Question on "ModSecurity: Access denied with code 406 (phase 1)"

[Jeffro_Home]

I've just recently posted this in Chirpy's modsecurity forum, but I thought I would try here as well.

For the past 4 days, about every hour (or less), from a different offending domain, I am receiving this email from my server:

Code:

Time:     Wed May 19 12:15:58 2010 -0400
IP:       208.43.255.250 (208.43.255.250-static.reverse.softlayer.com)
Failures: 8 (mod_security)
Interval: 300 seconds
Blocked:  Yes

Log entries:

[Wed May 19 12:15:54 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOukMTZAoAAFQtS0kAAAAJ"] [Wed May 19 12:15:54 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOukMTZAoAAF8ZOfQAAAAN"] [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAF2vB8UAAAAF"] [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5usjAAAAAH"] [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5vs20AAAAK"] [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5wtKoAAAAO"] [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5ssCEAAAAD"] [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5tsNcAAAAG"]

I've searched on just about everything in the above log entry, and really haven't found anything.

Again, this has happened about 100 times in the past 3 days, each time it's a different domain/ip. My server seems ok, none of my customers have mentioned any issues, I just want to find out what this is, and if there's a way to stop it.

Thanks,

Jeff

[cPanelJamyn]

I've just recently posted this in Chirpy's modsecurity forum, but I thought I would try here as well.

For the past 4 days, about every hour (or less), from a different offending domain, I am receiving this email from my server:

Code:

Time:     Wed May 19 12:15:58 2010 -0400
IP:       208.43.255.250 (208.43.255.250-static.reverse.softlayer.com)
Failures: 8 (mod_security)
Interval: 300 seconds
Blocked:  Yes

Log entries:

[Wed May 19 12:15:54 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"]

The error indicates the request from that server was not a GET/POST/OPTIONS/HEAD request, which is unusual. It could be sending a TRACE, for example. If you enable more detailed logging (Ex setting SecAuditLogParts ABC for modsec2) you should get enough detail to see what's going on.