ModSecurity 3 prevents ACP

Get help with installation and running phpBB 3.3.x here. Please do not post bug reports, feature requests, or extension related questions here.
Vauxi
Registered User
Posts: 20
Joined: Sat Apr 16, 2022 11:19 am

ModSecurity 3 prevents ACP

Post by Vauxi »

Hello. Yesterday I was using ACP and today I can not. Since 1 hour I've learned that I have ModSecurity on as default and it is blocking my acces to ACP. I've learned that I mght have ModSecurity 3 too on Apache.
Disabling Mod Security from Cpanel, ACP works as it should. I've seen posts here how to make changes. But It seems that those insctructions are for the version 2 and earlier. On top of that, those instructions to me are not far from klingon. I understand this stuff to some a degree.
In ModSecurity window at Cpanel. I can only turn whole thing off/on.

So. Where I can config Mod Security and how?
phpBB 3.3.8
Cpanel 110.024
Last edited by Mick on Sun Mar 03, 2024 11:25 am, edited 1 time in total.
Reason: Solved - server issue.
User avatar
Brf
Support Team Member
Support Team Member
Posts: 53607
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}

Re: ModSecurity 3 prevents ACP

Post by Brf »

It isn't mod_security itself. It is the rule it is following.
I would think your server errorlog would tell you which rule is tripping, so you can turn it off.
Vauxi
Registered User
Posts: 20
Joined: Sat Apr 16, 2022 11:19 am

Re: ModSecurity 3 prevents ACP

Post by Vauxi »

Errorlog in cpanel has latest errors on wordpress only. With that mod security looks like is affecting something too. I'll tackle on that later.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 6587
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: ModSecurity 3 prevents ACP

Post by thecoalman »

For shared hosting you can usually turn mod_security off in the hosting control panel but that fully turns it off. It should be temp solution until the host can disable the problematic rule. It's possible to disable specific rules using .htaccess but it has to be configured like that and I don't think many hosts have it configured that way.

If you are on VPS or dedicated server you should have full access to disable any rule you want.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Vauxi
Registered User
Posts: 20
Joined: Sat Apr 16, 2022 11:19 am

Re: ModSecurity 3 prevents ACP

Post by Vauxi »

Contacted the host. He said that I have almost all acces that he has. He can't see anything else that I can see according to modsecurity. I have to turn it off for now.
User avatar
Lumpy Burgertushie
Registered User
Posts: 69228
Joined: Mon May 02, 2005 3:11 am

Re: ModSecurity 3 prevents ACP

Post by Lumpy Burgertushie »

your host certainly should have access to turn off/change the rule set that mod security is using.
I suggest that you contact support again and ask for level two support. most of the time the support person that answers the phone
only know how to go to the user guide and if they can't find what you need there they usually just tell you it must be on your end.

luck,
robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
Vauxi
Registered User
Posts: 20
Joined: Sat Apr 16, 2022 11:19 am

Re: ModSecurity 3 prevents ACP

Post by Vauxi »

This time the host is just one guy who runs a very small hosting service.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 6587
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: ModSecurity 3 prevents ACP

Post by thecoalman »

If the "Host" does not have access to mod_security configuration then they aren't really a host. If I'm paying someone for shared hosting the expectation is they can deal with things out of my control like mod_security rule.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Vauxi
Registered User
Posts: 20
Joined: Sat Apr 16, 2022 11:19 am

Re: ModSecurity 3 prevents ACP

Post by Vauxi »

Weirdest thing is that should I see mod security files some where ? etc folder has folder in my account name and that is empty. I can not find apache folder anywhere?
User avatar
karado58
Registered User
Posts: 82
Joined: Wed Aug 17, 2005 4:06 pm

Re: ModSecurity 3 prevents ACP

Post by karado58 »

Same exact issue here!
Hosting support tried to push it on phpBB developers. After i mentioned the mod_security file entry being the possible cause, tone changed.
He's hesitantly submitting the issue to the shared hosting team, with the warning how all the users on the node would be effected by any changes to the file.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 6587
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: ModSecurity 3 prevents ACP

Post by thecoalman »

Vauxi wrote: Sun Mar 03, 2024 5:54 am Weirdest thing is that should I see mod security files some where ? etc folder has folder in my account name and that is empty. I can not find apache folder anywhere?
Apache is the web server software and mod_security is a module for Apache. Generally speaking unless you have root access to the server you won't have access to these files or configurations. Most hosting control panels only have the option to turn it on or off.

If anyone can provide the error which is usually in the php error log that would be helpful.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
ssl
Registered User
Posts: 2079
Joined: Sat Feb 08, 2020 2:15 pm
Location: Le Lude, Pays de la Loire - France
Name: Fred Rimbert

Re: ModSecurity 3 prevents ACP

Post by ssl »

Seen on the technical support of the PlanetHoster host, with cPanel they could not act on mod_security so they offered users to switch from cPanel to NOC.
PlanetHoster wrote:There is a blockage at the Modsec level and unfortunately we cannot deactivate individual rules for a specific hosting.

This functionality is reserved for N0C servers.
Sorry for my English ... I do my best! :anger_right:

:point_right_tone3: phpBB: 3.3.14 | PHP: 8.3.15
:point_right_tone4: [Kill spam on phpBB] - [Some French translation of extensions]
"Mistress, Mistress someone is bothering me in pm"
Vauxi
Registered User
Posts: 20
Joined: Sat Apr 16, 2022 11:19 am

Re: ModSecurity 3 prevents ACP

Post by Vauxi »

Nice.. So it goes off and stays off.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 6587
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: ModSecurity 3 prevents ACP

Post by thecoalman »

ssl wrote: Sun Mar 03, 2024 8:15 am Seen on the technical support of the PlanetHoster host, with cPanel they could not act on mod_security so they offered users to switch from cPanel to NOC.
Above Cpanel is the WHM panel and it takes about 10 seconds to remove the rule. In addition to that rules are scored so it could be multiple rules or if the scoring threshold was lowered it could trigger on minor issues. It's not that they can't change it, they probably don't want to.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
5hocK
Registered User
Posts: 3149
Joined: Wed Nov 23, 2011 7:00 pm
Location: UK

Re: ModSecurity 3 prevents ACP

Post by 5hocK »

thecoalman wrote: Sun Mar 03, 2024 2:18 pm and it takes about 10 seconds to remove the rule
Is there more than one rule? What rule has to be removed so I can tell my host.

Return to “[3.3.x] Support Forum”