× Presentation and instructions about security tools used to prevent server hacking. Feel free to use them or ask us to protect your site hosting it to a safe, daily monitored vps senter. Freespirits will ensure great quality of services.

Fix ModSecurity 403 Forbidden False Positive Caused by Cookies on CWP / Apache /

Περισσότερα
2 Εβδομάδες 1 Ημέρα πριν #342 από infogate
Problem

After enabling ModSecurity for a domain, the website may suddenly show:

Forbidden
You don't have permission to access this resource.


This can happen even when the website itself is clean and working correctly.

In my case, the issue appeared on a WordPress / WooCommerce website after enabling ModSecurity with COMODO WAF rules on a CWP server.

The Apache error log showed something like this:

ModSecurity: Access denied with code 403 (phase 2).
Pattern match ... at REQUEST_COOKIES:sbjs_first.
[file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"]
[id "218500"]
[msg "COMODO WAF: SQLmap attack detected"]
[hostname "example.com"]
[uri "/"]


The important parts are:

id "218500"
REQUEST_COOKIES:sbjs_first
COMODO WAF: SQLmap attack detected


In this case, ModSecurity was not blocking a real attack. It was falsely detecting a normal tracking/marketing cookie as a SQL injection attack.

The cookie was:

sbjs_first


This cookie is commonly created by Sourcebuster or marketing/tracking plugins used by WordPress and WooCommerce websites.

Important

Do not disable ModSecurity completely.

Also, do not disable all SQL injection protection rules globally.

The correct solution is to exclude only the specific safe cookie from the specific ModSecurity rule that is causing the false positive.

Step 1: Find the exact ModSecurity rule ID

Run:

grep -Rhi "ModSecurity: Access denied"
/usr/local/apache/domlogs/example.com.error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/modsec_audit.log
/var/log/httpd/* 2>/dev/null | tail -30


Replace:

example.com


with the real domain.

Look for:

[id "RULE_ID"]


and also check what variable was blocked, for example:

REQUEST_COOKIES:sbjs_first
REQUEST_URI
ARGS
REQUEST_HEADERS


Example

If the log says:

[id "218500"]
at REQUEST_COOKIES:sbjs_first


then the rule ID is:

218500


and the problematic cookie is:

sbjs_first


Step 2: Add a safe ModSecurity exclusion

On CWP with COMODO WAF, create a custom rule file:

nano /usr/local/apache/modsecurity-cwaf/rules/99_custom_cookie_exclusions.conf


Add:


# Fix false positive for Sourcebuster / WooCommerce sbjs_* cookies.

# Keeps the ModSecurity SQLi rule active, but excludes these safe cookies.

SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_first"
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_current"
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_current_add"
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_first_add"
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_udata"
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_session"


This does not disable rule 218500.

It only tells ModSecurity not to inspect these specific harmless cookies with that rule.

Step 3: Test Apache configuration

On some CWP servers, apachectl may not exist in PATH.

Use:

/usr/local/apache/bin/httpd -t


If the syntax is OK, restart Apache:

systemctl restart httpd


Step 4: Test the website

Clear browser cookies for the domain or open the site in an incognito/private browser window.

Then watch the log live:

tail -n0 -f /usr/local/apache/domlogs/example.com.error.log /usr/local/apache/logs/error_log


Refresh the website.

If the fix worked, you should no longer see new errors like:

id "218500"
REQUEST_COOKIES:sbjs_first
Access denied with code 403


General rule for any domain

The same method can be used for any false positive.

You only need to replace:

218500


with the actual ModSecurity rule ID from your logs.

And replace:

REQUEST_COOKIES:sbjs_first


with the exact variable that was falsely blocked.

Example format:

SecRuleUpdateTargetById RULE_ID "!REQUEST_COOKIES:COOKIE_NAME"


or:

SecRuleUpdateTargetById RULE_ID "!ARGS:PARAMETER_NAME"


Do not whitelist blindly

Some ModSecurity blocks are real attacks.

For example, this is a real scan and should stay blocked:

Matched phrase "/.env" at REQUEST_URI
[id "210492"]
[uri "/.env"]


Requests for files like:

/.env
/.env.example
/wp-config.php.bak
/configuration.php.old
/database.sql


are hostile scans and should remain blocked.

Summary

If enabling ModSecurity causes a normal website to show 403 Forbidden:

1. Check the Apache or ModSecurity logs.
2. Find the exact rule ID.
3. Find the exact cookie, argument, or request variable being blocked.
4. Exclude only that specific variable from that specific rule.
5. Do not disable ModSecurity completely.
6. Do not disable important rules globally unless absolutely necessary.

This keeps the website usable while preserving ModSecurity protection.


The best possible way to start your online marketing : fspirits.com/go/leadsleap-home
Explode Your Web Site Traffice: fspirits.com/go/sparktraffic
Start your affiliate journey here: fspirits.com/go/olsp-academy
Best Solution To Create Videos: fspirits.com/go/create-studio-pro
Best Solution To Create Graphics: fspirits.com/go/clickdesigns
Smart Chat Automation: fspirits.com/go/chatterpal
Multi-Purpose Video Maker: fspirits.com/go/avatar-builder
Multi-Purpose Video Creator: fspirits.com/go/video-creator
AI Human Spokesperson Videos: fspirits.com/go/humanpal

Παρακαλούμε Σύνδεση ή Δημιουργία λογαριασμού για να συμμετάσχετε στη συζήτηση.

Χρόνος δημιουργίας σελίδας: 0.072 δευτερόλεπτα
Powered by Kunena Φόρουμ