php files forbidden
Hello,
PHP files were working in my recent VestaCP server, but it was compromised and I reinstalled the OS.
I reinstalled everything, but trying to run php files results in the following error:
"Forbidden
You don't have permission to access <path> on this server.
Server unable to read htaccess file, denying access to be safe
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request"
HTML files in the same directory with the same permissions (755 or 644) work fine.
I can access the VestaCP
I can access phpmyadmin
The only thing I've done outside of the VestaCP defaults is to set up a server-prompted password for VestaCP, enabling dual-factor authentication, and I've blocked 8083 by default in the firewall settings, enabling a different port.
I've restarted nginx, vesta, and fail2ban.
I'm really stumped.
-
- Posts: 33
- Joined: Sat Jan 20, 2018 3:45 am
- Os: Debian 8x
- Web: apache + nginx
Re: php files forbidden
If your server has been compromised, you have to perform a cleaning before doing a backup and restoring to a new server. You just can't rely on an infected server anymore.
Try to follow steps in this page
viewtopic.php?f=10&t=16556&start=460#p69440
Hope this can help you.
Good luck!
Re: php files forbidden
yoko eagle wrote: ↑Wed Apr 11, 2018 6:44 pm
> If your server has been compromised, you have to perform a cleaning before doing a backup and restoring to a new server. You just can't rely on an infected server anymore.
> Try to follow steps in this page
> viewtopic.php?f=10&t=16556&start=460#p69440
> Hope this can help you.
> Good luck!
I entirely reinstalled the OS, and reset all the configurations from scratch. I did not do a server backup image. The only thing I kept from the old server was SQL databases and a handful of PHP files (no config files).
Are you saying that even after reinstalling the OS and not using the same passwords as the old infected OS, and not using the old server's backup files, that it can still be infected? How would that be?
Thanks for the help though. You had a useful guide to setting up a server-prompted password for dual-authentication.
Re: php files forbidden
oranjoose wrote: ↑Wed Apr 11, 2018 7:15 pm
> I entirely reinstalled the OS, and reset all the configurations from scratch. I did not do a server backup image. The only thing I kept from the old server was SQL databases and a handful of PHP files (no config files).
> Are you saying that even after reinstalling the OS and not using the same passwords as the old infected OS, and not using the old server's backup files, that it can still be infected? How would that be?
> Thanks for the help though. You had a useful guide to setting up a server-prompted password for dual-authentication.
If it is a new server with no content, it should be easier.
You still have to tighten the server with new security patches, change the vesta port, ssh port, dual login auth, etc. to make sure it does not get reinfected.
I suggest you try your php files in the public_html directory for testing purposes. Just do all tasks with the correct user. You can make sure by running chown and chmod on the files and directories.
Re: php files forbidden
yoko eagle wrote: ↑Wed Apr 11, 2018 9:11 pm
> oranjoose wrote: ↑Wed Apr 11, 2018 7:15 pm
> > I entirely reinstalled the OS, and reset all the configurations from scratch. I did not do a server backup image. The only thing I kept from the old server was SQL databases and a handful of PHP files (no config files).
> > Are you saying that even after reinstalling the OS and not using the same passwords as the old infected OS, and not using the old server's backup files, that it can still be infected? How would that be?
> > Thanks for the help though. You had a useful guide to setting up a server-prompted password for dual-authentication.
> If it is a new server with no content, it should be easier.
> You still have to tighten the server with new security patches, change the vesta port, ssh port, dual login auth, etc. to make sure it does not get reinfected.
> I suggest you try your php files in the public_html directory for testing purposes. Just do all tasks with the correct user. You can make sure by running chown and chmod on the files and directories.
Hi Yoko Eagle. I don't think I'm doing well to explain my problem. The issue I'm describing in this post has nothing to do with securing the server. I'm *only* trying to figure out why my php files in the public_html directory are getting a Forbidden error.
The php files are in public_html and everything has 755 or 644 permissions.
The html files in the same directory work fine from a web browser.
I can't find anything online about this problem. I'm only seeing solutions like "change permissions" (but they are correct permissions) or "your htaccess file is inaccessible or configured incorrectly" (but I'm using nginx, it is a bare install of vestacp, and I haven't done anything with htaccess). I'm totally confused by it.
Re: php files forbidden
@yoko eagle
I think I solved the problem. In your guide in a different thread (viewtopic.php?f=10&t=16556&start=460#p69463), you suggested putting the .htpasswd file in a subdirectory of .htaccess. I checked the error log for apache2, and it thinks that a folder named .htaccess is "not a regular file" and thus should be denied by the server.
Changing the name of the folder from ".htaccess" to something else fixed the php forbidden files problem, as well as maintaining the password dual-authentication from the .htpasswd file.
I'm not sure if your guide will break PHP public files for anyone else, but just a heads up.
Re: php files forbidden
oranjoose wrote: ↑Thu Apr 12, 2018 3:03 am
> @yoko eagle
> I think I solved the problem. In your guide in a different thread (viewtopic.php?f=10&t=16556&start=460#p69463), you suggested putting the .htpasswd file in a subdirectory of .htaccess. I checked the error log for apache2, and it thinks that a folder named .htaccess is "not a regular file" and thus should be denied by the server.
> Changing the name of the folder from ".htaccess" to something else fixed the php forbidden files problem, as well as maintaining the password dual-authentication from the .htpasswd file.
> I'm not sure if your guide will break PHP public files for anyone else, but just a heads up.
So far it works just fine on all my sites.
It's a good idea to always check your log files to figure out what problem you're in.
For your problem, it seems like an "incorrect file ownership" to me.
Just try to re-chown all of your working directories.
Assuming you use admin as user,
run this command:
chown -R admin:admin /path/to/directory
Re: php files forbidden
yoko eagle wrote: ↑Thu Apr 12, 2018 3:59 am
> oranjoose wrote: ↑Thu Apr 12, 2018 3:03 am
> > @yoko eagle
> > I think I solved the problem. In your guide in a different thread (viewtopic.php?f=10&t=16556&start=460#p69463), you suggested putting the .htpasswd file in a subdirectory of .htaccess. I checked the error log for apache2, and it thinks that a folder named .htaccess is "not a regular file" and thus should be denied by the server.
> > Changing the name of the folder from ".htaccess" to something else fixed the php forbidden files problem, as well as maintaining the password dual-authentication from the .htpasswd file.
> > I'm not sure if your guide will break PHP public files for anyone else, but just a heads up.
> So far it works just fine on all my sites.
> It's a good idea to always check your log files to figure out what problem you're in.
> For your problem, it seems like an "incorrect file ownership" to me.
> Just try to re-chown all of your working directories.
> Assuming you use admin as user,
> run this command:
> chown -R admin:admin /path/to/directory
Thank you so much. It worked :D
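
A check for the cause found in this thread, as an added example (not code from any poster or from VestaCP): where overrides are allowed, Apache looks for a `.htaccess` in each directory on the path to the requested file and denies the request when one exists but is not a regular, readable file. The hypothetical function `check_htaccess_chain` walks from a document root up to `/` and reports such entries; the readability test reflects the user running it, so run it as the web server user.

```sh
#!/bin/sh
# Added example: report .htaccess entries Apache would refuse to read
# while serving files below a given document root.

# check_htaccess_chain DIR
# Prints "<REASON> <path>" for each problem found.
# Returns 0 if clean, 1 if a problem was found, 2 if DIR does not exist.
# The body is a subshell so its variables stay local (POSIX, no "local").
check_htaccess_chain() (
    dir=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "NO_SUCH_DIR $1"
        return 2
    }
    found=0
    while :; do
        candidate="${dir%/}/.htaccess"
        # -L also catches a dangling symlink, which -e reports as absent.
        if [ -e "$candidate" ] || [ -L "$candidate" ]; then
            if [ ! -f "$candidate" ]; then
                # A directory, socket, device or dangling link: Apache logs
                # "not a regular file" and answers 403 for the whole subtree.
                echo "NOT_REGULAR_FILE $candidate"
                found=1
            elif [ ! -r "$candidate" ]; then
                echo "UNREADABLE $candidate"
                found=1
            fi
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return "$found"
)

# Stand-alone use: sh check_htaccess.sh /home/admin/web/example.com/public_html
# (the path above is a placeholder, not taken from the thread)
if [ "$#" -gt 0 ]; then
    check_htaccess_chain "$1"
fi
```

Keeping the `.htpasswd` file in a directory with any name other than `.htaccess`, as the poster did, clears the `NOT_REGULAR_FILE` finding without changing the password protection.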