hello,
I’m getting on other server this error from an API when attempting to connect to my site
403 Forbidden
403
Forbidden
Access to this resource on the server is denied!
Proudly powered by LiteSpeed Web Server
Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control ove>
I get an answer in other forum that most likely mod_security blocked the request.
I searched here but Im not clear if is possible to whitelist that server/address. It is possible?
any idea how to fix it?
Best regards,
Try connect and then go see from error logs what modsecurity rule block your API.
Try connect and then go see from error logs what modsecurity rule block your API.
you were right. Now I am not sure how to proceed. If I just need to disable some filters or add a whitelist.
What do you suggest?
2023-04-26 23:33:52.199820 [INFO] [28342] [172.70.110.250:20292:HTTP2-1#paramicafe.cl] [Module:mod_security] ModSecurity: Warning. Matched "Operator Within' with parameter GET HEAD POST OPTIONS’ against variable REQUEST_METHOD' (Value: PUT’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-911-METHOD-ENFORCEMENT.conf”] [line “27”] [id “911100”] [rev “”] [msg “Method is not allowed by policy”] [data “PUT”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [tag “paranoia-level/1”] [tag “OWASP_CRS”] [tag “capec/1000/210/272/220/274”] [tag “PCI/12.1”] [hostname “paramicafe.cl”] [uri “/wp-json/wc/v3/products/7511”] [unique_id “168255203211.810381”] [ref “v0,3”]
2023-04-26 23:33:52.200472 [INFO] [28342] [172.70.110.250:20292:HTTP2-1#paramicafe.cl] [Module:mod_security]Intervention status code triggered: 403
2023-04-26 23:33:52.200482 [INFO] [28342] [172.70.110.250:20292:HTTP2-1#paramicafe.cl] [Module:mod_security]Log Message: [client 172.70.110.250] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5’ against variable TX:ANOMALY_SCORE' (Value: 5’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “80”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “paramicafe.cl”] [uri “/wp-json/wc/v3/products/7511”] [unique_id “168255203211.810381”] [ref “”]
regards
Try add this SecRule REQUEST_HEADERS:Host "@endsWith paramicafe.cl" \ "id:1002,\ phase:1,\ pass,\ nolog,\ ctl:ruleRemoveById=911100" to modsecurity rules on panel security section. Or if you have only one site on server go modsecurity rule packages and disable that rule.
If API calling always from same IP then make rule what allow only that IP so you keep rule protecting site and not disable it totally.
Hi,
I’ve added that rule and problem continue.
I have now this.
SecRule ARGS “../” “t:normalisePathWin,id:99999,severity:4,msg:‘Drive Access’ ,log,auditlog,deny”,
SecRule REQUEST_HEADERS:Host “@endsWith paramicafe.cl” \ “id:1002,\ phase:1,\ pass,\ nolog,\ ctl:ruleRemoveById=911100”
The API call from 2 IPs address, so I need to add a command like this?
*SecRule REMOTE_ADDR “@ipMatch 203.0.113.0/24,192.0.2.2” “id:3,phase:1,t:none,log,pass,ctl:ruleRemoveById=55666”
Best regards,