24

On a server of mine, running Ubuntu 14.04.5 with Apache 2.4.23 and php-fpm 7.0.11, I'm getting random 403 errors.

I say "random" because the page I see in logs with 403 are running fine when I try them. Also, I experienced directly (I mean by visiting a site on the server with my browser) that I got a 403 error, then retried (just refreshing) and I got a 200.

The server is running some websites (about a dozen), with various kind of solutions (a couple of Wordpress, a few old spaghetti php apps, mostly modern apps based on Symfony framework).

I'd also be happy if someone can point me to some way to increase the verbosity of some logs, to try resolving this issue on myself. Currently I see the 403 errors in the apache logs of vhosts.

JazZ
  • 4,469
  • 2
  • 20
  • 40
Massimiliano Arione
  • 2,422
  • 19
  • 40
  • Hello, did you solved this ? I'm facing similar issues. Could you help please ? – JazZ Jul 29 '17 at 07:33
  • Is there anything common in the paths returning 403? A specific set of PHP scripts? Anything running on the server that modifies PHP file content or permissions? – Matt S Jul 30 '17 at 14:41
  • Can you share the apache and php-fpm logs? – Elvis Plesky Aug 01 '17 at 01:47
  • in **/etc/php(version)?/fpm/pool.d/www.conf** add/uncomment **catch_workers_output** , so allow PHPs stderr to go to php-fpm's error log instead of /dev/null . – jirarium Aug 01 '17 at 02:26
  • Are those coming from a specific framework/wordpress or randomly from all apps? – codelogn Aug 02 '17 at 20:05
  • @Code_O1logn, in my case, it happens on a Prestashop 1.6. No evasive mod activated. Other prestashop websites on the same server does not face this. Any idea ? – JazZ Aug 03 '17 at 20:32
  • This is something I'll have to fix as well which is happening on php 7.1 and I installed php as apache module. On few specific pages, randomly it threw php 7.1 exceptions but they disappeared on refresh. – codelogn Aug 03 '17 at 21:08
  • @Code_O1logn, The php version is set to 5.6.31 here. – JazZ Aug 07 '17 at 07:00
  • In my error_log, The error reported is `Directory Index Forbidden`. It seems that it randomly tries to display the directory index instead of the web page. – JazZ Aug 07 '17 at 07:55
  • Did you tried with curl, to request multiple time, and see what happened in logs? – M Rostami Aug 25 '17 at 11:10
  • In general *403* error comes if there is something wrong with your permissions, also can you paste your sites-enabled config file here, are you sure you have pointed out the *index.php* file in your config? – Harshit Chaudhary Jun 13 '18 at 06:50

1 Answers1

5

Is `mod_evasive' enabled ? To see please try

ls /etc/apache2/mods-enabled/ and if you see mod-evasive.load the apache module mod-evasive is enabled.

The goal of this module is to deny access with a 403 request when too many request come from the same pc(ip) or or when a lot of pages were viewed in a short amount of time. The ip is somewhat blocked for a certain period of time. Sometimes refreshing the page can fix the problem, but it is still annoying.

What you can do is

1)to disable it with a2dismod mod-evasive and service apache2 restart

or

2)Find the httpd.conf file and modify the different parameters. Increase the thresholds for mod_evasive to be less sensitive

modify the default value by something like:

<IfModule mod_dosevasive.c>

    DOSHashTableSize 3097

    DOSPageCount 5

    DOSSiteCount 100

    DOSPageInterval 1

    DOSSiteInterval 1

    DOSBlockingPeriod 2

</IfModule>

MODEV_DOSPageCount This is the threshhold for the number of requests for the same page (or URI) per page interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

MODEV_DOSPageInterval The interval for the page count threshhold; defaults to 1 second intervals.

etc... You can change them

All the parameters and best solutions are explained here

https://wiki.atomicorp.com/wiki/index.php/Mod_evasive

Michael GEDION
  • 879
  • 8
  • 16
  • Never used mod_evasive, this is the first time I heard of its existence – Massimiliano Arione Aug 03 '17 at 07:21
  • If anyone else finds this answer because of a recent Plesk issue, this does seem to be it. [Their solution](https://support.plesk.com/hc/en-us/articles/14861542533911-Plesk-websites-return-Apache-error-403-on-May-26-2023-client-denied-by-server-configuration): 1) SSH in. 2) `aum -uf ; yum -y remove mod_evasive ; aum -u`. 3) Tools & Settings > Web Application Firewall > Settings, switch to other ruleset, press Apply, switch back to initial ruleset and press Apply. – EpicVoyage Jun 25 '23 at 19:28