403 error can't solve

[otakudes]

I have two sites I'm running suPHP on. One is a static site. I started getting a 403 error a few days ago. I have tried checking file permissions (folder 755, file 644), group permissions user:user. Everything looks okay. Nothing is showing up in my error log for this. I made some fatal changes on my .htaccess file to make sure error log is working. It is. Any ideas what I missed? I'm hoping something simple. I tried reloading a backup from a couple months ago and the error is still showing up

manuel's web site map

www.manuelsweb.com

 

[andrew.n]

What does /usr/local/apache/logs/error_log say?

 

[otakudes]

I'm viewing /var/log/apache2/error_log. It appears to be the same as your error log. It doesn't mention the 403 error.

 

[andrew.n]

Do you get the same for html, php extensions as well?

 

[otakudes]

Yes. It doesn't look like error log is recording these. I do see a few 403 in the log though

[Wed Feb 17 18:30:20.914720 2021] [:error] [pid 9120] [client 171.25.193.20:21335] [client 171.25.193.20] ModSecurity: Access denied with code 403 (phase 2). Match of "rbl nxd
[Wed Feb 17 18:31:55.921580 2021] [:error] [pid 14492] [client 31.220.40.240:50748] [client 31.220.40.240] ModSecurity: Warning. String match "/.env" at REQUEST_FILENAME. [fil
[Wed Feb 17 18:31:55.990894 2021] [:error] [pid 9120] [client 31.220.40.240:50740] [client 31.220.40.240] ModSecurity: Access denied with code 403 (phase 2). Match of "rbl nxd

 

[otakudes]

It's ModSecurity. I set Rules Engine to Do Not Process Rules and pages loaded again. I need to figure out why.

EDIT:
I disabled cPanels OWASP rules. ConfigServer has it's own. Maybe they were conflicting.

 

[andrew.n]

Glad you figured it out!

 

[cPRex]

You may get more details by checking the /etc/apache2/logs/modsec_audit.log file on the system as that would have specific details on what modsec is doing.

 

[otakudes]

You may get more details by checking the /etc/apache2/logs/modsec_audit.log file on the system as that would have specific details on what modsec is doing.

It appears to be rule# 911100 but I have no idea why it would do this.

 

[cPRex]

It's nothing you're doing wrong - sometimes ModSecurity just gives false positives, as any security tool sometimes can.

You can try disabling that rule on the server to see if that gets things working well. We have an article that explains that process here: How can I disable a ModSecurity rule?

 

[otakudes]

I had to uninstall OWASP rules in EasyApache. I had them disabled but cPanel reenabled them causing the error again.

 

[cPRex]

I would not expect cPanel to activate a set of rules on the system. If you are able to reproduce that issue, can you let me know the steps you took to make that happen so I can do some testing on my end?