Question ModSecurity "Access denied with code 403"

[Colonel36]

Server operating system version

Ubuntu 20.04

Plesk version and microupdate number

Plesk Obsidian18.0.57

Hi.
I keep getting this error:
ModSecurity "Access denied with code 403"
I have followed instructions to add [ID: numbers] to web application mod security and added security rules to the switch off security rules. I got these from the log and from: https://support.plesk.com/hc/en-us/...plication-Firewall-ModSecurity-rules-in-Plesk
But the error is still there?

Any help would greatly be appreciated.

 

[Colonel36]

Apologies for asking again for help with this query.
Thanks

 

[Sebahat.hadzhi]

Hello, @Colonel36. We are sorry to see your question was not addressed earlier. Does that issue occur for a particular domain name or it is global for the server? Did you exclude the rules server-wide or for the given domain name only? If it on a domain-basis my guess would be that there are too many rules conflicting with the website code and some of them might not be added.

 

[Colonel36]

Hi and thanks for the reply, Sebahat.
The issue occurs with a domain. I excluded for the domain.

 

[Bitpalast]

Could you please provide a log excerpt of the 403 error where it states the rule ID? Please also show which IDs were excluded.

 

[Colonel36]

Hi, and thanks for getting back.
Here is the log excerpt:
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 144.217.240.177] ModSecurity: Access denied with code 403 (phase 2). Match of "rbl nxdomain.v2.rbl.imunify.com." against "TX:rbl_ip" required. [file "/etc/apache2/modsecurity.d/rules/custom/013_i360_infectors.conf"] [line "636"] [id "77316861"] [msg "IM360 WAF: Block IP which is in the infectors RBL||MVN:TX:rbl_ip||MV:02-41.144.217.240.177||T:APACHE||"] [severity "CRITICAL"] [tag "service_i360custom"] [hostname "77.68.120.152"] [uri "/hello.world"] [unique_id "ZsFfQM5oLquRevRcmHhSpwAAAEg"]
Action: Intercepted (phase 2)
Stopwatch: 1723948864519548 46153 (- - -)
Stopwatch2: 1723948864519548 46153; combined=43168, p1=89, p2=42774, p3=0, p4=0, p5=305, sr=34, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
and the codes
33303
33329
77316861

Many thanks

 

[Kaspar]

Where did you disabled these rules?

Your using the Imunify360 ModSecurity ruleset. If I am not mistaken those rules are to be disabled in the Imunify360 extension itself, not in Plesk. (But I might be mistaken. It's been a while since I've used Imunify360).

 

[Colonel36]

I'm was using the rules in Web Application Firewall.
I have now changed the Rule Set to Comodo but the log error is still there?
Thanks for the support

 

[Kaspar]

I'm was using the rules in Web Application Firewall.
I have now changed the Rule Set to Comodo but the log error is still there?
Thanks for the support

The exact same errors with the IM360 WAF identifier shown in it?

 

[Colonel36]

Hi.
Yes, I get the same error with IM360WAF
Many thanks

 

[Kaspar]

Strange. Is the Imunify360 extension still installed and do you use it? If so, and you don't need Imunify360, you can try to uninstall it. However if you do like to use Imunify360, but just not the WAF I recommend opening a support ticket with Imunify to get help on achieving that.

 

[Colonel36]

Many thanks for getting back in touch.
I've tried to uninstall the Immunify, but it is still there and won't budge!?