403 Forbidden after installing Mod_security

  • Posted November 3, 2013


I installed Mod_security on Ubuntu 12.04 x32 following this tutorial:

and now I receive 403 Forbidden error on every page/folder on my website: You don’t have permission to access / on this server You don’t have permission to access /phpmyadmin on this server

I created /etc/modsecurity/modsecurity_custom_rules.conf and I could probably add custom rule for every specific case i.e. <Directory “/var/www/somefolder”> <IfModule security2_module> SecRuleEngine Off </IfModule> </Directory>

but is there a simpler way to add more general rules?

Also is it normal after installing Mod_security to get blocked completely or I did something wrong during the installation?

Thanks in advance


Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

check the status of SELinux <br> <br># vi /etc/selinux/config
<br># SELINUX=disabled -> SELINUX=enforcing <br>save & exit <br># setenforce 0 <br> <br>It will be fine! <br>

you get? Good … I had this problem installing zpanel with apache2 … and I only comment on the <directory> … / etc/apache2/apache2.conf, al the virtual host worked nicely <br> <br>OS: Ubuntu 12 LTS

apache2/error.log is full with this crap: <br> <br>ModSecurity: Access denied with code 403 (phase 1). Match of “streq %{SESSION.IP_HASH}” against “TX:ip_hash”$

Any other ideas guys? <br>

I don’t think I have any experimental routes enabled. I did very few changes in /etc/modsecurity/modsecurity.conf (I.e. SecRuleEngine On; SecResponseBodyAccess Off)

Try disabling the experimental routes.

Thank you Kamal. <br>Tried, unfortunately it doesn’t work: <br> <br>Forbidden <br>You don’t have permission to access / on this server.

Try clearing your cookies and see if that fixes it.

Copy from the apache2/modsec_audit.log: <br> <br>–37e37562-H– <br>Message: Access denied with code 403 (phase 1). Match of “streq %{SESSION.IP_HASH}” against “TX:ip_hash” required. [file “/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf”] [line “35”] [id “981059”] [msg “Warning - Sticky SessionID Data Changed - IP Address Mismatch.”] <br>Action: Intercepted (phase 1) <br>Stopwatch: 1383499867684968 2258 (- - -) <br>Stopwatch2: 1383499867684968 2258; combined=634, p1=407, p2=0, p3=0, p4=0, p5=177, sr=109, sw=50, l=0, gc=0 <br>Response-Body-Transformed: Dechunked <br>Producer: ModSecurity for Apache/2.6.3 (; OWASP_CRS/2.2.5; core ruleset/2.2.0. <br>Server: Apache/2.2.22 (Ubuntu) <br>WebApp-Info: “default” “ljo70mlrrc3rc9fh8ishmfjhu4” “”