Author Topic: mod_security 403 forbidden  (Read 21140 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
mod_security 403 forbidden
« on: June 24, 2019, 03:10:32 PM »
recently i started getting these errors from mod-security : 403 Forbidden  You don't have permission to access /index.php on this server.

also if i go to : security/mod-security under Info i hit test i also get this 403 error.
i looked at the error log ,and tried to add the error id in: accounts/(server or specific website)/edit rules/Add ID Rule, but it didn't fix it.
i have tried to fix the permissions + restarted apache,  it didnt help, only disabling mod-security worked , any suggestions please on how to resolve this problem.


Offline
*
Re: mod_security 403 forbidden
« Reply #1 on: June 24, 2019, 06:30:16 PM »
I have the same problem. The mod security has a critical issue today. It break wordpress. All wordpress wp-admin folder became mal-function with forbidden 403 error. No permission to upload media, delete plugins, change users password, etc... Please fix. The security mod currently using is from comodo awf

Offline
*
Re: mod_security 403 forbidden
« Reply #2 on: June 24, 2019, 06:48:54 PM »
can you please check the log in this folders
Code: [Select]
/usr/local/apache/domlogs/
/usr/local/apache/logs/

Offline
*
Re: mod_security 403 forbidden
« Reply #3 on: June 24, 2019, 07:05:30 PM »
[Mon Jun 24 13:52:39.174547 2019] [:error] [pid 375:tid 140326513637120] [client 2601:2c0:4480:f71:6c71:da74:f288:9f4a:50436] [client 2601:2c0:4480:f71:6c71:da74:f288:9f4a] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:'\\\\xbf?\\\\x22|\\\\x22\\\\xbf?'|^\\\\+?$)" at ARGS_POST:aio_special_field. [file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "199"] [id "211290"] [rev "3"] [msg "COMODO WAF: XSS and SQLi vulnerability||baovn.news|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "baovn.news"] [uri "/login_xxx/"] [unique_id "XREb96tkxHFC-udTriUrbwAAAMo"], referer: https://baovn.news/login_xxx

Which is false positive. Actually, this is an enhance security feature from a wordpress security plugin. This plugin change the default wordpress login path abc.com/wp-login.php --> abc.com/yourlogin.

Offline
*
Re: mod_security 403 forbidden
« Reply #4 on: June 24, 2019, 07:38:25 PM »
can you please check the log in this folders
Code: [Select]
/usr/local/apache/domlogs/
/usr/local/apache/logs/

in my case i'm using joomla, and users cant access the sites, i cant delete the cache but i can login to the admin area , i have rebuilt apache but nothing happened.
i found many error messages with my ip :

[Mon Jun 24 17:14:29.827767 2019] [:error] [pid 17142:tid 139990130439936] [client xx.xxx.xx.xx:37134] [client xx.xxx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:t(?:able_name\\\\b|extpos[^a-zA-Z0-9_]{1,}\\\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS_NAMES:SELECT * FROM mysql.users. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "12"] [msg "COMODO WAF: Blind SQL Injection Attack||xx.xxx.xx.xx|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within ARGS_NAMES:SELECT * FROM mysql.users: SELECT * FROM mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "xx.xxx.xx.xx"] [uri "/index.php"] [unique_id "XRDo1aUNeTYAGI-gaMqN7wAAABM"]

Offline
*
Re: mod_security 403 forbidden
« Reply #5 on: June 25, 2019, 09:09:29 AM »
issue fixed ,i went through the error logs, collected the errors by id , added them to each & every account, for now that seems to be working.

Offline
*
Re: mod_security 403 forbidden
« Reply #6 on: June 25, 2019, 02:42:15 PM »
The rule 211290 if breaking many websites, how to stop it?

Offline
*
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Offline
*
Re: mod_security 403 forbidden
« Reply #8 on: June 26, 2019, 03:59:51 PM »
Correct, added the rule 211290 and website backed to normal. Thank you

Offline
*
Re: mod_security 403 forbidden
« Reply #9 on: June 26, 2019, 09:08:53 PM »
im sorry for the late answer

you have to check this
[client ##########]
this should be your IP ( if not its someone trying or tries to attack your site )


 [id "211290"]
this is should be in mod security, in disable rules
and should be like this
SecRuleRemoveById 211290

and it's not over some times it appears (id) one after one



this is my collection for my own server ( you should make your own rules because we are using different scripts )
but if you are a lazy main is here LOL





## Rules for the CWP ##
SecRuleRemoveById 960017
SecRuleRemoveById 960015
SecRuleRemoveById 960009
########################################
## Removed Rules for Joomla, WordPress and Drupal CMSs ##
########################################
## Joomla ##
SecRuleRemoveById 960024
SecRuleRemoveById 950120
SecRuleRemoveById 981173
SecRuleRemoveById 950901
SecRuleRemoveById 981257
SecRuleRemoveById 981245
SecRuleRemoveById 973338
SecRuleRemoveById 973300
SecRuleRemoveById 973304
SecRuleRemoveById 973333
SecRuleRemoveById 973333
## Wordpress ##
SecRuleRemoveById 981242
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 959073
SecRuleRemoveById 958030
## Drupal ##
SecRuleRemoveById 981231
## Removed rules for the webftp_simple ##
SecRuleRemoveById 950922
SecRuleRemoveById 981000
SecRuleRemoveById 950109
## phpMyAdmin ##
SecRuleRemoveById 981205
SecRuleRemoveById 970901
SecRuleRemoveById 960904
SecRuleRemoveById 960915
SecRuleRemoveById 981318
SecRuleRemoveById 981320
SecRuleRemoveById 981240
## Rules for the CWP ##
SecRuleRemoveById 960017
SecRuleRemoveById 960015
SecRuleRemoveById 960009
SecRuleRemoveById 950007
SecRuleRemoveById 910006
SecRuleRemoveById 950000
SecRuleRemoveById 950001
SecRuleRemoveById 950005
SecRuleRemoveById 950006
SecRuleRemoveById 950117
SecRuleRemoveById 950907
SecRuleRemoveById 958039
SecRuleRemoveById 958051
SecRuleRemoveById 958291
SecRuleRemoveById 959006
SecRuleRemoveById 959151
SecRuleRemoveById 960008
SecRuleRemoveById 960010
SecRuleRemoveById 960011
SecRuleRemoveById 960012
SecRuleRemoveById 960035
SecRuleRemoveById 960335
SecRuleRemoveById 960904
SecRuleRemoveById 960915
SecRuleRemoveById 970003
SecRuleRemoveById 970015
SecRuleRemoveById 970903
SecRuleRemoveById 973301
SecRuleRemoveById 973302
SecRuleRemoveById 973306
SecRuleRemoveById 973316
SecRuleRemoveById 973330
SecRuleRemoveById 973331
SecRuleRemoveById 973332
SecRuleRemoveById 973334
SecRuleRemoveById 973335
SecRuleRemoveById 973336
SecRuleRemoveById 973344
SecRuleRemoveById 973347
SecRuleRemoveById 981172
SecRuleRemoveById 981248
SecRuleRemoveById 981255
SecRuleRemoveById 981256
SecRuleRemoveById 981317
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61

########################################
## Removed Rules for Joomla, WordPress and Drupal CMSs ##
########################################
## Joomla ##
SecRuleRemoveById 960024
SecRuleRemoveById 950120
SecRuleRemoveById 981173
SecRuleRemoveById 950901
SecRuleRemoveById 981257
SecRuleRemoveById 981245
SecRuleRemoveById 973338
SecRuleRemoveById 973300
SecRuleRemoveById 973304
SecRuleRemoveById 973333
SecRuleRemoveById 973333
SecRuleRemoveById 981242
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 959073
SecRuleRemoveById 958030
SecRuleRemoveById 950103
SecRuleRemoveById 958018
SecRuleRemoveById 960000
SecRuleRemoveById 960006
SecRuleRemoveById 973305
SecRuleRemoveById 973308
SecRuleRemoveById 973337
SecRuleRemoveById 973346
SecRuleRemoveById 981004
SecRuleRemoveById 981240
SecRuleRemoveById 981249
SecRuleRemoveById 981260
SecRuleRemoveById 981319
SecRuleRemoveById 981320
SecRuleRemoveById 959070
SecRuleRemoveById 981231
SecRuleRemoveById 950922
SecRuleRemoveById 981000
SecRuleRemoveById 950109
SecRuleRemoveById 981205
SecRuleRemoveById 970901
SecRuleRemoveById 950109
SecRuleRemoveById 950922
SecRuleRemoveById 981000
SecRuleRemoveById 960032
SecRuleRemoveById 958407
SecRuleRemoveById 950911
SecRuleRemoveById 950911
SecRuleRemoveById 981244
SecRuleRemoveById 958407
SecRuleRemoveById 950002
SecRuleRemoveById 960038
SecRuleRemoveById 981001
SecRuleRemoveById 958057
SecRuleRemoveById 959072
SecRuleRemoveById 981277
SecRuleRemoveById 981241
SecRuleRemoveById 981318
SecRuleRemoveById 958056
SecRuleRemoveById 950108
SecRuleRemoveById 959071
SecRuleRemoveById 960020
SecRuleRemoveById 960911
SecRuleRemoveById 981250
SecRuleRemoveById 958049
SecRuleRemoveById 990012
SecRuleRemoveById 958976
SecRuleRemoveById 981227
SecRuleRemoveById 981253
SecRuleRemoveById 958422
SecRuleRemoveById 958011
SecRuleRemoveById 958006
SecRuleRemoveById 958406
SecRuleRemoveById 950107
SecRuleRemoveById 973322
SecRuleRemoveById 973321
SecRuleRemoveById 973314
SecRuleRemoveById 973348
SecRuleRemoveById 973329
SecRuleRemoveById 973310
SecRuleRemoveById 958405
SecRuleRemoveById 958409
SecRuleRemoveById 973303
SecRuleRemoveById 973315






Regards
 
« Last Edit: June 26, 2019, 09:14:22 PM by Mighty Dr.Wolf »