CyberPanel Community

Can't Manage website after enabling Modsecurity

20 replies
josephgodwinke #2

Hello @RitZz

  1. Have you diagnosed the issue on the client side first?
  2. Did you add any ModSec rules at https://SERVER_URL:8090/firewall/modSecRules?
  3. Set SecDebugLogLevel to 9, restart LSWS, visit the said link and post the contents of the server's error log.
Rituraj #3

Mod sec rules


server error log

josephgodwinke #4
  1. Run the command touch /usr/local/CyberCP/debug && reboot, reissue the SSL for the hostname and post the contents of /home/cyberpanel/error-logs.txt (nano /home/cyberpanel/error-logs.txt).
Rituraj #5

josephgodwinke #6

Let's start from the beginning: the error is a 403 Forbidden error after you enabled ModSecurity.

  1. Check if you are using a VPN; if so, disable it.
  2. Clear the browser cache.
  3. Disable ModSecurity to see if the problem goes away. If it does, we need to find out which rule file is conflicting and then turn off that specific rule file.
  4. In extreme cases check your server AV for possible infections (last resort if all else fails).
Rituraj #7
  1. Tried with VPN as well as without. No difference.
  2. Cleared browser cache, incognito mode, different browser. No luck.
  3. Disabling ModSecurity makes the problem go away. That's how I am using the server right now.
  4. Imunify360 says no infections detected.
Rituraj #9

Removed them all completely. Added them from a different CyberPanel thread.

These rules were there by default and the problem still persists.

Rituraj #11

Doesn't help. 403 Forbidden.

Rituraj #13

Not sure how to do that. In the control panel it only gives a button to access Imunify360.

josephgodwinke #14

Run systemctl stop imunify-antivirus or, on RHEL-based systems, service imunify-antivirus stop

Rituraj #15

Imunify stopped. Still 403.

josephys #16

You receive a 403 Forbidden error because ModSecurity is protecting you when the inbound anomaly score exceeds the threshold.

In your LOG file (/usr/local/lsws/logs/error.log) you will see:

...[INFO] ...HTTP2-1#dashboard.domain.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `... against variable `TX:EXTENSION' (Value: `.com/' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".com"] ... [hostname "dashboard.domain.com"] [uri "/websites/domain.com"]...
...[INFO] ...HTTP2-1#dashboard.domain.com] [Module:mod_security]Intervention status code triggered: 403
...[INFO] ...HTTP2-1#dashboard.domain.com] [Module:mod_security]Log Message: [client 223.73.114.21] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] ...[tag "attack-generic"] [hostname "dashboard.domain.com"] [uri "/websites/domain.com"]...

To solve this, you need to override the ModSecurity Rules activated in the OWASP package:

Go to CyberPanel > Security > ModSecurity Rules and add on the next line:

# Own id (920440 is already taken by the CRS rule, and duplicate ids fail to load), REQUEST_URI (REQUEST_BASENAME is only the last path component, so a "/" prefix never matches), phase-1 removal of just rule 920440 instead of "allow"
SecRule REQUEST_URI "@beginsWith /websites" "id:10000,phase:1,nolog,pass,ctl:ruleRemoveById=920440"

Save the rule and you will be allowed to manage your websites.

Yes, this should be something CyberPanel can add automatically after adding the OWASP rule pack.

Have a happy management.
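The log lines quoted in this post show the two halves of the CRS mechanism: rule 920440 fires as a Warning with severity 2 (CRITICAL, which adds 5 points under the default CRS scoring), and rule 949110 in REQUEST-949-BLOCKING-EVALUATION.conf compares the accumulated TX:ANOMALY_SCORE with the inbound threshold (5 by default), so a single critical match is enough to return the 403. The script below is an added example, not code from this thread or from CyberPanel: it parses entries in the error.log format quoted above, groups them per request by unique_id (falling back to the uri for builds whose log omits it), separates the rules that added score from the blocking rule, and prints a narrow ctl:ruleRemoveById exclusion scoped to the first path segment. The sample log, the hostname, the client IP and the unique_id are constructed placeholders; starting local ids at 10000 is an assumed choice from the 1-99999 range the CRS leaves free for local rules.

```python
"""Triage ModSecurity/CRS denials from the LiteSpeed error.log format quoted in this thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 949110 is the CRS blocking-evaluation rule: it detects nothing itself, it only
# compares TX:ANOMALY_SCORE with the inbound threshold and returns the 403.
CRS_BLOCKING_RULE = "949110"
LOCAL_ID_START = 10000  # assumption: 1-99999 is the id range CRS leaves free for local rules

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # the [key "value"] trailer of each entry
SCORE_RE = re.compile(r"Total Score: (\d+)")

# Constructed sample modelled on the error.log excerpts in this thread; host, client IP
# and unique_id are placeholders, not data from a real server.
SAMPLE_LOG = """\
2023-11-27 10:10:46.500 [INFO] [HTTP2-1#dashboard.example.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Within' with parameter `.asa/ .asax/ .com/ .conf/' against variable `TX:EXTENSION' (Value: `.com/' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "2"] [hostname "dashboard.example.com"] [uri "/websites/example.com"] [unique_id "170106424650.002166"]
2023-11-27 10:10:46.501 [INFO] [HTTP2-1#dashboard.example.com] [Module:mod_security]Intervention status code triggered: 403
2023-11-27 10:10:46.501 [INFO] [HTTP2-1#dashboard.example.com] [Module:mod_security]Log Message: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [hostname "dashboard.example.com"] [uri "/websites/example.com"] [unique_id "170106424650.002166"]
"""


@dataclass
class Decision:
    key: str        # unique_id of the request, or its uri when the log omits unique_id
    uri: str
    hostname: str
    blocked: bool = False
    total_score: Optional[int] = None
    triggered: List[Tuple[str, str]] = field(default_factory=list)  # (rule id, msg) that added score


def parse_fields(line: str) -> Dict[str, str]:
    """Return the [key "value"] pairs ModSecurity appends to a log entry."""
    return dict(FIELD_RE.findall(line))


def triage(log_text: str) -> Dict[str, Decision]:
    """Group mod_security entries per request and split scoring rules from the blocking rule."""
    decisions: Dict[str, Decision] = {}
    for line in log_text.splitlines():
        if "[Module:mod_security]" not in line:
            continue
        fields = parse_fields(line)
        rule_id = fields.get("id")
        if not rule_id:
            continue  # "Intervention status code triggered: 403" carries no rule fields
        uri = fields.get("uri", "")
        key = fields.get("unique_id") or uri
        dec = decisions.setdefault(key, Decision(key, uri, fields.get("hostname", "")))
        msg = fields.get("msg", "")
        if rule_id == CRS_BLOCKING_RULE:
            dec.blocked = dec.blocked or "Access denied" in line
            m = SCORE_RE.search(msg)
            if m:
                dec.total_score = int(m.group(1))
        elif (rule_id, msg) not in dec.triggered:
            dec.triggered.append((rule_id, msg))
    return decisions


def suggest_exclusions(dec: Decision, first_id: int = LOCAL_ID_START) -> List[str]:
    """Emit one ctl:ruleRemoveById rule per scoring rule, scoped to the first path segment.

    Removing a single rule id for one path keeps the rest of the CRS active, unlike
    "allow", which would skip every remaining rule for matching requests.
    """
    segments = [s for s in dec.uri.split("/") if s]
    prefix = "/" + segments[0] + "/" if segments else "/"
    return [
        f'SecRule REQUEST_URI "@beginsWith {prefix}" '
        f'"id:{first_id + n},phase:1,nolog,pass,ctl:ruleRemoveById={rule_id}"'
        for n, (rule_id, _msg) in enumerate(dec.triggered)
    ]


if __name__ == "__main__":
    for dec in triage(SAMPLE_LOG).values():
        status = f"blocked (score {dec.total_score})" if dec.blocked else "logged only"
        print(f"{dec.hostname}{dec.uri}: {status}")
        for rule_id, msg in dec.triggered:
            print(f"  {rule_id}: {msg}")
        for rule in suggest_exclusions(dec):
            print(f"  -> {rule}")
```

Run it against a real /usr/local/lsws/logs/error.log by reading the file into triage(); every request that reaches 949110 with "Access denied" is listed together with the rule ids that produced its score, which is the information needed to decide whether a rule should be excluded for a path or left in place.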

Trung #17

I added this line but it still doesn’t work.

SecRule REQUEST_BASENAME “@beginsWith /websites” “id:920440, phase:2,allow”

Eros Bruno #19

Hi, I recommend you use these two.

SecRule REQUEST_URI "@beginsWith /websites/" "id:10000,phase:1,nolog,pass,ctl:ruleRemoveById=920440"

SecRule REQUEST_URI "@beginsWith /filemanager/" "id:10001,phase:1,nolog,pass,ctl:ruleRemoveById=920440"
Trung #20

Still can't. Below are the error details recorded in my log:

[Module:mod_security] ModSecurity: Warning. Matched "Operator `Within' with parameter `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .ln (150 characters omitted)' against variable `TX:EXTENSION' (Value: `.com/' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "subdomain.vn-t.com"] [uri "/websites/vn-t.com"] [unique_id "170106424650.002166"] [ref "o4,4o5,3v14,8o71,5t:urlDecodeUni,t:lowercase"]
[Module:mod_security]Intervention status code triggered: 403
[Module:mod_security]Log Message: [client id] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "subdomain.vn-t.com"] [uri "/websites/vn-t.com"] [unique_id "170106424650.002166"] [ref ""]

Help me. Thank you!

Eros Bruno #21

There is a syntax error, post the entire contents of your ModSecurity rules here.

Trung #22

Here you are:

SecRule ARGS “../” “t:normalisePathWin,id:99999,severity:4,msg:‘Drive Access’ ,log,auditlog,deny”,
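The syntax error Eros Bruno is pointing at can be checked mechanically before a rule is saved. The script below is an added example, not CyberPanel's code and not from anyone in this thread: a small linter for the text pasted into Security > ModSecurity Rules that flags the defects visible above, namely typographic quotes (a web form or forum substitutes them for ASCII quotes, and ModSecurity's config parser does not treat them as quotes, so the whole line fails to load), a trailing comma after the closing quote, a rule id inside the OWASP CRS range (which collides with the CRS rule of that id and prevents the rule set from loading), an id reused on two lines, and REQUEST_BASENAME combined with a path prefix, which can never match. The sample rules are constructed to mirror the ones posted in this thread.

```python
"""Lint the custom rules pasted into CyberPanel's Security > ModSecurity Rules box."""
import re
from typing import Dict, List, Optional

# Typographic quotes that a web form or forum substitutes for ASCII quotes; ModSecurity's
# config parser does not treat them as quotes, so the whole rule becomes a syntax error.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
CRS_ID_MIN = 900000  # OWASP CRS 3.x rule ids start here; 1-99999 are left free for local rules

SECRULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"([^"]*)"\s+"([^"]*)"$')
ID_RE = re.compile(r"(?<![\w-])id:(\d+)")  # matches id:NNN but not ctl:ruleRemoveById=NNN

# Constructed sample mirroring the rules posted in this thread (two broken, two good).
SAMPLE_RULES = (
    "# custom rules\n"
    "SecRule REQUEST_BASENAME \u201c@beginsWith /websites\u201d \u201cid:920440, phase:2,allow\u201d\n"
    'SecRule REQUEST_URI "@beginsWith /websites/" "id:10000,phase:1,nolog,pass,ctl:ruleRemoveById=920440"\n'
    'SecRule REQUEST_URI "@beginsWith /filemanager/" "id:10001,phase:1,nolog,pass,ctl:ruleRemoveById=920440"\n'
    "SecRule ARGS \u201c../\u201d \u201ct:normalisePathWin,id:99999,severity:4,msg:\u2018Drive Access\u2019 ,log,auditlog,deny\u201d,\n"
)


def normalise(line: str) -> str:
    """Replace typographic quotes with ASCII ones and trim whitespace."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in line).strip()


def rule_id(line: str) -> Optional[int]:
    """The id: action of a rule line, if any."""
    m = ID_RE.search(normalise(line))
    return int(m.group(1)) if m else None


def lint_rule(line: str) -> List[str]:
    """Findings for one line; an empty list means the line looks loadable."""
    findings: List[str] = []
    raw = line.strip()
    if not raw or raw.startswith("#"):
        return findings
    if any(ch in raw for ch in SMART_QUOTES):
        findings.append("typographic quotes instead of ASCII \" and '; ModSecurity will reject the line")
    text = normalise(raw)
    if text.endswith(","):
        findings.append("trailing comma after the closing quote")
        text = text.rstrip(",").rstrip()
    m = SECRULE_RE.match(text)
    if not m:
        findings.append('does not parse as SecRule VARIABLES "OPERATOR" "ACTIONS"')
        return findings
    variables, operator, actions = m.groups()
    rid = ID_RE.search(actions)
    if rid is None:
        findings.append("missing id: action")
    elif int(rid.group(1)) >= CRS_ID_MIN:
        findings.append(f"id {rid.group(1)} lies in the OWASP CRS range and collides with the CRS rule of that id")
    if variables == "REQUEST_BASENAME" and operator.startswith("@beginsWith /"):
        findings.append("REQUEST_BASENAME is only the last path component; a '/...' prefix never matches, use REQUEST_URI")
    return findings


def lint_rules(text: str) -> Dict[int, List[str]]:
    """Findings per 1-based line number, including ids reused across lines."""
    report: Dict[int, List[str]] = {}
    seen: Dict[int, int] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings = lint_rule(line)
        rid = rule_id(line)
        if rid is not None and not line.strip().startswith("#"):
            if rid in seen:
                findings.append(f"id {rid} already used on line {seen[rid]}")
            else:
                seen[rid] = lineno
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in sorted(lint_rules(SAMPLE_RULES).items()):
        for f in findings:
            print(f"line {lineno}: {f}")
```

Paste the contents of the rules box into lint_rules() before saving; a rule that produces no findings is not guaranteed to do what you want, but one that does produce findings will either be refused by ModSecurity at restart or silently never match, which is exactly the situation in this thread.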
