit_log. So I recommend you use the ASL gui.

As for what that debug information from your audit_log events means, these are the parts and what they mean:

[file "/etc/httpd/conf/modsecurity.d/rules/atomic/modsec/20_asl_useragents.conf"]

The rule file that contains the rule triggered.

[line "369"]

Line in the rule file that contains the beginning of the rule triggered (rules may span many many lines, and even additional files; this is just the start of the match, but not necessarily the start of the entire logic tree that got to there).

[id "397989"]

The unique rule id.

[rev "1"]

The revision of the rule (this is optional).

[msg "Atomicorp.com WAF Rules: Fake MSIE 6.0 detected"]

The message statement for the rule.

[severity "WARNING"] Warning.

The severity level for the rule.

Match of "rx (MS Web Services Client Protocol|WormlyBot)" against "REQUEST_HEADERS:User-Agent" required.

Debugging information that communicates what part of the rule chain was the last one triggered as part of the match. In this case it's a regular expression that says "Anything but these agents". So to answer your question, that means "Not WormlyBot".

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s

Debugging information related to the way apache is going to handle this condition, for instance will it change the error code, allow the request, deny it, etc.

Stopwatch: 1461675133625308 2960 (- - -)

Timing information that details the work effort involved in processing the rule on that system at that time given the load on the system.

Stopwatch2: 1461675133625308 2960; combined=1391, p1=72, p2=1254, p3=16, p4=29, p5=20, sr=6, sw=0, l=0, gc=0

Timing information that details the work effort involved (the stop point) in processing the rule on that system at that time given the load on the system.

Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); 0.

The version and type of modsecurity loaded into the webserver at the time, and the version of the rules loaded. This tells me the system isn't using ASL but something else to load the rules, as ASL would have set 0 to the version of the rules. If you are using ASL, check to make sure it's managing modsecurity and not Plesk.

Server: Apache

The web server type.

Engine-Mode: "DETECTION_ONLY"

The mode the engine is in.

You can also find each rule documented in our wiki, which will explain what the rule does in ways that the apache audit_logs could never do:

https://www.atomicorp.com/wiki/index.ph ... WAF_397989
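The field-by-field walk-through above maps directly onto a small parser. The following is an added example (not code from the thread, Atomicorp or the ModSecurity project) that splits the quoted audit_log "H" section into its header lines, pulls the bracketed tags and the operator detail out of the Message: line, and turns the Stopwatch2 counters into integers. The sample section is the one quoted in the question, embedded here as constructed input; the dictionary keys and the summarize() wording are this example's own choices.

```python
import re

# Constructed sample: the audit_log H section quoted in the question above
SAMPLE_H_SECTION = """\
Message: [file "/etc/httpd/conf/modsecurity.d/rules/atomic/modsec/20_asl_useragents.conf"] [line "369"] [id "397989"] [rev "1"] [msg "Atomicorp.com WAF Rules: Fake MSIE 6.0 detected"] [severity "WARNING"] Warning. Match of "rx (MS Web Services Client Protocol|WormlyBot)" against "REQUEST_HEADERS:User-Agent" required.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Stopwatch: 1461675133625308 2960 (- - -)
Stopwatch2: 1461675133625308 2960; combined=1391, p1=72, p2=1254, p3=16, p4=29, p5=20, sr=6, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); 0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"
"""

# [name "value"] tags; the value may contain escaped quotes
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# operator detail: Match of "<operator> <pattern>" against "<variable>" required.
MATCH_RE = re.compile(r'Match of "(\w+) (.*?)" against "([^"]+)" required\.')


def parse_message(text):
    """Split one Message: value into its tags (file, line, id, rev, msg, severity)
    and the free text that follows them (the action word plus operator detail)."""
    event = dict(TAG_RE.findall(text))
    free = TAG_RE.sub("", text).strip()
    # the free text opens with the action, e.g. "Warning." or
    # "Access denied with code 403 (phase 2).", then the operator detail
    action, _, detail = free.partition(". ")
    event["action"] = action.rstrip(".")
    event["detail"] = detail.strip()
    m = MATCH_RE.search(free)
    if m:
        event["operator"], event["pattern"], event["variable"] = m.groups()
    return event


def parse_h_section(section):
    """Parse the 'Name: value' lines of an audit_log H section into a dict.
    Every Message: line becomes an entry in record["messages"]."""
    record = {"messages": []}
    for line in section.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if name == "Message":
            record["messages"].append(parse_message(value))
        else:
            record[name] = value
    if "Engine-Mode" in record:
        record["Engine-Mode"] = record["Engine-Mode"].strip('"')
    # Stopwatch2 carries per-phase microsecond counters after the semicolon
    if "Stopwatch2" in record:
        _, _, counters = record["Stopwatch2"].partition(";")
        record["timing_us"] = {
            k: int(v) for k, v in (c.strip().split("=") for c in counters.split(","))
        }
    return record


def summarize(record):
    """One human-readable line per rule hit, noting whether the engine enforces."""
    mode = record.get("Engine-Mode", "unknown")
    enforced = "not enforced (engine mode %s)" % mode if mode == "DETECTION_ONLY" else "engine mode %s" % mode
    lines = []
    for ev in record["messages"]:
        lines.append(
            "rule %s rev %s [%s] %s: %s against %s; %s"
            % (ev.get("id"), ev.get("rev"), ev.get("severity"), ev.get("msg"),
               ev.get("operator"), ev.get("variable"), enforced)
        )
    return lines


if __name__ == "__main__":
    rec = parse_h_section(SAMPLE_H_SECTION)
    for line in summarize(rec):
        print(line)
    print("slowest phase (us):", max(rec["timing_us"], key=rec["timing_us"].get))
```

Run on the sample it prints a single line for rule 397989 and reports p2 (request body phase) as the phase that consumed most of the 1391 microseconds, which is the kind of view the GUI gives you without reading raw audit_log entries.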
wmgilligan
Forum User
Posts: 8
Joined: Tue Sep 14, 2010 10:27 am

Re: Plesk 12 log

Unread post by wmgilligan »

Where is the GUI in Plesk 12.5?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Plesk 12 log

Unread post by mikeshinn »

https://your_host_name_or_ip:30000
wmgilligan
Forum User
Posts: 8
Joined: Tue Sep 14, 2010 10:27 am

Re: Plesk 12 log

Unread post by wmgilligan »

I think I am missing some information....

I went thru the "web application firewall" in Plesk 12.5.30 and selected the Atomic Mod Security (subscription) option.
And entered username, etc. - that's it...
There is much other info provided - so I suspect I am missing that...

Going to the url you give ends up with: "This site can’t be reached"

B
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Plesk 12 log

Unread post by mikeshinn »

Ah, that explains it, you don't have ASL installed, just the modsecurity rules. If you want to use the full ASL suite, you'll need to install ASL. Just add a trial license to your account from the URL below:

https://www.atomicorp.com/amember/member

and install ASL as root with this command:

wget -q -O - https://updates.atomicorp.com/installers/asl |sh

Please shoot an email to support AT atomicorp DOT com if you'd like us to do this for you.
wmgilligan
Forum User
Posts: 8
Joined: Tue Sep 14, 2010 10:27 am

Re: Plesk 12 log

Unread post by wmgilligan »

Thanks for the info.

Before I move forward and do this install - I experienced an issue last night that seems directly tied to the trial subscription?

Last night Plesk attempted to update the rules, but it failed.
When that happened, it seems my whole server was essentially off line.

I do have CSF/LFD running as well - they said they thought it was that, but when I logged into Plesk, there was a bright error message from modsecurity saying an update failed. The log from last night shows (which is the exact time it also stopped responding):

Can you tell if this is related?
====
[Fri Apr 29 21:06:54.673744 2016] [ssl:warn] [pid 23258:tid 139766497531968] AH01909: RSA certificate configured for default-199_193_116_131:443 does NOT include an ID which matches the server name
[Fri Apr 29 21:06:54.674072 2016] [ssl:warn] [pid 23258:tid 139766497531968] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Apr 29 21:06:54.674090 2016] [:notice] [pid 23258:tid 139766497531968] ModSecurity: Loaded 0 rules from: 'https://updates.atomicorp.com/channels/ ... ators.conf'.
[Fri Apr 29 21:06:54.674092 2016] [:notice] [pid 23258:tid 139766497531968] ModSecurity: Problems loading external resources: Failed to download: "https://updates.atomicorp.com/channels/ ... ators.conf" error: Couldn't resolve host name.
[Fri Apr 29 21:06:54.684276 2016] [mpm_event:notice] [pid 23258:tid 139766497531968] AH00489: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips Apache mod_fcgid/2.3.9 mod_perl/2.0.9-dev Perl/v5.16.3 configured -- resuming normal operations
[Fri Apr 29 21:06:54.684297 2016] [core:notice] [pid 23258:tid 139766497531968] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
====
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Plesk 12 log

Unread post by faris »

I can't comment on this particular incident, but in general ASL is pretty resilient, and rolls back if problems are detected. For example, if apache fails to restart after new rules are downloaded and installed for any reason, the rules are rolled back, and apache restarted.

In this case all that seems to have happened is that the server couldn't resolve the download domain. That would be a minor issue which would not take your server down. In fact the firewall issue may well have prevented the download from happening, so the failed download would just be a symptom of the root cause, rather than the cause. This is just a guess of course. Again I emphasise I can't comment on your particular issue. I'm just making general comments.

Incidentally, I'd suggest allowing the ASL guys to install the trial for you. As you have various other things installed, like a third party firewall, it might be a good idea to let them take a look and make sure there are no conflicts.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
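The reading above (download failed, Apache nonetheless came back up) can be checked mechanically against the error_log lines quoted earlier in the thread. This is an added example, not code from the thread or from Atomicorp: it parses Apache 2.4 error_log lines, collects the ModSecurity "Loaded N rules" and "Failed to download" notices, and reports whether httpd reached "resuming normal operations" afterwards. The sample lines are a constructed copy of the ones posted, with the truncated rules URL replaced by a labelled placeholder path.

```python
import re

# Constructed sample, based on the error_log excerpt posted in this thread.
# The rules-channel URL is a PLACEHOLDER; the real path was truncated in the post.
SAMPLE_ERROR_LOG = """\
[Fri Apr 29 21:06:54.673744 2016] [ssl:warn] [pid 23258:tid 139766497531968] AH01909: RSA certificate configured for default-199_193_116_131:443 does NOT include an ID which matches the server name
[Fri Apr 29 21:06:54.674072 2016] [ssl:warn] [pid 23258:tid 139766497531968] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Apr 29 21:06:54.674090 2016] [:notice] [pid 23258:tid 139766497531968] ModSecurity: Loaded 0 rules from: 'https://updates.atomicorp.com/channels/PLACEHOLDER/rules.conf'.
[Fri Apr 29 21:06:54.674092 2016] [:notice] [pid 23258:tid 139766497531968] ModSecurity: Problems loading external resources: Failed to download: "https://updates.atomicorp.com/channels/PLACEHOLDER/rules.conf" error: Couldn't resolve host name.
[Fri Apr 29 21:06:54.684276 2016] [mpm_event:notice] [pid 23258:tid 139766497531968] AH00489: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips Apache mod_fcgid/2.3.9 mod_perl/2.0.9-dev Perl/v5.16.3 configured -- resuming normal operations
[Fri Apr 29 21:06:54.684297 2016] [core:notice] [pid 23258:tid 139766497531968] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
"""

# Apache 2.4 error_log format: [timestamp] [module:level] [pid N:tid M] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] (?P<msg>.*)$"
)
LOADED_RE = re.compile(r"ModSecurity: Loaded (\d+) rules from: '([^']+)'")
FAILED_RE = re.compile(
    r'ModSecurity: Problems loading external resources: Failed to download: "([^"]+)" error: (.*)'
)
RESUMED_RE = re.compile(r"AH00489: .*configured -- resuming normal operations")


def parse_error_log(text):
    """Yield one dict per well-formed error_log line; skip anything unparsable."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def check_rule_loading(text):
    """Summarise what the log says about remote rule loading and httpd start-up."""
    report = {
        "empty_sources": [],      # remote rule files that contributed 0 rules
        "download_failures": [],  # (url, error text) pairs
        "httpd_resumed": False,   # AH00489 seen after the ModSecurity notices
    }
    for entry in parse_error_log(text):
        msg = entry["msg"]
        m = LOADED_RE.search(msg)
        if m and int(m.group(1)) == 0:
            report["empty_sources"].append(m.group(2))
        m = FAILED_RE.search(msg)
        if m:
            report["download_failures"].append((m.group(1), m.group(2).strip()))
        if RESUMED_RE.search(msg):
            report["httpd_resumed"] = True
    # classify the failure so an operator knows where to look first
    errors = " ".join(err.lower() for _, err in report["download_failures"])
    if "resolve" in errors:
        report["cause"] = "dns"          # name resolution failed on the host
    elif report["download_failures"]:
        report["cause"] = "download"     # reachable but the fetch itself failed
    else:
        report["cause"] = "none"
    return report


if __name__ == "__main__":
    rep = check_rule_loading(SAMPLE_ERROR_LOG)
    print("cause:", rep["cause"])
    print("sources with 0 rules:", rep["empty_sources"])
    print("httpd resumed normal operations:", rep["httpd_resumed"])
```

On the posted lines this reports cause "dns", one source that loaded 0 rules, and httpd_resumed True, i.e. the web server finished starting without that rule set, which is consistent with the download failure being a symptom rather than what took the server offline. A DNS failure at the moment a firewall change or outage occurs is exactly the pattern to look for in the firewall's own logs next.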
wmgilligan
Forum User
Posts: 8
Joined: Tue Sep 14, 2010 10:27 am

Re: Plesk 12 log

Unread post by wmgilligan »

Ok thanks.

I am going to contemplate this a few days - and make sure the server is stable.
Then I like your suggestion.

Thanks,
Bill