Re: [mod-security-users] Collections_remove_stale: Failed deleting collection

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hello Sophie,

You are touching on an interesting subject or problem depending
on the perspective. 

The pag-Files are rarely discussed in the community and I would
not be surprised if you hit an issue with ModSec. I for one hardly 
ever look at these files as they just seem to work. I have seen the
said error message before, but never paid too much attention
as I did not have that growth problem of the file.

Our apache servers are gracefully restarted once a day. I do not
know if that benefits the pag-files at all. But it might be a 
noteworthy detail.

Sorry for not being able to help you. But I would be curious to
read anything about the topic.

Ahoj,

Christian

On Thu, Aug 20, 2015 at 02:26:14PM +0200, Sophie Loewenthal wrote:
> Hi,
> 
>      I installed some rules for rate limiting was concerned by a message 
> in  modsec_audit.log.
> 
> My question: What does this error message really mean?
> 
> Message: collections_remove_stale: Failed deleting collection (name 
> "ip", key "213.56.235.241_ef6e1e02a3981d38a7faf3db672aa4a4bf7cb53c"): 
> Internal error
> 
> Some additional notes
> I thought this may be related to /var/lib/mod_security/ip.pag or 
> user.pag. So, I installed modsec-sdbm-util to see if this dB needed 
> shrinking periodically, was fragmented or should be emptied ( e.g > 
> ip.pag ) and still saw the messages.
> 
>   # modsec-sdbm-util -s ip.pag
> Opening file: ip.pag
> Database ready to be used.
>   [\] 720 records so far.
> Total of 726 elements processed.
> 0 elements removed.
> Expired elements: 6, inconsistent items: 0
> Fragmentation rate: 0.83% of the database is/was dirty data.
> 
>   # modsec-sdbm-util -s user.pag
> Opening file: user.pag
> Database ready to be used.
>   [-] 790 records so far.
> Total of 799 elements processed.
> 0 elements removed.
> Expired elements: 12, inconsistent items: 0
> Fragmentation rate: 1.50% of the database is/was dirty data.
> 
> 
> Some version information
> 
> mod_security-2.7.3-2.el6.x86_64
> modsec-sdbm-util v1.0
> 
> Activated rules,
> /etc/https/conf.d/mod_security.conf
> /etc/httpd/modsecurity.d/modsec_sophie.conf
> /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
> 
> # cat /etc/httpd/modsecurity.d/modsec_sophie.conf
>    SecAction 
> initcol:ip=%{REMOTE_ADDR},pass,nolog,id:10000001,msg:Sophie_10000001
>    SecAction 
> "phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog,id:10000002,msg:Sophie_10000002"
>    SecRule IP:SOMEPATHCOUNTER "@gt 60" 
> "phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog,id:10000003,msg:Sophie_10000003"
>    SecAction 
> "phase:2,pass,setvar:ip.somepathcounter=+1,nolog,id:10000004,msg:Sophie_10000004"
>    Header always set Retry-After "10" env=RATELIMITED
> ErrorDocument 509 "Rate Limit Exceeded"
> 
> 
> 
> Kind regards,
> Sophie
> 
> -- 
> Sophie Loewenthal
> System Engineer ITOPS / Trimble Transport & Logistics
> GSM:+32.471.900703
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

-- 
Christian Folini
Ringstrasse 2
CH-3639 Kiesen
+41 (0)31 301 60 71 (H)
+41 (0)79 220 23 76 (M)
mailto:chr...@ne... (Business)
mailto:chr...@ti... (Private)
http://www.christian-folini.ch