mod_evasive + 403 Forbidden (i-MSCP)

  • Hello @ all!


    I searched the forum and found this thread: https://i-mscp.net/index.php/Thread/2863-403-Forbidden/


    From time to time we get a 403 Forbidden error with mod_evasive enabled. When we deactivate it, everything works fine.


    Does anyone have a solution to make mod_evasive work perfectly together with i-MSCP? Or is the only solution to deactivate it?


    Infos:


    OS: Debian 8.7
    PHP-FPM
    PluginSwitcher
    Let's Encrypt


    Best regards.

    Support Infos: I-MSCP Version: 1.5.x / Distro: Debian Stretch / PHP: 7.1.27 - FPM / I-MSCP Plugins: Let's Encrypt + PHPSwitcher (latest Versions)

  • @FloRet88


    I presume that you use the PanelRedirect plugin, right? The control panel is run through an Nginx instance and therefore the Apache evasive module shouldn't have any impact, except if you use the PanelRedirect plugin. Anyway, if you get a 403 error, that means that your evasive parameters are too sensitive. You didn't provide us any logs, and thus it is difficult for us to help you regarding that issue. There should at least be log lines about the 403 response in your Apache logs, for the URL you're trying to reach.


  • Hello @Nuxwin


    Thanks for your answer.


    No, I don't use the PanelRedirect plugin.


    Here is the conf file (the whitelisted IP 89.26.xx.xxx is also blocked):


    <IfModule mod_evasive20.c>
        DOSHashTableSize 3097
        DOSPageCount 2
        DOSSiteCount 50
        DOSPageInterval 1
        DOSSiteInterval 1
        DOSBlockingPeriod 10
        DOSLogDir /var/log/apache2/mod_evasive
        DOSWhitelist 127.0.0.1 89.26.xx.xxx
    </IfModule>


    and here the latest error log file:



    Best regards.


  • @FloRet88


    OK, I think that your problem is that you reach the mod_evasive limit somewhere and that the module cannot display a custom error document, which explains the default 403 Forbidden error.
    I'll do some tests soon.


  • @FloRet88


    I've tested the behavior, and my thinking is confirmed. When a client reaches a limit set by the evasive module, you get a 403 error page. In my case, I get:


    [Screenshot: evasive_limit_reached.png]


    and that is the expected behavior. This occurs mostly when I reload the page too quickly, due to the default evasive module rules. The problem in your case is that the default evasive parameters are too sensitive. You should review them. Note that if you use a PHP application for which the entry point is always index.php, that could pose a problem. Indeed, all pages are served through the same PHP script in that case, using rewrite rules. That is the case for many PHP applications and frameworks such as Zend Framework. This can also be a problem for PHP applications in which many XHR requests are made behind the scenes.



    To sum up, you must review your evasive parameters.



    Note: Tested on Debian Stretch with i-MSCP 1.4.x

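Added example (not part of the original posts, and not i-MSCP or mod_evasive code): a Python script that measures per-second request peaks per client and path from an Apache access log, so that DOSPageCount and DOSSiteCount can be set above normal traffic. The log lines are constructed, the function names are hypothetical, and the one-second buckets assume an interval of 1 as in the posted config; it approximates the module's counting rather than reproducing it.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:15:01 +0100] "GET /index.php?page=home HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2019:10:15:01 +0100] "GET /index.php?page=news HTTP/1.1" 200 4300
203.0.113.7 - - [12/Mar/2019:10:15:01 +0100] "POST /index.php?ajax=cart HTTP/1.1" 200 210
203.0.113.7 - - [12/Mar/2019:10:15:01 +0100] "GET /css/site.css HTTP/1.1" 200 900
203.0.113.7 - - [12/Mar/2019:10:15:02 +0100] "GET /index.php?page=home HTTP/1.1" 200 5120
198.51.100.9 - - [12/Mar/2019:10:15:02 +0100] "GET /index.php HTTP/1.1" 200 5120
"""

# Captures: client IP, timestamp (one-second resolution), requested URL.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def peak_rates(log_text):
    """Return (page_peaks, site_peaks): the highest number of hits seen in
    any single second per (ip, path) and per ip."""
    page, site = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, url = m.groups()
        path = url.split("?", 1)[0]  # assumption: counting is per path, query string ignored
        page[(ip, path, ts)] += 1
        site[(ip, ts)] += 1
    page_peaks, site_peaks = {}, {}
    for (ip, path, _), n in page.items():
        page_peaks[(ip, path)] = max(n, page_peaks.get((ip, path), 0))
    for (ip, _), n in site.items():
        site_peaks[ip] = max(n, site_peaks.get(ip, 0))
    return page_peaks, site_peaks

def would_trip(log_text, page_count, site_count):
    """List (ip, target, peak) entries whose one-second peak exceeds a threshold."""
    page_peaks, site_peaks = peak_rates(log_text)
    hits = [(ip, path, n) for (ip, path), n in page_peaks.items() if n > page_count]
    hits += [(ip, "*site*", n) for ip, n in site_peaks.items() if n > site_count]
    return sorted(hits)

if __name__ == "__main__":
    # Thresholds from the posted config: DOSPageCount 2, DOSSiteCount 50.
    for ip, target, n in would_trip(SAMPLE_LOG, page_count=2, site_count=50):
        print(f"{ip} {target}: {n} requests in one second")
```

Running it against a day of real access logs shows which legitimate clients and paths peak highest, which gives a floor for the two thresholds.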

  • Hello,


    Thank you very much for your test.


    I will try to set new evasive rules that are not so sensitive and will give you feedback afterwards.


    Best regards.
