Many web servers now use ModSecurity Web Application Firewall to block brute force attacks, spam campaigns, malware infections, and more.

But what if ModSecurity fails?

Today we’ll see how the error “ModSecurity failed to access DBM file” causes ModSecurity to crash and how our support engineers here at Server Management Services help web hosts, digital agencies, and other online service providers quickly detect and fix this error.

ModSecurity failed to access DBM file!

ModSecurity rules especially those involve tracking user IP addresses use the ip.pag and ip.dir located at “/var/cpanel/secdatadir/ ” to store the collected data. At times, due to permission errors, file corruption, etc., these files will be inaccessible to the mod_security program, and it fails to filter web traffic.

That causes the error:

ModSecurity: Failed to access DBM file

In reality, end users may not identify the change easily. The only symptom that the web hosts experience is relatively higher resource usage. This may be due to higher rate of brute force attacks as ModSecurity stopped processing the rules to block IP addresses attempting for the attack.

Now, we’ll see the common causes for this error, and how to fix them.

Common Scenarios

A variety of reasons can cause ModSecurity to stop working. Certainly the key part of resolving it is to find the exact error that made ModSecurity to halt. An analysis of the apache error log will definitely help to generate a clear idea of the error message.

For example, in the situation above, it is permission denied error to the file ‘”/var/cpanel/secdatadir/xxxxxxx-ip fille.

Scenario 1: Invalid argument

A sample error log for scenario issue looks as below:

Message: collection_store: Failed to write to DBM file "/var/cache/modsecurity/ip": Invalid argument 

This error is commonly related to the WAF/ web application firewall. Web application firewall filter, monitor, and block the traffic to/from a web application.

Recently, we saw such an issue where a recent update of the WAF corrupted the “/var/cache/modsecurity/ip.pag“. The solution here was of course to upgrade the WAF to a stable version and reset the “/var/cache/modsecurity/ip.pag” file.

Scenario 2: Permission denied

The most common form of the “ModSecurity failed to access DBM file” is the permission denied error.  As per cPanel’s official forums, there is a confirmed incompatibility for the Modsec module used by mod security to run with mod_ruid2.

Since it makes the apache process runs as the user and not as nobody, while running apache under mod_ruid2, apache cannot access the ip.pag and ip.dir files located in /var/cpanel/secdatadir/. Though some popular fix available online suggest changing the file permission of the “/var/cpanel/secdatadir/” to 777, it is not recommended. Besides this permission makes the file open to the world and easy to crack for a hacker.

Comparatively, switching to a combination of event and mod_suexec Multi-Processing Module is a safer solution. One can simply enable the Event MPM and disable the Worker MPM in the EA4 build profile. Once you start the next build, the EasyApache 4 update process will automatically take care of the installation.

[Need help to fix ModSecurity failed to access DBM file error? We are available 24×7]

Conclusion

In short, a variety of reasons can cause the ModSecurity failed to access DBM file error. Today we discussed the common reasons for this error and how our Support Engineers fix them.