Modsecurity rule identification

Discussion in 'ISPConfig 3 Priority Support' started by Stelios, Oct 5, 2022.

  1. Stelios

    Stelios Active Member HowtoForge Supporter

    Hi all,

    I've got a WordPress website that doesn't load any images due to 403 errors related to ModSecurity rules.
    The problem is that under logs I can't find any ID in order to exclude it.
    Example log:

    root@web2:/etc/modsecurity/rules# cat /var/log/apache2/modsec_audit.log
    --cf1b3b19-A--
    [05/Oct/2022:17:24:43 +0300] Yz2TqyB8mvixTGU9pbt2YgAAAAs 95.217.8.124 57148 168.119.122.191 443
    --cf1b3b19-B--
    GET /wp-content/uploads/2020/02/enjoyHorizontalSmall.png HTTP/1.1
    Host: www. mydomain.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: image/avif,image/webp,*/*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Referer: https://www. mydomain.com/services/sea-kayak-day-trips/
    Cookie: _ga_BBH3GWJ9TN=GS1.1.1664976416.16.1.1664976818.0.0.0; _ga=GA1.2.1009653014.1659290474; pixelcat_id=ffd99a6f85; _fbp=fb.1.1659290482963.1375261013; _gid=GA1.2.1329457654.1664976417; wp-wpml_current_admin_language_d41d8cd98f00b204e9800998ecf8427e=en; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26editor%3Dhtml%26hidetb%3D1%26siteorigin_panels_setting_tab%3Dgeneral%26advImgDetails%3Dshow%26imgsize%3Dthumbnail%26posts_list_mode%3Dlist%26editor_plain_text_paste_warning%3D2%26uploader%3D1%26widgets_access%3Doff; wp-settings-time-1=1664976540; wp-wpml_current_language=en; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_9556babef9a00f397ce0d793bc31de77=stelios%7C1665149331%7CE799uvyO4cqmkF4eny6ON2AlsT2SxfHpLq84tnyt5Dc%7Ccdcbca2167a0a92bd90e6aacca7608125ba901051faf71e5d9b5ed59dd21ae4c
    Sec-Fetch-Dest: image
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Site: same-origin

    --cf1b3b19-F--
    HTTP/1.1 403 Forbidden
    Last-Modified: Fri, 13 Nov 2020 16:54:10 GMT
    ETag: "91a-5b3ffe09d7080"
    Accept-Ranges: bytes
    Content-Length: 2330
    Cache-Control: max-age=7200, private, must-revalidate
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html

    --cf1b3b19-H--
    Stopwatch: 1664979883090168 7513 (- - -)
    Stopwatch2: 1664979883090168 7513; combined=5981, p1=1068, p2=4812, p3=0, p4=0, p5=101, sr=126, sw=0, l=0, gc=0
    Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/4.0.0-rc1.
    Server: Apache
    Engine-Mode: "ENABLED"

    --cf1b3b19-Z--
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    And what is in the error.log of the affected website?
     
  3. Stelios

    Stelios Active Member HowtoForge Supporter

    Sorry for the late reply; in the end it was a firewall plugin in WordPress that was causing the issue.
     
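Added example (not code from the thread or from the ModSecurity project): in ModSecurity 2.x serial audit logs, rule matches show up in section H as `Message:` lines carrying `[id "..."]`, with `Action: Intercepted` when the engine itself blocked the request. The script below triages audit entries on that basis; the function name `triage`, the sample log, its addresses and rule id 999001 are all constructed for illustration.

```python
import re

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")  # e.g. --cf1b3b19-H--
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def triage(log_text):
    """Per transaction: response status, matched rule IDs, and a verdict."""
    entries, txid, part = {}, None, None
    for line in map(str.strip, log_text.splitlines()):
        m = BOUNDARY.match(line)
        if m:  # a boundary line opens the next section of transaction txid
            txid, part = m.groups()
            entries.setdefault(txid, {}).setdefault(part, [])
        elif txid and line:
            entries[txid][part].append(line)
    report = {}
    for txid, parts in entries.items():
        first = (parts.get("F") or ["- -"])[0].split()  # "HTTP/1.1 403 Forbidden"
        trailer = parts.get("H", [])
        ids = [i for l in trailer if l.startswith("Message:") for i in RULE_ID.findall(l)]
        blocked = any(l.startswith("Action: Intercepted") for l in trailer)
        verdict = ("blocked by ModSecurity" if blocked else
                   "rules matched, not intercepted" if ids else "no rule matched")
        report[txid] = {"status": int(first[1]) if first[1].isdigit() else None,
                        "rule_ids": ids, "verdict": verdict}
    return report

# Constructed sample: entry 1 is abridged from the first post (addresses swapped for
# documentation ranges); entry 2 and its rule id 999001 are invented.
SAMPLE = """\
--cf1b3b19-A--
[05/Oct/2022:17:24:43 +0300] constructed-id-1 192.0.2.10 57148 198.51.100.20 443
--cf1b3b19-F--
HTTP/1.1 403 Forbidden
--cf1b3b19-H--
Engine-Mode: "ENABLED"
--cf1b3b19-Z--
--aaaa0001-A--
[05/Oct/2022:17:25:00 +0300] constructed-id-2 192.0.2.10 57150 198.51.100.20 443
--aaaa0001-F--
HTTP/1.1 403 Forbidden
--aaaa0001-H--
Message: Access denied with code 403 (phase 2). Pattern match "test" at ARGS:q. [file "/etc/modsecurity/rules/example.conf"] [line "1"] [id "999001"] [msg "Constructed rule"]
Action: Intercepted (phase 2)
--aaaa0001-Z--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An entry shaped like the one in the first post, a 403 whose section H has no `Message:` line, comes out as `no rule matched`, which is consistent with the block originating outside ModSecurity, as the thread's resolution reports.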