217220 COMODO WAF: Request Missing a Host Header

Discussion in 'Security' started by Mark Donne, Apr 7, 2017.

  1. Mark Donne

    Hi

    Our WHM servers have updated their Comodo WAF rules overnight and we are now seeing the same issue on all of our servers:

    2017-04-07 10:10:01 127.0.0.1 WARNING 200
    Request:GET /whm-server-status
    Action Description: Warning.
    Justification: Operator EQ matched 0 at REQUEST_HEADERS.

    This is being caused by this updated rule which comes from the 12_HTTP_Protocol:

    id:217220,msg:'COMODO WAF: Request Missing a Host Header

    I know we can simply disable this rule but is anyone else seeing this issue today? Is this something that cPanel can fix long term so that we can leave the rule enabled?

    Thanks
    Mark Donne
     
    Metro2 likes this.
  2. BobHoliday

    Hi Mark,

    Same here. I just whitelisted the rule using ConfigServer's ModSec Control.

    I think it's some automated system polling the server status - which presumably fires off alerts if anything's amiss.

    Watching this thread with interest to see if there's a better resolution than a simple rule disable.

    Regards,

    BobH
     
    Metro2 likes this.
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This will happen when someone manually browses to "WHM Home » Server Status » Apache Status" or if that page is accessed via a third-party application because the user-agent isn't supplied in the header.

    Note that the messages you see are warnings so the requests are not actually blocked. Internal case CPANEL-1070 is open to track occurrences of this happening, and I've added a link to this thread to the case. However, there's currently no decision on if/when any changes will occur in the product that will supply the user-agent to the header.

    As a workaround, you could disable the rule or add an exclusion to that specific location using an Apache configuration entry such as this:

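    Code:
    <Location /whm-server-status>
        SetHandler server-status
        # Access control: deny everyone except loopback (see the Allow line below).
        Order deny,allow
        Deny from all
        # Turn the ModSecurity rule engine off for this location only.
        SecRuleEngine Off
        Allow from 127.0.0.1 ::1
    </Location>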
    Information on making custom changes to the Apache configuration is documented at:

    Advanced Apache Configuration - EasyApache 4 - cPanel Documentation

    You may also want to report this to the Comodo WAF vendor:

    False-Positive report thread - Free Modsecurity rules - Comodo Web Application Firewall | Page 11

    Thank you.
     
    linux4me2 likes this.
  4. BobHoliday

    I was seeing the same WARNING precisely every 5 minutes at the same second each time. 17:00:02, 17:05:02, 17:10:02 etc etc.

    As soon as I added the whitelisting of the rule to CMC's global whitelist it stopped.

    To the person who posted in this thread but then thought better of it and deleted their post, posting about rule ID 217250 - I also had to whitelist that rule for one of my accounts.

    Also had issues with rule 217270 which I added along with 217220 in the global CMC whitelist but that worked for me - I didn't have to do it in every user's individual whitelists. Perhaps when you added it to the global whitelist you didn't restart apache subsequently... my setup does this automatically when I save any changes but perhaps yours doesn't?
     
    Metro2 likes this.
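Added example, not part of any post in this thread and not cPanel or Comodo code: a triage of hit records in the four-line layout quoted in the first post, checking for the pattern described in posts 3 and 4 (loopback requests to /whm-server-status at a fixed interval) before rule 217220 is excluded. The sample records, the 203.0.113.9 address and the names `_rec`, `group_hits` and `classify` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

def _rec(ts, ip, path, status=200):
    """Build one constructed hit record in the layout quoted in post 1."""
    return (f"{ts} {ip} WARNING {status}\nRequest:GET {path}\n"
            "Action Description: Warning.\n"
            "Justification: Operator EQ matched 0 at REQUEST_HEADERS.\n")

# Constructed sample: a loopback poller every 5 minutes plus one remote hit.
SAMPLE = "".join([
    _rec("2017-04-07 10:00:01", "127.0.0.1", "/whm-server-status"),
    _rec("2017-04-07 10:05:01", "127.0.0.1", "/whm-server-status"),
    _rec("2017-04-07 10:07:44", "203.0.113.9", "/index.php", 404),
    _rec("2017-04-07 10:10:01", "127.0.0.1", "/whm-server-status"),
])

HIT = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) \w+ \d{3}\n"
                 r"Request:\S+ (\S+)", re.M)

def group_hits(text):
    """Map (source IP, request path) -> sorted list of hit timestamps."""
    groups = defaultdict(list)
    for ts, ip, path in HIT.findall(text):
        groups[(ip, path)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return {key: sorted(stamps) for key, stamps in groups.items()}

def classify(text, status_path="/whm-server-status"):
    """Label each group 'local-poller', 'local' or 'review' (non-loopback)."""
    labels = {}
    for (ip, path), stamps in group_hits(text).items():
        gaps = {(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])}
        periodic = len(stamps) >= 3 and len(gaps) == 1  # fixed interval
        if not ip_address(ip).is_loopback:
            labels[(ip, path)] = "review"        # a location exclusion won't cover it
        elif path == status_path and periodic:
            labels[(ip, path)] = "local-poller"  # the pattern posts 3 and 4 describe
        else:
            labels[(ip, path)] = "local"
    return labels

if __name__ == "__main__":
    for key, label in classify(SAMPLE).items():
        print(key, label)
```

Groups labelled `review` are the ones a global whitelist of 217220 would also silence, while an exclusion scoped to `/whm-server-status` leaves them visible.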
  5. Metro2

    Thanks @BobHoliday

    When upcp / updates ran at 3:30am, BOTH the 217250 issue (blocking users from logging into PHP scripts, 403) and the 217220 issue being discussed in this thread started happening on my servers at the same time.

    I put both rules in CMC's Global Whitelist, but it's not working. I'm having to put them in CMC's per account / per domain whitelists.

    While there's never a good time for something like this, this is extremely bad timing for me and I'm on overload :( At least some consolation knowing that I'm not the only one.
     
  6. Metro2

    @BobHoliday - sorry, my posts are all over the map. Fatigue. You know how that goes. I thought the same thing as you RE: apache restart - my CMC setup, like yours, automatically restarts it, but when I saw that it didn't work I manually restarted Apache and still no joy.
     
  7. fuzzylogic

    May I suggest that you inadvertently pasted the IDs with a trailing space?
    Save will fail silently in this case and Apache will be restarted.
     
  8. Metro2

    Thank you, but no that's not the case. Been many years since I've run into that since I always paste into notepad first and check for spaces (if I'm copying and pasting). One of those things where, once you get bit you never do it again ;)

    In this case, like I said in my original post - if I add the rules to CMC in the Per Account or Per Domain sections it works, but just not in CMC's Global section.
     