mitchellkrogza / nginx-ultimate-bad-bot-blocker

Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders

[INSTALLATION] (13: Permission denied - globalblacklist.conf issue) #477

Open superunknowndude opened 2 years ago

superunknowndude commented 2 years ago

Did you look through existing ISSUES ?

Yes

Describe the problem you are experiencing

Nginx error logs are flooded with the same permission denied error from the BadBotBlocker install.

Error Messages

Post any error messages (if applicable):


2022/06/21 08:00:05 [emerg] 639302#639302: open() "/etc/nginx/conf.d/globalblacklist.conf" failed (13: Permission denied) in /etc/nginx/nginx.conf:91

Copy of nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
load_module /etc/nginx/modules/ngx_http_immutable_module.so;
load_module /etc/nginx/modules/ngx_http_length_hiding_filter_module.so;
load_module /etc/nginx/modules/ngx_http_security_headers_module.so;
load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;
        security_headers on;

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        log_format  main_ext  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$host" sn="$server_name" '
                      'rt=$request_time '
                      'ua="$upstream_addr" us="$upstream_status" '
                      'ut="$upstream_response_time" ul="$upstream_response_length" '
                      'cs=$upstream_cache_status' ;

        access_log /var/log/nginx/access.log main_ext;
        error_log /var/log/nginx/error.log warn;

        ##
        # Brotli Settings
        ##

        brotli on;
        brotli_comp_level 6;
        brotli_static on;
        brotli_types application/atom+xml application/javascript application/json application/rss+xml
             application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
             application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
             font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
             image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

        ##
        # Gzip Settings
        ##

        # gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

        ##
        # Nginx Bad Bot Blocker Includes
        # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
        ##

        #include /etc/nginx/bots.d/ddos.conf; 
        #include /etc/nginx/bots.d/blockbots.conf;
}

Copy of vhost / website / host .conf file

If applicable please paste your site/vhost configuration file in between the code ticks (paste in between the markers)


Paste site config here

Screenshots

If applicable, add screenshots to help explain your problem.

Server (please complete the following information):


Linux raspberrypi 5.15.48-v8+ #1563 SMP PREEMPT Fri Jun 17 19:14:40 BST 2022 aarch64 GNU/Linux

nginx version: nginx/1.20.2
built with OpenSSL 3.0.3 3 May 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-3h9FET/nginx-1.20.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_geoip_module=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-headers-more-filter --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-cache-purge --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-ndk --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-fancyindex --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-geoip2 --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/nchan --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-lua --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/rtmp --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-uploadprogress --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-3h9FET/nginx-1.20.2/debian/modules/http-subs-filter

Paste any log / error messages here (paste in between the ```     ``` markers)

Additional information

I have the:

    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##

    #include /etc/nginx/bots.d/ddos.conf; 
    #include /etc/nginx/bots.d/blockbots.conf;

included in the sites-available configs that require it. There doesn't seem to be any problem there. It's the conf.d folder that doesn't want to play nice. If I change the permissions of the folder, nginx doesn't have a problem with it. But as soon as the cronjob runs, it resets the globalblacklist config to read only for root and then the permission denied error comes back.

How do I fix this?

mitchellkrogza commented 2 years ago

Move the files from the blocker to a new folder of your choice, for example /etc/nginx/botblocker.d/, set permissions on that folder as you require, then include that location in your nginx.conf.

superunknowndude commented 2 years ago

This seems to have survived the restart/reload of nginx. The cronjob is about to run in an hour. That'll be the real test. I'll update later today. Thanks.

superunknowndude commented 2 years ago

2022/06/28 06:14:03 [warn] 1225970#1225970: duplicate network "138.199.57.151", value: "0", old value: "1" in /etc/nginx/conf.d/globalblacklist.conf:18699
2022/06/28 06:14:03 [warn] 1225970#1225970: duplicate network "143.244.38.129", value: "0", old value: "1" in /etc/nginx/conf.d/globalblacklist.conf:18715
2022/06/28 06:14:03 [warn] 1225970#1225970: duplicate network "195.181.163.194", value: "0", old value: "1" in /etc/nginx/conf.d/globalblacklist.conf:18810
2022/06/28 06:14:03 [warn] 1225970#1225970: duplicate network "5.188.120.15", value: "0", old value: "1" in /etc/nginx/conf.d/globalblacklist.conf:18937
2022/06/28 06:14:03 [warn] 1225970#1225970: duplicate network "89.187.173.66", value: "0", old value: "1" in /etc/nginx/conf.d/globalblacklist.conf:18984
2022/06/28 06:14:03 [emerg] 1225970#1225970: "server_names_hash_bucket_size" directive is duplicate in /etc/nginx/botblocker.d/botblocker-nginx-settings.conf:16
2022/06/28 06:15:47 [warn] 688#688: duplicate network "138.199.57.151", value: "0", old value: "1" in /etc/nginx/conf.d/globalblacklist.conf:18699
2022/06/28 06:15:47 [warn] 688#688: duplicate network "143.244.38.129", value: "0", old value: "1" in /etc/nginx/conf.d/globalblacklist.conf:18715
2022/06/28 06:15:47 [warn] 688#688: duplicate network "195.181.163.194", value: "0", old value: "1" in /etc/nginx/conf.d/globalblacklist.conf:18810
2022/06/28 06:15:47 [warn] 688#688: duplicate network "5.188.120.15", value: "0", old value: "1" in /etc/nginx/conf.d/globalblacklist.conf:18937
2022/06/28 06:15:47 [warn] 688#688: duplicate network "89.187.173.66", value: "0", old value: "1" in /etc/nginx/conf.d/globalblacklist.conf:18984
2022/06/28 06:15:47 [emerg] 688#688: "server_names_hash_bucket_size" directive is duplicate in /etc/nginx/botblocker.d/botblocker-nginx-settings.conf:16

It didn't work. I got a whole slew of new errors. I don't know what to do about this one.

Edit: Found the issue... the cron (or something) is reinstalling a copy of globalblacklist and botblocker-nginx conf files back into the /conf.d/ folder automatically. How do I make this stop?
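As an added example (not from the issue thread and not part of the blocker project), the POSIX shell script below pre-checks the two failure modes discussed in this thread before `nginx -t` is run: the maintainer's suggestion to move the blocker files into a directory such as /etc/nginx/botblocker.d/ with suitable permissions, and the "directive is duplicate" errors that appear when a scheduled job re-installs copies of globalblacklist.conf and botblocker-nginx-settings.conf into conf.d/ as well. It walks the `include` directives of an nginx.conf, expands the globs, flags included files that the named account could not open, and flags the same file name included from two directories. The account name `www-data`, the fixture tree, its file contents, the function names and the `--demo` switch are constructed for this demonstration.

```sh
#!/bin/sh
# Added example, not part of the issue thread or of the bad-bot-blocker project:
# a pre-flight check for nginx include files. It walks the `include` directives of
# an nginx.conf, expands globs, and reports the two conditions seen in this thread:
#   1. an included file the given account cannot open (e.g. a root-only 0600 copy
#      written back into conf.d/ by a scheduled job), which nginx reports as
#      "open() ... failed (13: Permission denied)";
#   2. the same file name included from two directories (conf.d/ and botblocker.d/),
#      which ends in "... directive is duplicate" for settings such as
#      server_names_hash_bucket_size.
# The account name, paths and fixture contents below are constructed for the demo.

# Print every existing file matched by the include directives in $1, one per line.
# Relative paths are resolved against $2 (default: the directory of $1, which is
# what nginx uses as its conf prefix). Only the top-level file is scanned.
nginx_includes() {
    conf="$1"
    prefix="${2:-$(dirname "$conf")}"
    sed -e 's/#.*$//' "$conf" \
      | awk '$1 == "include" { sub(/;.*$/, "", $2); print $2 }' \
      | while IFS= read -r pat; do
            case "$pat" in
                /*) ;;
                *)  pat="$prefix/$pat" ;;
            esac
            for f in $pat; do           # unquoted on purpose: expand the glob
                if [ -e "$f" ]; then printf '%s\n' "$f"; fi
            done
        done
}

# Report included files that account $2 could not open. A file passes if it is
# owned by $2 or carries the world-read bit; group-only access is deliberately
# treated as a failure so the check errs on the side of reporting.
# Prints one "UNREADABLE <path> ..." line per offender and returns 1 if any.
check_readable() {
    conf="$1"; account="$2"; rc=0
    for f in $(nginx_includes "$conf"); do
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        if [ "$owner" != "$account" ] && [ -z "$(find "$f" -prune -perm -004)" ]; then
            echo "UNREADABLE $f (owner $owner, mode $(ls -ld "$f" | awk '{ print $1 }'))"
            rc=1
        fi
    done
    return $rc
}

# Report file names that are included from more than one directory.
# Prints "DUPLICATE <name>: <path> <path>..." and returns 1 if any were found.
check_duplicates() {
    nginx_includes "$1" \
      | awk -F/ '{ name = $NF; paths[name] = paths[name] " " $0; n[name]++ }
                 END { rc = 0
                       for (k in n) if (n[k] > 1) { print "DUPLICATE " k ":" paths[k]; rc = 1 }
                       exit rc }'
}

# Build a constructed fixture mirroring the thread: the blocker files moved to
# botblocker.d/, plus a stray root-only copy of globalblacklist.conf in conf.d/.
# Prints the fixture directory.
demo_fixture() {
    d=$(mktemp -d)
    mkdir "$d/conf.d" "$d/botblocker.d"
    cat > "$d/nginx.conf" <<EOF
user www-data;
http {
    include mime.types;
    include $d/conf.d/*.conf;
    include $d/botblocker.d/*.conf;
}
EOF
    printf 'types { text/html html; }\n' > "$d/mime.types"
    printf 'geo $bad_bot_ip { default 0; }\n' > "$d/conf.d/globalblacklist.conf"
    printf 'geo $bad_bot_ip { default 0; }\n' > "$d/botblocker.d/globalblacklist.conf"
    printf 'server_names_hash_bucket_size 128;\n' > "$d/botblocker.d/botblocker-nginx-settings.conf"
    chmod 644 "$d/mime.types" "$d/botblocker.d"/*.conf
    chmod 600 "$d/conf.d/globalblacklist.conf"   # the stray copy re-installed by cron
    echo "$d"
}

# Usage on a real host, run as the account the scheduled job or `nginx -t` uses:
#   . ./nginx_include_check.sh
#   check_readable /etc/nginx/nginx.conf www-data && check_duplicates /etc/nginx/nginx.conf && nginx -t
# Run with --demo to see both findings against the constructed fixture.
if [ "${1-}" = "--demo" ]; then
    d=$(demo_fixture)
    check_readable "$d/nginx.conf" www-data
    check_duplicates "$d/nginx.conf"
    rm -r "$d"
fi
```

Against the fixture the readability check names only the 0600 copy in conf.d/ and the duplicate check pairs the two globalblacklist.conf paths; deleting the stray copy clears both findings, which is the state the maintainer's advice aims for. On a real host the interesting account is whichever one actually opens the files (the user a cron job runs as, or the user invoking `nginx -t`), and the script deliberately only inspects permission bits so that running it as root still shows what a less privileged account would hit.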

Danrancan commented 1 year ago

I'm having a similar issue on Ubuntu 20.04 for Raspberry Pi 4.

open() "/etc/nginx/conf.d/botblocker-nginx-settings.conf" failed (13: Permission denied) in /etc/nginx/nginx.conf:191

Did you figure this out? If not, can someone help?

itoffshore commented 1 year ago

@Danrancan - permission denied errors - are because you are not:

  • running commands as root [ or with sudo]

  • running the scripts as a cron job from a root crontab

Danrancan commented 1 year ago

@Danrancan - permission denied errors - are because you are not:

  • running commands as root [ or with sudo]

  • running the scripts as a cron job from a root crontab

But I am running it in the sudo crontab. Note, this started happening after I did a distribution upgrade from Ubuntu 20.04 to Ubuntu 22.04. Since then I have reverted to Ubuntu 20.04 again because Ubuntu 22.04 broke things on my server. So I can't go back and test what was causing this on my server after upgrading.