• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question ModSecurity "Access denied with code 403"

Colonel36

New Pleskian
Server operating system version
Ubuntu 20.04
Plesk version and microupdate number
Plesk Obsidian18.0.57
Hello, @Colonel36. We are sorry to see your question was not addressed earlier. Does that issue occur for a particular domain name or it is global for the server? Did you exclude the rules server-wide or for the given domain name only? If it on a domain-basis my guess would be that there are too many rules conflicting with the website code and some of them might not be added.
 
Could you please provide a log excerpt of the 403 error where it states the rule ID? Please also show which IDs were excluded.
 
Hi, and thanks for getting back.
Here is the log excerpt:
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 144.217.240.177] ModSecurity: Access denied with code 403 (phase 2). Match of "rbl nxdomain.v2.rbl.imunify.com." against "TX:rbl_ip" required. [file "/etc/apache2/modsecurity.d/rules/custom/013_i360_infectors.conf"] [line "636"] [id "77316861"] [msg "IM360 WAF: Block IP which is in the infectors RBL||MVN:TX:rbl_ip||MV:02-41.144.217.240.177||T:APACHE||"] [severity "CRITICAL"] [tag "service_i360custom"] [hostname "77.68.120.152"] [uri "/hello.world"] [unique_id "ZsFfQM5oLquRevRcmHhSpwAAAEg"]
Action: Intercepted (phase 2)
Stopwatch: 1723948864519548 46153 (- - -)
Stopwatch2: 1723948864519548 46153; combined=43168, p1=89, p2=42774, p3=0, p4=0, p5=305, sr=34, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
and the codes
33303
33329
77316861

Many thanks
 
Where did you disabled these rules?

Your using the Imunify360 ModSecurity ruleset. If I am not mistaken those rules are to be disabled in the Imunify360 extension itself, not in Plesk. (But I might be mistaken. It's been a while since I've used Imunify360).
 
I'm was using the rules in Web Application Firewall.
I have now changed the Rule Set to Comodo but the log error is still there?
Thanks for the support
 
Strange. Is the Imunify360 extension still installed and do you use it? If so, and you don't need Imunify360, you can try to uninstall it. However if you do like to use Imunify360, but just not the WAF I recommend opening a support ticket with Imunify to get help on achieving that.
 
Many thanks for getting back in touch.
I've tried to uninstall the Immunify, but it is still there and won't budge!?
 
Back
Top