217220 COMODO WAF: Request Missing a Host Header

[Mark Donne]

Hi

Our WHM servers have updated their Comodo WAF rules overnight and we are now seeing the same issue on all of our servers:

2017-04-07 10:10:01 127.0.0.1 WARNING 200
Request:GET /whm-server-status
Action Description: Warning.
Justification: Operator EQ matched 0 at REQUEST_HEADERS.

This is being caused by this updated rule which is comes from the 12_HTTP_Protocol:

id:217220,msg:'COMODO WAF: Request Missing a Host Header

I know we can simply disable this rule but is anyone else seeing this issue today? Is this something that cPanel can fix long term so that we can leave the rule enabled?

Thanks
Mark Donne

 

[BobHoliday]

Hi Mark,

Same here. I just whitelisted the rule using ConfigServer's ModSec Control.

I think it's some automated system polling the server status - which presumably fires off alerts if anything's amiss.

Watching this thread with interest to see if there's a better resolution that simple rule disable.

Regards,

BobH

 

[cPanelMichael]

Hello,

This will happen when someone manually browses to "WHM Home »Server Status »Apache Status" or if that page is accessed via a third-party application because the user-agent isn't supplied in the header.

Note that the messages you see are warnings so the requests are not actually blocked. Internal case CPANEL-1070 is open to track occurrences of this happening, and I've added a link to this thread to the case. However, there's currently no decision on if/when any changes will occur in the product that will supply the user-agent to the header.

You may also want to report this to the Comodo WAF vendor:

False-Positive report thread - Free Modsecurity rules - Comodo Web Application Firewall | Page 11

Thank you.

 

[BobHoliday]

I was seeing the same WARNING precisely every 5 minutes at the same second each time. 17:00:02, 17:05:02, 17:10:02 etc etc.

As soon as I added the whitelisting of the rule to CMC's global whitelist it stopped.

To the person who posted in this thread but then thought better of it and deleted their post, posting about rule ID 217250 - I also had to whitelist that rule for one of my accounts.

Also had issues with rule 217270 which I added along with 217220 in the global CMC whitelist but that worked for me - I didn't have to do it in every user's individual whitelists. Perhaps when you added it to the global whitelist you didn't restart apache subsequently... my setup does this automatically when I save any changes but perhaps yours doesn't?

 

[Metro2]

Thanks @BobHoliday

When upcp / updates ran at 3:30am, BOTH the 217250 issue (blocking users from logging into PHP scripts, 403) and the 217220 issue being discussed in this thread started happening on my servers at the same time.

I put both rules in CMC's Global Whitelist, but it's not working. I'm having to put them in CMC's per account / per domain whitelists.

While there's never a good time for something like this, this is extremely bad timing for me and I'm on overload At least some consolation knowing that I'm not the only one.

 

[Metro2]

@BobHoliday - sorry, my posts are all over the map. Fatigue. You know how that goes. I thought the same thing as you RE: apache restart - my CMC setup, like yours, automatically restarts it, but when I saw that it didn't work I manually restarted Apache and still no joy.

 

[fuzzylogic]

I put both rules in CMC's Global Whitelist, but it's not working. I'm having to put them in CMC's per account / per domain whitelists

May I suggest that you inadvertently pasted the IDs with a trailing space?
Save will fail silently in this case and Apache will be restarted.

 

[Metro2]

May I suggest that you inadvertently pasted the IDs with a trailing space?
Save will fail silently in this case and Apache will be restarted.

Thank you, but no that's not the case. Been many years since I've run into that since I always paste into notepad first and check for spaces (if I'm copying and pasting). One of those things where, once you get bit you never do it again

In this case, like I said in my original post - if I add the riles to CMC in the Per Account or Per Domain sections it works, but just not in CMC's Global section.