• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Please be aware: Kaspersky Anti-Virus has been deprecated and is no longer available for installation on the current Plesk release (18.0.63).
    Starting from Plesk Obsidian 18.0.64, the extension will be automatically removed from the servers it is installed on. For details and recommended actions, see the Feature and Deprecation Plan and the deprecation FAQ.

Question ModSecurity "Access denied with code 403"

C

Colonel36

New Pleskian
Server operating system version
Ubuntu 20.04
Plesk version and microupdate number
Plesk Obsidian18.0.57
Hello, @Colonel36. We are sorry to see your question was not addressed earlier. Does that issue occur for a particular domain name or it is global for the server? Did you exclude the rules server-wide or for the given domain name only? If it on a domain-basis my guess would be that there are too many rules conflicting with the website code and some of them might not be added.
 
Could you please provide a log excerpt of the 403 error where it states the rule ID? Please also show which IDs were excluded.
 
Hi, and thanks for getting back.
Here is the log excerpt:
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 144.217.240.177] ModSecurity: Access denied with code 403 (phase 2). Match of "rbl nxdomain.v2.rbl.imunify.com." against "TX:rbl_ip" required. [file "/etc/apache2/modsecurity.d/rules/custom/013_i360_infectors.conf"] [line "636"] [id "77316861"] [msg "IM360 WAF: Block IP which is in the infectors RBL||MVN:TX:rbl_ip||MV:02-41.144.217.240.177||T:APACHE||"] [severity "CRITICAL"] [tag "service_i360custom"] [hostname "77.68.120.152"] [uri "/hello.world"] [unique_id "ZsFfQM5oLquRevRcmHhSpwAAAEg"]
Action: Intercepted (phase 2)
Stopwatch: 1723948864519548 46153 (- - -)
Stopwatch2: 1723948864519548 46153; combined=43168, p1=89, p2=42774, p3=0, p4=0, p5=305, sr=34, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
and the codes
33303
33329
77316861

Many thanks
 
Where did you disabled these rules?

Your using the Imunify360 ModSecurity ruleset. If I am not mistaken those rules are to be disabled in the Imunify360 extension itself, not in Plesk. (But I might be mistaken. It's been a while since I've used Imunify360).
 
I'm was using the rules in Web Application Firewall.
I have now changed the Rule Set to Comodo but the log error is still there?
Thanks for the support
 
Strange. Is the Imunify360 extension still installed and do you use it? If so, and you don't need Imunify360, you can try to uninstall it. However if you do like to use Imunify360, but just not the WAF I recommend opening a support ticket with Imunify to get help on achieving that.
 
Many thanks for getting back in touch.
I've tried to uninstall the Immunify, but it is still there and won't budge!?
 
You must log in or register to reply here.

Similar threads

F
Issue SQLmap attack detected (ID: 218500) on blank page
Replies
3
Views
506
Bitpalast
Bitpalast
K
Question modsecurity
Replies
2
Views
338
Knutsford
K
A
Question Some security questions
Replies
2
Views
566
amba1980
A
R
Issue Problem with web application firewall - file extension is restricted by policy
Replies
3
Views
1K
Linulex
Linulex
N
Resolved ModSecurity / WCF call / 403
Replies
2
Views
1K
newbe
N
Back
Top