ACP and mod_security

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
User avatar
Jester-fr
Registered User
Posts: 160
Joined: Sun May 27, 2007 9:52 am
Location: South of France
Contact:

ACP and mod_security

Post by Jester-fr » Thu Nov 07, 2019 9:56 am

Hello,

got a problem with a 3.2.7 phpBB forum and the server who works with mod_security. phpBB sent many false positives to it, and mod_security blocks the access to the ACP with a 403.

Is there any solution to this ?

Regards,
phpBB-fr.com, the phpBB French Support Community since 2000 !
Passez votre forum phpBB 3.0.x, 3.1.x et 3.2.x en langue française !
Try the best French phpBB packs !
Testez phpBB 3.2.x

User avatar
david63
Registered User
Posts: 16718
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: ACP and mod_security

Post by david63 » Thu Nov 07, 2019 10:01 am

Jester-fr wrote:
Thu Nov 07, 2019 9:56 am
Is there any solution to this ?
Yes - speak with your hosts, they should be able to set rules that will allow phpBB to work in the same way that all other hosts allow it.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

User avatar
Jester-fr
Registered User
Posts: 160
Joined: Sun May 27, 2007 9:52 am
Location: South of France
Contact:

Re: ACP and mod_security

Post by Jester-fr » Thu Nov 07, 2019 10:33 am

The host wants to have the maximum security and don"t understand they can allow phpBB to sent so many false positives... (it's an academic school host). That's why I ask how can we do to resolve it.
phpBB-fr.com, the phpBB French Support Community since 2000 !
Passez votre forum phpBB 3.0.x, 3.1.x et 3.2.x en langue française !
Try the best French phpBB packs !
Testez phpBB 3.2.x

sakm
Registered User
Posts: 545
Joined: Sun Jan 21, 2007 8:14 pm
Location: Hull, uk
Name: Stu
Contact:

Re: ACP and mod_security

Post by sakm » Thu Nov 07, 2019 10:52 am

Get a new host is probably the solution if they aren't willing to help

User avatar
Jester-fr
Registered User
Posts: 160
Joined: Sun May 27, 2007 9:52 am
Location: South of France
Contact:

Re: ACP and mod_security

Post by Jester-fr » Thu Nov 07, 2019 11:03 am

We cannot change it.

But it's no the host which cause problems, it's mod_security. If the host make a exception for the false positives, what if of the host security ?
phpBB-fr.com, the phpBB French Support Community since 2000 !
Passez votre forum phpBB 3.0.x, 3.1.x et 3.2.x en langue française !
Try the best French phpBB packs !
Testez phpBB 3.2.x

User avatar
Mick
Support Team Member
Support Team Member
Posts: 21681
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: ACP and mod_security

Post by Mick » Thu Nov 07, 2019 11:23 am

Hundreds of web hosts use mod_security successfully, if you search here there are many topics on the subject. Your sysop or host needs to do a little research and find you a solution. You, as admin, have the phpBB credentials to enter the ACP, which is phpBB security, all others are excluded so mod-security should look at that for starters.
"The more connected we get the more alone we become" - Kyle Broflovski

User avatar
EA117
Registered User
Posts: 1081
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: ACP and mod_security

Post by EA117 » Thu Nov 07, 2019 12:15 pm

Jester-fr wrote:
Thu Nov 07, 2019 9:56 am
... mod_security blocks the access to the ACP with a 403. Is there any solution to this ?
You may already realize this, but "mod_security" is not some kind of static "just need to write your application to be compatible with it" concept. It's more similar to a virus scanner, where every day (or at least periodically) there are updated definitions or "rules for what seems like it might be malicious" being obtained and applied to the web server configuration by your hosting provider, in order to be "up to date with latest threats."

Exceptions -- or writing these rules to be aware of applications which do intentionally perform a particular behavior even when something that isn't malicious is happening -- is part of what goes into creating these rules, and part of what gets adjusted about the rules when additional false-positive application scenarios are identified. And if someone doesn't have the technical know-how to fix the rule "on the spot" when a false positive occurs, disabling the rule to work around the false positive is the alternative.

e.g. We've seen a rule before where a rule became published which declared "having the http:// prefix anywhere in submitted form data" was considered a possible exploit. Which indeed, as part of an intentionally malicious scenario, can be true. But the rule already contained a number of known exceptions, where the rule acknowledged well-known applications that were doing this for reasons which weren't actually malicious. By selectively skipping the rule when a particular known applications were receiving the post with specific known field names.

And the rule even already had phpBB in that list of exceptions and known situations --- but the fact that phpBB also contained custom profile fields with names that couldn't be predicted in advance was still an issue, because the current rule definition hadn't yet taken this "ucp.php might also have this in other fields" condition into account when defining "what phpBB is doing isn't malicious."

I'm not saying that's the specific rule you're hitting; it's just an example of a past scenario where "either the rule needs to be updated with an additional known application exception where the action isn't malicious" to account for additional scenarios the rule hadn't covered; or to work around the issue "this specific mod_security rule needs to be disabled" on your site until the rule can be fixed.

Only your web server log can confirm which specific mod_security rule is currently causing the 403 in your specific case right now, and could confirm what exactly that rule is specifically reacting to. "What can be done about it" depends on your hosting service, and whether they've given you the power to disable certain mod_security rules when necessary from your hosting control panel, versus whether they have the technical ability themselves to understand how to fix the rules, versus whether they're willing to report and work on the issue with whomever is the source of their periodically updated mod_security rules.

User avatar
KevC
Support Team Member
Support Team Member
Posts: 69430
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: ACP and mod_security

Post by KevC » Thu Nov 07, 2019 12:58 pm

phpBB is not generating 'false positives'.
Your host just need to whitelist the things that the forum wants and needs to have access to. They need to set up mod_security correctly.
-:|:- Support Request Template -:|:-
Image
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"

User avatar
WelshPaul
Registered User
Posts: 353
Joined: Tue Aug 19, 2014 2:09 pm

Re: ACP and mod_security

Post by WelshPaul » Thu Nov 07, 2019 1:21 pm

KevC wrote:
Thu Nov 07, 2019 12:58 pm
phpBB is not generating 'false positives'.
Your host just need to whitelist the things that the forum wants and needs to have access to. They need to set up mod_security correctly.
^^^^THIS

I use mod_security on my Centos 7 server that runs phpBB. You need to find what rule is being triggered and whitelist it server side. However there will be many, many, many other rules trigged over time and you will need to whitelist (some or all) these as they become known. knowing which are safe to whitelist and which rules were trigged correctly in order to prevent an attack is absolutely paramount!

User avatar
Jester-fr
Registered User
Posts: 160
Joined: Sun May 27, 2007 9:52 am
Location: South of France
Contact:

Re: ACP and mod_security

Post by Jester-fr » Thu Nov 07, 2019 2:33 pm

Thanks !
phpBB-fr.com, the phpBB French Support Community since 2000 !
Passez votre forum phpBB 3.0.x, 3.1.x et 3.2.x en langue française !
Try the best French phpBB packs !
Testez phpBB 3.2.x

sakm
Registered User
Posts: 545
Joined: Sun Jan 21, 2007 8:14 pm
Location: Hull, uk
Name: Stu
Contact:

Re: ACP and mod_security

Post by sakm » Thu Nov 07, 2019 4:08 pm

If you have a cPanel account you should have mod security showing in there

User avatar
Jester-fr
Registered User
Posts: 160
Joined: Sun May 27, 2007 9:52 am
Location: South of France
Contact:

Re: ACP and mod_security

Post by Jester-fr » Thu Nov 07, 2019 5:53 pm

Yep. But I'm not the guy having access to cpanel :D
phpBB-fr.com, the phpBB French Support Community since 2000 !
Passez votre forum phpBB 3.0.x, 3.1.x et 3.2.x en langue française !
Try the best French phpBB packs !
Testez phpBB 3.2.x

User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 3356
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: ACP and mod_security

Post by thecoalman » Fri Nov 08, 2019 12:30 pm

Jester-fr wrote:
Thu Nov 07, 2019 11:03 am
We cannot change it.

But it's no the host which cause problems, it's mod_security. If the host make a exception for the false positives, what if of the host security ?
mod_security is just a frontend for rule sets, the rule set can come from many sources. I'm using the OWASP ruleset provided through WHM/Cpanel without any issues. Note that you can choose different rules sets, if it's WHM/Cpanel that doesn't necessarily mean it's the same rule set I'm using.

A rule set may contain thousands of rules... False positives will happen, they can disable the single rule causing the problem. -OR- ask them what rule is being triggered so you can pursue it from there.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison

User avatar
Mick
Support Team Member
Support Team Member
Posts: 21681
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: ACP and mod_security

Post by Mick » Fri Nov 08, 2019 2:39 pm

Jester-fr wrote:
Thu Nov 07, 2019 11:03 am
But it's no the host which cause problems, it's mod_security
Which is down to the host especially if you can’t get at the settings.
"The more connected we get the more alone we become" - Kyle Broflovski

User avatar
Jester-fr
Registered User
Posts: 160
Joined: Sun May 27, 2007 9:52 am
Location: South of France
Contact:

Re: ACP and mod_security

Post by Jester-fr » Fri Nov 08, 2019 7:56 pm

Thanks for your answers. ;)
phpBB-fr.com, the phpBB French Support Community since 2000 !
Passez votre forum phpBB 3.0.x, 3.1.x et 3.2.x en langue française !
Try the best French phpBB packs !
Testez phpBB 3.2.x

Post Reply

Return to “[3.2.x] Support Forum”