Symptoms
- The Apache error log for a Plesk domain contains errors similar to the following examples:
  [error][client 203.0.113.2:0] ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3870.jpeg"] [unique_id "ZRpjIgzA4up"], referer: https://example.com/somepath/2
  [error][client 203.0.113.2] ModSecurity: collections_remove_stale: Failed deleting collection (name "SESSION", key "jt69t3bu1l7pelg2i3pl299lrk"): external error (specific information not available) [hostname "example.com"] [uri "/images/slider/3871.jpeg"] [unique_id "ZRploq2J4K-FYldo1QPd-QBBBBA"], referer: https://example.com/somepath/2
  [error][client 203.0.113.2:0] [client 203.0.113.2] ModSecurity: collection_store: Failed to exclusively lock DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3872.jpeg"] [unique_id "ZRpv0K2J4K"], referer: https://example.com/somepath/2
  [error][client 203.0.113.2] ModSecurity: collection_store: Failed to access DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock avoided [hostname "example.com"] [uri "/images/slider/3873.jpeg"] [unique_id "ZRpv0NRWFYU"], referer: https://example.com/somepath/2
- The /var/log/fail2ban.log file contains entries such as the following:
  fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:50:00
  fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
  fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
  fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
  fail2ban.filter [47008]: INFO [plesk-modsecurity] Found 203.0.113.2 - 2023-10-01 20:54:18
  fail2ban.actions [47008]: NOTICE [plesk-modsecurity] Ban 203.0.113.2
- The enabled Fail2Ban jail plesk-modsecurity-jail bans the website visitor's IP address once the Resource deadlock avoided error has been repeated in the site's Apache log as many times as the "Number of failures before the IP address is banned" setting specifies (5 by default).
- Plesk Obsidian running on a RHEL-based operating system
- SELinux is in Enforcing mode
Cause
ModSecurity writes the relevant records for all domains to a single log file. While the file is in use it is locked, so simultaneous log entries are not possible. This limitation of the ModSecurity design comes from using a single instance of logs for all domains instead of separate files for separate domains.
Resolution
- Connect to the server via SSH.
- Navigate to /etc/fail2ban/filter.d/:
  # cd /etc/fail2ban/filter.d/
- Make a backup of the plesk-modsecurity jail configuration file for Fail2Ban with:
  # cp -a plesk-modsecurity.conf plesk-modsecurity.conf-bak
- Edit the jail configuration file and adjust the ignoreregex section by adding the collection_store and collections_remove_stale entries as follows:
  ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s1
                collection_store
                collections_remove_stale
- Save the changes to the file.
- Go to Plesk > Tools & Settings > IP Address Banning (Fail2Ban) > Jails.
- Switch the plesk-modsecurity jail Off.
- Switch the plesk-modsecurity jail On again.
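
The effect of the ignoreregex change can be checked offline with the sketch below, which is an added example and not Plesk's or Fail2Ban's own code. FAILREGEX is an assumed stand-in for the jail's real failregex (not shown in this article), HOST is a simplified form of Fail2Ban's <HOST> tag, and the sample lines are constructed from the log excerpts in Symptoms.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (the real one also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumed failregex: any ModSecurity error-log line with a client IP (not Plesk's actual pattern).
FAILREGEX = r"\[client <HOST>(?::\d+)?\] ModSecurity:"
ORIGINAL_IGNORE = r"^\[.*?\]\s\S*\s<HOST>\s.*\s1"
# fail2ban treats each line of a multi-line ignoreregex value as a separate pattern.
PATCHED_IGNORE = ORIGINAL_IGNORE + "\n    collection_store\n    collections_remove_stale"

def compile_all(value):
    """Split a multi-line option value into patterns and expand the <HOST> tag."""
    return [re.compile(p.strip().replace("<HOST>", HOST))
            for p in value.splitlines() if p.strip()]

def count_failures(lines, ignoreregex):
    """Count failregex hits per host; a line matching any ignoreregex is never counted."""
    ignore = compile_all(ignoreregex)
    fail = compile_all(FAILREGEX)
    hits = Counter()
    for line in lines:
        if any(rx.search(line) for rx in ignore):
            continue
        for rx in fail:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def banned(lines, ignoreregex, maxretry=5):
    """Hosts that reach the failure threshold (5 by default, as in the jail)."""
    return sorted(h for h, n in count_failures(lines, ignoreregex).items() if n >= maxretry)

# Constructed sample: five deadlock errors modelled on the excerpts in Symptoms,
# plus five constructed "Access denied" lines from a different address.
DEADLOCK = ('[error][client 203.0.113.2:0] ModSecurity: collection_store: Failed to access '
            'DBM file "/var/lib/mod_security/apache-default_SESSION": Resource deadlock '
            'avoided [hostname "example.com"] [uri "/images/slider/%d.jpeg"]')
DENIED = ('[error][client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2) '
          '[hostname "example.com"] [uri "/login.php"]')
SAMPLE = [DEADLOCK % n for n in range(3870, 3875)] + [DENIED] * 5

if __name__ == "__main__":
    print("before:", banned(SAMPLE, ORIGINAL_IGNORE))
    print("after: ", banned(SAMPLE, PATCHED_IGNORE))
```

In the .conf file itself, the two added entries must be indented so that they are read as continuation lines of ignoreregex rather than as new options.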