mod_security rule [Id '-1'] triggered! ModSecurity: Access denied with code 403

While updating the contents in any of the CMS, I was getting 403 error on litespeed server.

Below are the Error log - (tail -f /usr/local/apache/logs/error_log | grep IP address )

2016-11-02 19:55:14.148 [NOTICE] [IP Address :HTTP2-1] mod_security rule [Id '-1'] triggered!
[Wed Nov 2 19:55:14 2016] [error] ModSecurity: Access denied with code 403,
[Rule: 'TX:0' '!@pmFromFile userdata_wl_content_type']
2016-11-02 19:55:14.148 [NOTICE] [IP Address:54100:HTTP2-1] Content len: 1276, Request line:
'PUT /ajax/api/static-pages/2 HTTP/1.1'
2016-11-02 19:55:14.148 [INFO] [IP Address49:54100:HTTP2-1] Cookie len: 36,
PHPSESSID=or0n7vj8be5vq5o61id69bgd45
2016-11-02 19:55:14.148 [NOTICE] [IP Address:54100:HTTP2-1] Redirect: #1,
URL: /index.php
2016-11-02 19:55:14.148 [INFO] [IP Address:54100:HTTP2-1] File not found
[/home/henrystb/public_html/403.shtml]

Solution :-

1. Find out the mod security rules which are triggered by checking apache error logs. You can also check the modsec audit logs.
Apache error logs - tail -f /usr/local/apache/logs/error_log | grep IP address
Mod security audit log location - /usr/local/apache/logs/modsec_audit.log

2. You can also check the rules which are being triggered from WHM >> Mod Security Tools.

3. Once you'll got the rule, white-list them from WHM >> ConfigServer ModSecurity Control. You can either globally white-list the rule or can white-list for particular user.

Globally white-listing the mod security rule - WHM >> ConfigServer ModSecurity Control >> ModSecurity rule ID list >> Enter the Rule ID >> Save Global whitelist.

White-listing the mod security rule for particular user - WHM >> ConfigServer ModSecurity Control >> Select the user from drop-down list >> Modify User whitelist >> ModSecurity rule ID list >> Save whitelist for all accessible domain.

4. If there is still error then please use debug tool in your web-browser, find out the HTTP header. HTTP Headers tell you the content type and white-list those contents type on server on below file -

You'll need to do below server wide changes -

cd /usr/local/apache
Put your Content-Type in whitelist here -
cat /etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/userdata_wl_content_type

Below are the some example header type for you reference -

application/x-www-form-urlencoded
multipart/form-data
text/xml
application/xml
application/x-amf
application/json
application/octet-stream
text/plain
json

5. Rebulit the 'httpdconf' file - /scripts/rebuildhttpdconf

6. Restart the 'litespeed' service - service lsws restart

Now, try to replicate the issue, it will be fixed. 

Note :- You can usually use Chome/Firefox developer tools to get the HTTP header ( right click on page >> Inspect Element).

Let me know if you've any thoughts

Was this answer helpful?

 Print this Article

Also Read

ERROR: Connection dropped by IMAP server. Query: SELECT "INBOX"

If you get the following error while trying to connect to your webmail client: ERROR: Connection...

Unable to perform operation. No free disk space.

I'm getting this error when I tried to send an email from webmail:Unable to perform operation....

How to setup SMTP port on Linux server using WHM?

By default SMTP outgoing server is configured for port 25. If you would like to allow exim to...

The mail server could not deliver mail to mailadress@gmail.com. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.

All of sudden emails are getting bounced with below bounce back messages on the cPanel server as...

The MySQL server is currently offline. Mysql::initcache() failed: The mysql server is offline.

I was getting below error while accessing MySQL Databases from cPanel though MySQL service was...

Powered by WHMCompleteSolution