
A website hosted in Plesk or the webmail page for it fails to load when ModSecurity is enabled


Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

  • ModSecurity is installed and enabled in Tools & Settings > Web Application Firewall (ModSecurity) > Web application firewall mode > On.

  • A website hosted in Plesk fails to load or is slow. It is not possible to perform operations on the website, such as managing WordPress, accessing webmail, or accessing the robots.txt file, and one of the following errors might be displayed in the browser:

    ERR_CONNECTION_REFUSED

    403 Forbidden

    500 Internal Server Error

    ERR_CONNECTION_TIMED_OUT

    Service Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

    HTTP Error 403.0 - ModSecurity Action

  • Site Preview may not work with one of the errors above.

  • The webmail page for the website (webmail.example.com) in Plesk may not work with one of the errors above.

  • A ModSecurity error message like one of the following appears on the Logs page in Plesk at Domains > example.com > Logs or in Event Viewer > Application log:

    ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.com"] [uri "/robots.txt"] [unique_id "XPsROH8AAQEAABEiZFcAAABC"]

    OR

    ModSecurity: Warning. Match of "eq 0" against "&TX:PY_SCAN_FINISH" required. [file "/etc/apache2/modsecurity.d/rules/custom/000_i360_0.conf"] [line "182"] [id "77350128"] [msg "IM360 WAF: Scan time results||Py start:3542||Py finish:3555||Py time:13||Py duration:||Lua start:||Lua finish:||Lua time:||Lua duration:||T:APACHE||"] [severity "NOTICE"] [tag "service_i360"] [tag "noshow"] [hostname "example.com"] [uri "/"] [unique_id "Yz0dUZoB5aMQj0uRrk52CQAAAA0"]

    OR

    ModSecurity: Warning. Operator GT matched 5 at IP:slowloris_counter. [file "/etc/apache2/modsecurity.d/rules/comodo_free/11_HTTP_HTTPDoS.conf"] [line "17"] [id "230041"] [rev "1"] [msg "COMODO WAF: Slowloris HTTP DoS attack detected||example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTPDoS"] [hostname "example.com"] [uri "/image.php"] [unique_id "ZSk7tBKwrfI_pHFqQcZApAAAAI0"], referer: https://example.com/dashboard/edit-album?id_album=118142

  • Some content may be missing (for example, images do not load or some scripts do not work properly), or the domain's functionality may not work properly.

  • It is not possible to delete a plugin in the WordPress dashboard:

    <!DOCTYPE html> 403 Forbidden html
    {overflow...
    Server Error 403 Forbidden You do not have permission to access this document

  • If the website is using Cloudflare, the following error might be shown:

    Error 521
    Web server is down

Cause

The ModSecurity Web Application Firewall is enabled with a very restrictive (strict) ruleset such as OWASP, Comodo, or a custom ruleset like Imunify360. As a result, some operations on the websites are blocked.
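
To see which ruleset and rule acted on a request, the bracketed fields of log lines like those under Symptoms can be parsed and grouped by unique_id. The following is an added example, not code from Plesk or any ruleset vendor; the function names are hypothetical. Rule 949110 only checks the accumulated anomaly score, so the rules that raised the score are logged as separate entries with the same unique_id; the first sample line is constructed with a placeholder rule to show this.

```python
import posixpath
import re
from collections import defaultdict

# Line 1 is CONSTRUCTED (placeholder rule file and id) to stand in for a scoring rule.
# Lines 2-4 are abridged from the log lines under Symptoms.
SAMPLE_LOG = """\
ModSecurity: Warning. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/PLACEHOLDER-RULE.conf"] [id "0000001"] [msg "constructed contributing rule"] [hostname "example.com"] [uri "/robots.txt"] [unique_id "XPsROH8AAQEAABEiZFcAAABC"]
ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "attack-generic"] [hostname "example.com"] [uri "/robots.txt"] [unique_id "XPsROH8AAQEAABEiZFcAAABC"]
ModSecurity: Warning. Match of "eq 0" against "&TX:PY_SCAN_FINISH" required. [file "/etc/apache2/modsecurity.d/rules/custom/000_i360_0.conf"] [line "182"] [id "77350128"] [msg "IM360 WAF: Scan time results"] [severity "NOTICE"] [tag "service_i360"] [tag "noshow"] [hostname "example.com"] [uri "/"] [unique_id "Yz0dUZoB5aMQj0uRrk52CQAAAA0"]
ModSecurity: Warning. Operator GT matched 5 at IP:slowloris_counter. [file "/etc/apache2/modsecurity.d/rules/comodo_free/11_HTTP_HTTPDoS.conf"] [line "17"] [id "230041"] [msg "COMODO WAF: Slowloris HTTP DoS attack detected||example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [hostname "example.com"] [uri "/image.php"] [unique_id "ZSk7tBKwrfI_pHFqQcZApAAAAI0"]
"""

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # matches [key "value"] pairs
DENIED = re.compile(r"ModSecurity: Access denied with code (\d+)")

def parse_line(line):
    """Parse one ModSecurity message into a dict; return None for other lines."""
    if "ModSecurity:" not in line:
        return None
    event = {"tags": []}
    for key, value in FIELD.findall(line):
        if key == "tag":
            event["tags"].append(value)  # tag repeats, so collect all of them
        else:
            event[key] = value
    denied = DENIED.search(line)
    event["status"] = denied.group(1) if denied else None
    # The directory holding the rule file names the ruleset (Linux paths, as on this page).
    event["ruleset"] = posixpath.basename(posixpath.dirname(event.get("file", ""))) or "unknown"
    return event

def rules_by_request(log_text):
    """Group events by unique_id so every rule that fired on a request is listed together."""
    requests = defaultdict(lambda: {"uri": None, "blocked_by": None, "rules": []})
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or "id" not in event:
            continue
        req = requests[event.get("unique_id", "no-unique-id")]
        req["uri"] = event.get("uri")
        req["rules"].append((event["ruleset"], event["id"]))
        if event["status"]:  # only "Access denied" lines carry a status code
            req["blocked_by"] = event["id"]
    return dict(requests)

if __name__ == "__main__":
    for uid, req in rules_by_request(SAMPLE_LOG).items():
        print(uid, req["uri"], req["blocked_by"] or "logged only", req["rules"])
```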

Resolution

If you are sure that it is a false-positive detection, contact the ruleset developers:

 

Alternatively, consider one of the following options:


Comments

  • Dear Plesk support, please advise?

    1- Disabling rules at mod_security will decrease the websites' security.

    2- Why in the first place does Plesk enable mod_security for webmail? Today's attachments of videos, pictures, and emails as HTML or XML will cause many false positives.
