Ariful
January 29, 2024, 4:57am
1
*Server setup: latest CyberPanel + OpenLiteSpeed + ModSec (OWASP Core Rule Set activated from CyberPanel).
*Problem: Login with Google triggers a 403.
To fix the issue I added this code to the default CP ModSec rules (as in the photo):
```
<LocationMatch "/my-account/google/oauth2callback*">
    SecRuleRemoveById 949110
</LocationMatch>
```
But no luck!!
Here is the error log:
```
2024-01-29 12:32:20.537518 [INFO] [4300] [172.68.242.101:11658-12#sorboprothomalo.com ] [Module:mod_security]Intervention status code triggered: 403
2024-01-29 12:32:20.537568 [INFO] [4300] [172.68.242.101:11658-12#sorboprothomalo.com ] [Module:mod_security]Log Message: [client 172.68.242.101] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "sorboprothomalo.com "] [uri "/my-account/google/oauth2callback"] [unique_id "170650274014.446625"] [ref ""]
```
*** Is there any good soul to help me?
opened 08:24PM - 13 Jan 24 UTC
closed 07:43AM - 15 Jan 24 UTC
If we activate OWASP ModSecurity Core Rules, some menus on CyberPanel like Website->List->Manage, Access Logs, File Manager and more cannot be accessed: 403 Forbidden.
This is the error shown at Logs->Error Logs:
```
2024-01-13 21:31:21.644932 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Within' with parameter `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .ln (150 characters omitted)' against variable `TX:EXTENSION' (Value: `.com/' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "cp.eakteam.com"] [uri "/websites/eakteam.com"] [unique_id "170518148174.130653"] [ref "o7,4o8,3v14,11o71,5t:urlDecodeUni,t:lowercase"]
2024-01-13 21:31:21.654301 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security]Intervention status code triggered: 403
2024-01-13 21:31:21.654340 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security]Log Message: [client 109.234.233.130] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "cp.eakteam.com"] [uri "/websites/eakteam.com"] [unique_id "170518148174.130653"] [ref ""]
```
It's rule number 18 -> `REQUEST-949-BLOCKING-EVALUATION` which is causing the 403 Forbidden.
Is this the case with you?
Ariful
January 29, 2024, 10:27am
3
Hello sir, thanks for your response.
My problem is different from what you mentioned. I don’t access CyberPanel from any proxy and my CyberPanel Dashboard, Menus, Options and everything else are OK.
(I am using the OWASP Core Rule Set activated from CyberPanel.)
**My problem is that I don’t know how to disable some specific ModSec rule IDs. CyberPanel has an option to disable a specific RULE GROUP (such as 900, 901, 905 etc.). But that is very dangerous from a security point of view!!**
**Sir, you know that every server hosts many domains. Some even host hundreds. That’s why disabling one RULE GROUP is dangerous and is not practical for security reasons.**
**The practical solution for the “MODSEC TRIGGER 403 ISSUE” is to DISABLE SPECIFIC RULE IDs (such as 950109, 950901, 958291) just for a SPECIFIC DOMAIN.**
**My question is: how to DISABLE SPECIFIC RULE IDs just for a SPECIFIC DOMAIN? I know that it can be done by adding code at :8090/firewall/modSecRules. But I don’t know the code for CyberPanel. Please HELP…**
OK. I understand the problem now.
Open a ticket here: https://platform.cyberpersons.com/
Provide the site where Google login is having issues, and also provide access to CyberPanel.
I will have to see how we can get around this problem.
Ariful
January 29, 2024, 2:55pm
5
Hello Sir, as per your instruction, I created a ticket on https://platform.cyberpersons.com/ .
Please Investigate.
I added this and it seems to go through:
```
SecRuleRemoveById 930120
SecRuleRemoveById 949110
```
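An added example (not from this thread or from CyberPanel): a small Python helper that parses ModSecurity log lines of the shape quoted above, skips the 949110 evaluation rule because removing it switches anomaly blocking off for every site, and renders a per-domain, per-path exclusion using the CRS `ctl:ruleRemoveById` pattern instead of a global `SecRuleRemoveById`. The sample log, the hostname example.com and the local rule id range starting at 10000 are constructed assumptions, and the rendered rules are assumed to be placed so that they load before the CRS rule files.

```python
import re

# Constructed sample modelled on the OpenLiteSpeed/ModSecurity log lines in this
# thread; the hostname, client address and the 930120 warning line are made up.
SAMPLE_LOG = """\
2024-01-29 12:32:20.537400 [INFO] [4300] [198.51.100.7:11658-12#example.com ] [Module:mod_security]ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:state' (Value: `redacted' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "1"] [id "930120"] [msg "OS File Access Attempt"] [severity "2"] [hostname "example.com "] [uri "/my-account/google/oauth2callback"]
2024-01-29 12:32:20.537568 [INFO] [4300] [198.51.100.7:11658-12#example.com ] [Module:mod_security]Log Message: [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.com "] [uri "/my-account/google/oauth2callback"]
"""

# CRS anomaly-evaluation rules only report the summed score; removing them
# switches blocking off entirely, so they are never candidates for exclusion.
EVALUATION_RULES = {"949110", "959100"}

FIELD = re.compile(r'\[(id|msg|hostname|uri) "([^"]*)"\]')

def parse_events(log_text):
    """One dict per mod_security line that carries an [id "..."] tag."""
    events = []
    for line in log_text.splitlines():
        if "[Module:mod_security]" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "id" in fields:
            # OLS logs the vhost name with a trailing space, as seen in the thread.
            fields["hostname"] = fields.get("hostname", "").strip()
            events.append(fields)
    return events

def triggering_rules(events):
    """Map (hostname, uri) -> sorted ids of the rules that actually scored."""
    hits = {}
    for ev in events:
        if ev["id"] not in EVALUATION_RULES:
            hits.setdefault((ev["hostname"], ev.get("uri", "/")), set()).add(ev["id"])
    return {key: sorted(ids) for key, ids in hits.items()}

def exclusion_config(hits, first_id=10000):
    """Render chained per-vhost, per-path exclusions; ids from first_id up are assumed local."""
    lines, rule_id = [], first_id
    for (host, uri), ids in sorted(hits.items()):
        ctl = ",".join(f"ctl:ruleRemoveById={i}" for i in ids)
        # ctl sits on the last rule of the chain so it only fires when both rules match.
        lines.append(f'SecRule SERVER_NAME "@streq {host}" "id:{rule_id},phase:1,pass,nolog,chain"')
        lines.append(f'    SecRule REQUEST_URI "@beginsWith {uri}" "{ctl}"')
        rule_id += 1
    return "\n".join(lines)

if __name__ == "__main__":
    print(exclusion_config(triggering_rules(parse_events(SAMPLE_LOG))))
```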
Ariful
January 30, 2024, 6:11am
10
Hello Sir, many many thanks to you.
Issue Solved.