Plesk & SocialBee have teamed up. Save 30% now!

Get the Deal

Knowledge Base

A website hosted in Plesk or the webmail page for it fails to load when ModSecurity is enabled

 
apachedevelopersdomainsdowntimefirewall

Symptoms

  • ModSecurity is installed and enabled in Tools & Settings > Web Application Firewall (ModSecurity) > Web application firewall mode > On.

  • A website hosted in Plesk fails to load or site is slow. It is not possible to perform operations on the website such as manage WordPress, access webmail, access robots.txt file and the following error might be displayed in the browser:

    ERR_CONNECTION_REFUSED

    403 Forbidden

    500 external Server Error

    ERR_CONNECTION_TIMED_OUT

    Service Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

    HTTP Error 403.0 - ModSecurity Action

  • Site Preview may not work with one of the errors above.

  • The webmail page for the website (webmail.example.com) in Plesk may not work with one of the errors above

  • A ModSecurity error message like below appears on the Logs page in Plesk at Domains > example.com > Logs or in Event Viewer > Application log:

    ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.com"] [uri "/robots.txt"] [unique_id "XPsROH8AAQEAABEiZFcAAABC"]

    OR

    ModSecurity: Warning. Match of "eq 0" against "&TX:PY_SCAN_FINISH" required. [file "/etc/apache2/modsecurity.d/rules/custom/000_i360_0.conf"] [line "182"] [id "77350128"] [msg "IM360 WAF: Scan time results||Py start:3542||Py finish:3555||Py time:13||Py duration:||Lua start:||Lua finish:||Lua time:||Lua duration:||T:APACHE||"] [severity "NOTICE"] [tag "service_i360"] [tag "noshow"] [hostname "example.com"] [uri "/"] [unique_id "Yz0dUZoB5aMQj0uRrk52CQAAAA0"]

    OR

    ModSecurity: Warning. Operator GT matched 5 at IP:slowloris_counter. [file "/etc/apache2/modsecurity.d/rules/comodo_free/11_HTTP_HTTPDoS.conf"] [line "17"] [id "230041"] [rev "1"] [msg "COMODO WAF: Slowloris HTTP DoS attack detected||example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTPDoS"] [hostname "example.com"] [uri "/image.php"] [unique_id "ZSk7tBKwrfI_pHFqQcZApAAAAI0"], referer: https://example.com/dashboard/edit-album?id_album=118142

Cause

ModSecurity Web Application Firewall is enabled with a very restrictive (strict) ruleset such as OWASP, Comodo, or a custom ruleset like Imunify360. Hence, some operations on the websites are blocked.

Resolution

If you are sure that it is false-positive detection, contact ruleset developers:

Atomicorp

Atomicorp support

Reporting to Atomicorp https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives

Comodo

Comodo support

Reporting to Comodo https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/falsepositive-report-thread-t104373.0.html

OWASP

Contact OWASP

Alternatively, consider one of the following options:

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2024 WebPros International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of WebPros International GmbH.

Managed with love with Plesk WP Toolkit