TL;DR: Look at the error log, then at the rule that was violated.
Suddenly, I started to get 418 errors on one of my sites. I’d just get 418 from the source and as they say: that was that. Normally, I don’t even notice such errors, but this one broke a bunch of pages.
The 418 errors generally look like this:
[Thu Sep 06 04:07:00 2018] [error] [client xxx.xxx.xxx.xxx] ModSecurity: \
Access denied with code 418 (phase 1). \
Pattern match "^Mozilla/5.0 \\\\(Windows NT 6.1; WOW64; rv:40.0\\\\) \
Gecko/20100101 Firefox/40.1$" at REQUEST_HEADERS:User-Agent. \
[file "/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf"] \
[line "345"] [id "1990098"] [msg "Malicious Bot UA"] \
[hostname "my.site.com"] [uri "/wp-login.php"] [unique_id "..."]
This corresponds to a rule for mod_sec2. To fix it, go to the file referenced by the error, at the specific line, and see what it is all about. Most errors are legitimate.
In my original case, I had a 418 translating to basically access denied because I tried to access the /wp-login URI more than the allowed frequency because I mistyped the password several times. All I had to do was to stop trying and wait until the measured time had elapsed (60 seconds).
In summary, the process is:
- ssh onto the account to look at the logs
- Go to ~/logs/site/http and look at error.log
- Identify the 418 errors
- Look at the violated rule identified by the line components of the log entry
Main credit goes to Duncan Lock although the only thing I had to do to fix it was to just wait a few minutes.
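The steps above as a shell function, added here as an example and not part of the original post: it reads an Apache error log on stdin, keeps only ModSecurity denials with code 418, and counts them per rule (id, file:line, msg). The sample log lines are constructed; the second rule's id and path are placeholders, and the output layout is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original post): group ModSecurity 418 denials by rule.
# On the server: summarize_418 < ~/logs/site/http/error.log

# Constructed sample log lines: documentation IPs, shortened patterns.
# The rule with id 0000001 under /constructed/ is a made-up placeholder.
sample_log() {
cat <<'EOF'
[Thu Sep 06 04:07:00 2018] [error] [client 192.0.2.10] ModSecurity: Access denied with code 418 (phase 1). Pattern match "^ExampleUA$" at REQUEST_HEADERS:User-Agent. [file "/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf"] [line "345"] [id "1990098"] [msg "Malicious Bot UA"] [hostname "my.site.com"] [uri "/wp-login.php"] [unique_id "constructed-1"]
[Thu Sep 06 04:07:30 2018] [error] [client 192.0.2.11] ModSecurity: Access denied with code 418 (phase 1). Pattern match "^ExampleUA$" at REQUEST_HEADERS:User-Agent. [file "/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf"] [line "345"] [id "1990098"] [msg "Malicious Bot UA"] [hostname "my.site.com"] [uri "/wp-login.php"] [unique_id "constructed-2"]
[Thu Sep 06 04:08:00 2018] [error] [client 192.0.2.12] ModSecurity: Access denied with code 418 (phase 2). Operator GT matched 5 at IP:counter. [file "/constructed/rules.conf"] [line "1"] [id "0000001"] [msg "Constructed example rule"] [hostname "my.site.com"] [uri "/wp-login.php"] [unique_id "constructed-3"]
[Thu Sep 06 04:08:30 2018] [error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:q. [file "/constructed/rules.conf"] [line "2"] [id "0000002"] [msg "Constructed 403 rule"] [hostname "my.site.com"] [uri "/"] [unique_id "constructed-4"]
[Thu Sep 06 04:09:00 2018] [error] [client 192.0.2.13] File does not exist: /home/example/my.site.com/favicon.ico
EOF
}

# Reads an error log on stdin. Prints one line per violated rule:
#   count <TAB> rule id <TAB> rules file:line <TAB> msg
# sorted with the most frequently hit rule first.
summarize_418() {
    grep -F 'ModSecurity:' | grep -F 'Access denied with code 418' |
    awk '
    # Return the value of a [name "value"] field, or "-" if it is absent.
    function field(name,   pat, s) {
        pat = "\\[" name " \"[^\"]*\"\\]"
        if (!match($0, pat)) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub("^\\[" name " \"", "", s)
        sub("\"\\]$", "", s)
        return s
    }
    {
        key = field("id") "\t" field("file") ":" field("line") "\t" field("msg")
        hits[key]++
    }
    END { for (k in hits) printf "%d\t%s\n", hits[k], k }
    ' | sort -rn
}

# Demo run on the constructed sample.
sample_log | summarize_418
```

The file:line column is where to open the rules file to read the rule that fired, which is the last step of the list above.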