Frequent 403 error

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Jan 19, 2017.

  1. pawan

    pawan Member HowtoForge Supporter

    I am facing frequent 403 error, on website, in email-roundcube.
    I had installed mod-security.
    Thinking that the Apache mo-security may be creating the problem, I have disabled it, but the 403 error still persists.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    yes, that is very likely as mod-security shws a 403 when it blocks a request.

    Maybe it is not fully deactivated or apache has not been restarted after the config change. You should be able to see it in the mod security log files when it blocks a request.
     
  3. pawan

    pawan Member HowtoForge Supporter

    I have even restarted the server machine, still I am getting the error.
    BTW where I can check the logs for mod-security.
    I have checked the error log for vhost in var/log/ispconfig/http/relevant vhost error.log
    There I am getting for example -
    Code:
    [Fri Jan 20 14:06:41 2017] [error] [client 117.247.67.136] client denied by server configuration: /var/www/lions322c2.org/web/administrator/index.php, referer: http://lions322c2.org/administrator/index.php?option=com_media
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    They are normally in /var/log/apache2/ on Debian and Ubuntu and /var/log/httpd/ on CentOS.
     
  5. pawan

    pawan Member HowtoForge Supporter

    In that folder I can see
    • access.log
    • error.log
    • modsec_audit.log
    • suexec.log
    • other_vhosts_access.log
    the contents of modsec_audit.log is like this -
    Code:
    --5518f61a-A--
    [15/Jan/2017:07:59:10 +0530] WHredsCoAAoAAEkMtWIAAAAG 185.40.4.66 53966 192.168.0.10 80
    --5518f61a-B--
    GET /rss/catalog/notifystock/ HTTP/1.1
    Authorization: Basic c3lzdGVtX2JhY2t1cDpjb21wYXE=
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
    Referer: http://www.google.com/
    Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
    Host: unitechindia.com
    Connection: Keep-Alive
    
    --5518f61a-F--
    HTTP/1.1 401 Unauthorized
    X-Powered-By: PHP/5.3.10-1ubuntu3.25
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Www-Authenticate: Basic realm="RSS Feeds"
    Set-Cookie: PHPSESSID=156d0759a99638283591322a7d8cf059; expires=Sun, 15-Jan-2017 03:29:10 GMT; path=/; domain=unitechindia.com; HttpOnly
    Vary: Accept-Encoding
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
    
    --5518f61a-H--
    Apache-Handler: fcgid-script
    Stopwatch: 1484447350560621 82162 (- - -)
    Stopwatch2: 1484447350560621 82162; combined=38, p1=23, p2=10, p3=0, p4=0, p5=5, sr=0, sw=0, l=0, gc=0
    Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/).
    Server: Apache/2.2.22 (Ubuntu)
     
  6. pawan

    pawan Member HowtoForge Supporter

    I have noticed particular while accessing email account in roundcube.
    when I click on a email subject, preview pane shows okay. but once I click on another mail, I get 404.
    Then If I wait for some time and then click on the same email subject, the preview show okay.
    Can mod_evasive also cause this type of problem. As I have mod_evasive enabled.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, then it is caused by mod_evasive when the problem cures itself after a short time period. edit your mod_evasive config and make it less strict (allow more requests to a file in the given time frame).
     
  8. pawan

    pawan Member HowtoForge Supporter

    Thanks Till, that seem to have solved the problem.
     

Share This Page