#19889 Upload to Remote FTP server and 406 error

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by on Friday, 20 June 2014 18:00 CDT

easytherm
EXTREMELY IMPORTANT: Please attach a ZIP file containing your Akeeba Backup log file in order for us to help you with any backup or restoration issue. If the file is over 2Mb, please upload it on your server and post a link to it.

Description of my issue:

Hello, I just upgraded to Akeeba Backup Pro, in order to automate the transfer of my site's backup to my home's FTP NAS. The whole process seems to run fine.

I need some advice from you. I first describe my steps and my questions are at the end.

Configuration steps
At first I tested the FTP setting in Akeeba's configuration and got the following error:
***********
AJAX Error
An error has occurred while waiting for an AJAX response:
AJAX Loading Error
HTTP Status: 406 (Not Acceptable)
Internal status: error
XHR ReadyState: 4
Raw server response:
***********

I found some help in your forum:
*****
Please contact your host and ask them to install the SSH2 PHP module. Please note that this module is different than the SSH server used to connect to your library. Your host should have no problem installing and activating this PHP module (it literally takes less than 5 minutes).
*****

I transferred this info to my host and got the following reply:

(I translate freely from French.) Write "SecFilterEngine Off" in your .htaccess file.

So I have written this command in the field "Custom .htaccess rules at the bottom of the file" of my Admin Tools .htaccess Maker.

Backup and upload to my FTP NAS works as expected. I'm very happy.

Now my questions:
1) I don't see the connection between the SSH2 PHP module and the "SecFilterEngine Off" command.
2) Is it safe to enable this command, and have I set it in the correct place (or should I set it in "Custom .htaccess rules at the top of the file")?

regards

Jacques

nicholas
Akeeba Staff
Manager
You are confusing two unrelated things.

The SSH2 PHP module has absolutely nothing to do with your problem or its solution. It is something only required for connecting to SFTP servers (Secure File Transfer Protocol – it is an SSH extension and has absolutely nothing to do with FTP).

Back to your problem.

The 406 you were getting was because of your FTP server's password. It contained special characters. Your host has the Apache firewall module called ModSecurity2 installed on their server. One of the rules they had added was being triggered by your FTP password and made your web server think that it's under attack by hackers (you!). This makes it reply with HTTP 406 Not Acceptable. 99 out of 100 times we have a client with a 406 the problem is mod_security2 and a complex password.

The "SecFilterEngine Off" line in .htaccess turns mod_security2 off. By doing that you are able to save the configuration which includes the complex password which was triggering the server protection. However this is a Really Bad Idea™ to live in your .htaccess. Once you have configured Akeeba Backup get rid of that line to restore the added protection to your site. When you want to make changes again to your site, add that line back to .htaccess.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

easytherm
Hi Nicholas,

I'm not sure I fully understand the problem.

The first password I had in the example above was quite complex with special characters and so on.

So if I follow you, this may tend to trigger a server protection reaction (I imagine you mean my web server, not my FTP server). With this "complex" password, backup works fine if "SecFilterEngine Off" is included in .htaccess, and produces an error if this command is not included in .htaccess.

So I tried to simplify the FTP password of my FTP server (a NAS on my home router). I put something as simple as a 3-digit number, for example "945".

When I test the FTP connection from within Akeeba Backup's Data processing engine configuration (set as "Upload to Remote FTP server"), I get the following reactions, depending on .htaccess and FTP password:

case 1) "SecFilterEngine Off" set in .htaccess and correct FTP password:
FTP Connection Test
Connection to remote FTP server was established successfully!

case 2) "SecFilterEngine Off" set in .htaccess and wrong FTP password:
FTP Connection Test
Could not connect to the remote FTP server.
Invalid username/password for the remote FTP server

case 3) "SecFilterEngine Off" not set in .htaccess and correct FTP password, or
case 4) "SecFilterEngine Off" not set in .htaccess and wrong FTP password:
AJAX Error
An error has occurred while waiting for an AJAX response:
AJAX Loading Error
HTTP Status: 406 (Not Acceptable)
Internal status: error
XHR ReadyState: 4
Raw server response:
Not Acceptable
An appropriate representation of the requested resource /administrator/index.php could not be found on this server.
Apache Server at gvmp.aero Port 80
Again, I'm not sure what you mean by: The "SecFilterEngine Off" line in .htaccess turns mod_security2 off. By doing that you are able to save the configuration which includes the complex password which was triggering the server protection. In fact I'm able to save .htaccess as well as Akeeba Backup's configuration with or without "SecFilterEngine Off" being present in .htaccess Maker...

I'm well aware that disabling the security in .htaccess is not a very good idea.

Where can I start from?

Jacques

nicholas
Akeeba Staff
Manager
Apparently your server's mod_security2 configuration is completely FUBAR. When you click on the "Test FTP connection" the following information is sent to the server (and can potentially trigger mod_security2 protection):
  • FTP hostname
  • FTP username
  • FTP password
  • FTP initial directory

The only two things that can possibly trigger a mod_security2 rule are password and initial directory. Apparently your host's mod_security2 configuration forbids anything which looks like a path as a query string parameter.

> backup works fine if "SecFilterEngine Off" is included in .htacces, and produces an error in this command is not included in .htaccess.

Now, this makes absolutely no sense. During the backup (NOT the configuration on the backup!!!!!!!) we DO NOT send any information from the browser to the server except the backup start. At this time we send the following information:
  • Backup profile number
  • Backup description
  • Backup comment
  • ANGIE password
  • JPS password (if you're using JPS archives)
If backing up (not just configuring Akeeba Backup) fails without the "SecFilterEngine Off" line in your .htaccess then something you've put in one of the fields in the Backup Now page is triggering mod_security2.

> Where can I start from?

That's the million dollar question :) You can't start from anything, as you do not have control over your mod_security2 configuration (bummer). The only thing you could do, you've already done: ask your host for help. And they gave you the suicidal answer, asking you to disable mod_security2. And let me explain why your host's support is being a bunch of douches.

Your host installed mod_security2 and applied a VERY restrictive configuration (which I'd call "overkill") for security reasons. They are not willing to relax some of its restrictions to let your site run a backup. But they ask you to completely disable the security measures as an alternative, which completely counters the premise of having mod_security2 installed for security reasons! It's absurd. Imagine sitting in someone's car and being obliged to wear a seatbelt for security reasons. The seatbelt is a little high, choking you, so you ask them to please lower it a bit to protect you without choking you. They refuse to do that and ask you to take off the seatbelt. In which possible universe is this responsible security policy?!

Please go back to your host and explain to them that they really need to take a look at their mod_security2 rules. If they look at their log they'll find out which rule is preventing your Akeeba Backup configuration from being saved and they can modify it a bit – or remove it. Asking hosting clients to turn off security is not a solution and completely opposes the premise of trying to run a moderately secure server environment.

Nicholas K. Dionysopoulos

Lead Developer and Director
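As an added example of the "look at their log" step above (this is not code from the ticket, from Akeeba or from the host), the script below parses ModSecurity 2.x "Access denied" lines from the Apache error log, counts which rule id and request variable produced the 406 for /administrator/index.php, and emits a per-path SecRuleRemoveById exception the host could put in the server configuration instead of switching the engine off for the whole site. The log lines and the 9991xx rule ids are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache/ModSecurity 2.x error-log format.
# They are NOT real entries from the ticket; rule ids 9991xx are placeholders.
SAMPLE_LOG = r'''
[Thu Apr 24 06:39:00 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^/" at ARGS:directory. [file "/etc/modsecurity/crs/40_generic_attacks.conf"] [line "59"] [id "999101"] [msg "Constructed: path-like value in argument"] [hostname "gvmp.aero"] [uri "/administrator/index.php"] [unique_id "c0nstructed1"]
[Thu Apr 24 06:39:02 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). Pattern match "['\";]" at ARGS:password. [file "/etc/modsecurity/crs/41_sql_injection.conf"] [line "12"] [id "999102"] [msg "Constructed: quote characters in argument"] [hostname "gvmp.aero"] [uri "/administrator/index.php"] [unique_id "c0nstructed2"]
[Thu Apr 24 06:40:10 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^/" at ARGS:directory. [file "/etc/modsecurity/crs/40_generic_attacks.conf"] [line "59"] [id "999101"] [msg "Constructed: path-like value in argument"] [hostname "gvmp.aero"] [uri "/administrator/index.php"] [unique_id "c0nstructed3"]
[Thu Apr 24 07:15:44 2014] [error] [client 198.51.100.9] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^/" at ARGS:q. [file "/etc/modsecurity/crs/40_generic_attacks.conf"] [line "59"] [id "999101"] [msg "Constructed: path-like value in argument"] [hostname "gvmp.aero"] [uri "/index.php"] [unique_id "c0nstructed4"]
'''

# One regex per field; each is matched independently so the free-form
# "Pattern match" text cannot confuse the extraction.
FIELD_RE = {
    "code": re.compile(r'Access denied with code (\d+)'),
    "var":  re.compile(r' at ([A-Z_]+(?::[^.\s]+)?)\. \[file'),
    "id":   re.compile(r'\[id "(\d+)"\]'),
    "uri":  re.compile(r'\[uri "([^"]+)"\]'),
}


def parse_denials(log_text):
    """Return one dict (code, var, id, uri) per fully attributable denial line."""
    denials = []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        fields = {}
        for name, rx in FIELD_RE.items():
            m = rx.search(line)
            if not m:  # skip lines we cannot tie to a rule id / URI
                break
            fields[name] = m.group(1)
        else:
            denials.append(fields)
    return denials


def blocked_by_rule(denials, uri, code="406"):
    """Count (rule id, variable) pairs that produced `code` for exactly one URI."""
    return Counter((d["id"], d["var"]) for d in denials
                   if d["uri"] == uri and d["code"] == code)


def scoped_exception(rule_ids, uri):
    """Server-config snippet for the host: drop only the offending rules for one path."""
    body = "\n".join(f"    SecRuleRemoveById {rid}" for rid in sorted(rule_ids))
    return f'<LocationMatch "^{re.escape(uri)}$">\n{body}\n</LocationMatch>'


if __name__ == "__main__":
    hits = blocked_by_rule(parse_denials(SAMPLE_LOG), "/administrator/index.php")
    for (rid, var), n in hits.most_common():
        print(f"rule {rid} matched {var} {n}x")
    print(scoped_exception({rid for rid, _ in hits}, "/administrator/index.php"))
```

The unrelated hit on /index.php is deliberately left out of the exception, which is the point: relax the rule where the admin form legitimately sends a path and a password, not everywhere.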

easytherm
Hi Nicholas

I've reread your suggestion and rechecked my settings.

In fact, I need to put SecFilterEngine Off in .htaccess only for configuring FTP access with Akeeba Backup. When I remove this line, testing the FTP setting outputs an error, but the backup itself just works fine.

I've asked my host to check what's wrong during FTP configuration (sending them the info from your last post, Thursday, 24 April 2014 06:39 UTC). They will have a look.

In the meantime, if I understand you, with SecFilterEngine Off removed from .htaccess, and FTP backup working, I should be safe. Is that correct?

Regards, Jacques

nicholas
Akeeba Staff
Manager
> If I understand you, with SecFilterEngine Off removed from .htaccess, and ftp backup working, I should be safe. Is that correct?

Yes, exactly. You would only need to put this line back if you edit the Configuration of Akeeba Backup or if you try using the Site Transfer Wizard.

Nicholas K. Dionysopoulos

Lead Developer and Director

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
