1

I am hosting with Apache 2.2.25, and my Error Log is in cPanel.

I get this error about 20/30 times an hour, the site seems to load fine without problems (as far as I can tell) but surely there is a problem as per the errors. What would your hunch be with this error?

Here are the errors:

[Mon Sep 09 12:56:20 2013] [error] [client 123.45.6.78] client denied by server configuration: /home/public_html/404.php
[Mon Sep 09 12:56:20 2013] [error] [client 123.45.6.78] client denied by server configuration: /home/public_html/blog/article

The bold line shows that the person with the IP address accessed a file (a blog article) but thereafter they seem to be shown a 404 page. The odd thing is that if I personally access the page that they looked at, it loads fine....

I guess my question is - if you have had this error, how did you fix it?

The suggested answers that were referred to suggest to change the syntax to this:

<Location />
Allow from all
Order Deny,Allow
</Location>

Would the above apply TO EVERY directory or location, i.e. I would remove 'files .htaccess' as in directly below?

<files .htaccess>
Order allow,deny
Deny from all
</files>


# Prevent hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?my-site.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

# 5G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\./|`|=\'$|=%27$) [NC,OR]
RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
RewriteRule .* - [F]
</IfModule>

# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
# SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
<limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</limit>
</IfModule>

# 5G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (https?|ftp|php)\://
RedirectMatch 403 /(https?|ima|ucp)/
RedirectMatch 403 /(Permanent|Better)$
RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
RedirectMatch 403 \.well\-known/host\-meta
RedirectMatch 403 /function\.array\-rand
RedirectMatch 403 \)\;\$\(this\)\.html\(
RedirectMatch 403 proc/self/environ
RedirectMatch 403 msnbot\.htm\)\.\_
RedirectMatch 403 /ref\.outcontrol
RedirectMatch 403 com\_cropimage
RedirectMatch 403 indonesia\.htm
RedirectMatch 403 \{\$itemURL\}
RedirectMatch 403 function\(\)
RedirectMatch 403 labels\.rdf
RedirectMatch 403 /playing.php
RedirectMatch 403 muieblackcat
</IfModule>

# 5G:[REQUEST METHOD]
<ifModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>

# 5G:[BAD IPS]
# <limit GET POST PUT>
# Order Allow,Deny
# Allow from all
# uncomment/edit/repeat next line to block IPs
# Deny from 123.456.789
# </limit>

ErrorDocument 400 http://www.my-site.com/404.php
ErrorDocument 401 http://www.my-site.com/404.php
ErrorDocument 403 http://www.my-site.com/404.php
ErrorDocument 404 http://www.my-site.com/404.php
ErrorDocument 500 http://www.my-site.com/404.php

Henry

1 Answer

0

First check your Apache version; Order allow,deny and Allow from all are not valid anymore with Apache 2.4.

To see which directives are applied in which order, check this documentation page; you will find that Location directives are applied after Files directives, so the Location / should not override the 403 of .htaccess access (but test it).

Then, you have a lot of security check rules, and even the 403 pages are redirected to 404.php. So chances are that the log lines with "configuration: /home/public_html/404.php [Mon Sep 09 12:56:20 2013] [error] [client 123.45.6.78] client denied by server configuration: /home/public_html/blog/article" are for requests matching any of your 5G rules (bots, forbidden URL parameters, forbidden request methods). You could add some more information to your logs to check that, but be careful of the tools used to read the logs after that (so that log injections are not activated).

Here is a list of things that can be added to the logs. You can add %m for the method, %H for the protocol, %q for the query arguments; as explained under the table, you can also add %!200,304,302{Referer}i for the referer but only for responses which are invalid, etc.

regilero
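An added example, not part of the original answer or of the 5G rule set: a Python sketch that replays a few of the question's 5G patterns against access-log lines carrying the fields the answer suggests (%m, %H, %q, plus %U and the User-Agent header), to show which rule a logged request would match. The log layout, the `diag` format name, the sample lines and the function names are assumptions constructed for illustration; values are escaped before display, in line with the answer's caution about log injection.

```python
import re

# Assumed access-log layout (constructed for this example):
#   LogFormat "%h %m %H \"%U\" \"%q\" \"%{User-Agent}i\"" diag
LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)" "((?:[^"\\]|\\.)*)"$')

# Subset of the 5G patterns quoted in the question: (label, field, regex, flags).
# [NC] and SetEnvIfNoCase are case-insensitive; RedirectMatch is case-sensitive.
RULES = [
    ("QUERY STRINGS: quote + keyword", "query",
     r"(\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if)", re.I),
    ("QUERY STRINGS: base64_encode|localhost|mosconfig", "query",
     r"(base64_encode|localhost|mosconfig)", re.I),
    ("USER AGENTS: keep_out", "agent",
     r"(binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver"
     r"|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit"
     r"|vikspider|zmeu)", re.I),
    ("REQUEST STRINGS: base64|crossdomain|localhost|wwwroot|e107_", "path",
     r"(base64|crossdomain|localhost|wwwroot|e107\_)", 0),
    ("REQUEST METHOD", "method", r"^(TRACE|TRACK)", 0),
]
LIMITED = {"GET", "HEAD", "POST", "PUT"}  # <limit GET POST PUT>; GET also covers HEAD


def safe(text):
    """Escape non-printable characters so a hostile log value cannot drive the terminal."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)


def matching_rules(line):
    """Return (client, [labels of matching rules]), or None if the line does not parse."""
    m = LINE.match(line)
    if m is None:
        return None
    host, method, _proto, path, query, agent = m.groups()
    fields = {"method": method, "path": path, "query": query.lstrip("?"), "agent": agent}
    hits = [label for label, field, rx, flags in RULES
            if re.search(rx, fields[field], flags)
            and (field != "agent" or method in LIMITED)]
    return safe(host), hits


# Constructed sample lines (documentation IP range, not taken from the page).
SAMPLE = [
    '203.0.113.7 GET HTTP/1.1 "/blog/article" "" "Jakarta Commons-HttpClient/3.1"',
    '203.0.113.8 GET HTTP/1.1 "/blog/article" "?q=rock\'n\'roll+for+all" "Mozilla/5.0"',
    '203.0.113.9 GET HTTP/1.1 "/blog/article" "" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(matching_rules(entry))
```

The second sample line is an ordinary search query that still matches, because the pattern only needs a quote followed anywhere by "or"; the same article requested with a plain browser and no query string matches nothing.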