Symptoms
- After activation of Atomic Professional ModSecurity at Tools & Settings > Web Application Firewall (ModSecurity), some clients cannot access websites:
Forbidden
You don't have permission to access /roundcube/index.php on this server.Failed to load resource: the server responded with a status of 403 (ModSecurity Action)
- Error in Chrome or Internet Explorer DeveloperTools:
PLESK_INFO: HTTP Error 403.0 – ModSecurity Action You do not have permission to view this directory or page
Failed to load resource: the server responded with a status of 403 (ModSecurity Action)
- Error in Event Viewer > Windows Logs > Application:
CONFIG_TEXT: Message: Access denied with code 403 (phase 1).
RBL lookup of 2.113.0.203.xbl.spamhaus.org succeeded at REMOTE_ADDR (Illegal 3rd party exploits). [line “51”] [id “350000”] [rev “2”] [severity “ERROR”] Action: Intercepted (phase 1) - Unable to issue SSL certificate with the following error in Plesk GUI:
PLESK_ERROR: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/12345. Details: Type: urn:ietf:params:acme:error:unauthorized Status: 403 Detail: During secondary validation: Invalid response from http://example.com/.well-known/acme-challenge/h9lLrpvgL9gsfgutUgerraF2aOas [203.0.113.2]: “[!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”]rn[html xmlns=“http”
And the following entry in %plesk_dir%adminlogsphp_error.log:
Access denied with code 403 (phase 1). RBL lookup of 130.229.222.34.xbl.spamhaus.org succeeded at REMOTE_ADDR (Illegal 3rd party exploits). [file "C:/Program Files (x86)/Plesk/ModSecurity/rules/tortix/modsec/00_asl_rbl.conf"] [line "51"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist (Report False Positives to www.spamhaus.org)"] [severity "ERROR"]
Cause
ModSecurity blocks access to the website from blacklisted IP address.
Resolution
In case this behavior is unwanted, disable the rule:
- Log in to Plesk server via RDP
- Find ID of the rule that blocks the website in Event Viewer > Windows Logs > Application ().
- Login to Plesk as admin user
- Navigate to the tab Tools & Settings > Web Application Firewall (ModSecurity) > General.
- Add the rule ID mentioned in the error message to Security rule IDs field and press OK: