csf-lfd/mod_security blocked my gateway

santhosh_scs

Member
May 23, 2013
cPanel Access Level
Root Administrator
Hello
I have a WHM/cPanel server with CSF/LFD installed and mod_security enabled.
I used to log in to WHM/cPanel from one of my local Windows boxes through a Linux (CentOS 5) NAT gateway (with a public IP address). One day CSF/LFD on the server blocked my gateway from accessing it. The csf.deny entry shows as:

lfd: (mod_security) mod_security (id:1234123435) triggered by <gateway-public-ip> 5 in the last 300 secs - Fri May 16 17:44:09 2014.

This means some unwanted/incorrect access occurred from my PC to the server. How can I check what could have caused mod_security to block my PC? I know that I need to watch the outgoing traffic on my gateway, but the right log files/commands/any WHM options etc. is what I am looking for.

Santhosh
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

To confirm, are you sure the access attempts were not legitimate (e.g. some application on your computer that connects to your server)?

Thank you.
 

lorio

Well-Known Member
Feb 25, 2004
cPanel Access Level
Root Administrator
mod_security (id:1234123435)
This rule often triggers false positives, e.g. when trying to access the host server with HTTPS where no cert is installed.

The documentation about mod_security under EasyApache can be found here:
Apache Module: Security

mod_security stores the log file in: /usr/local/apache/logs/modsec_audit.log.

If you install mod_ruid2 and mod_security, the mod_security log location is: /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id].
In the log file you can find the URL which triggered the error.
 

santhosh_scs

Member
May 23, 2013
cPanel Access Level
Root Administrator
I checked the server logs for this IP and could see:
Code:
[Fri May 16 17:44:03 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
[Fri May 16 17:44:03 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:03 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
[Fri May 16 17:44:03 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:04 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
[Fri May 16 17:44:04 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:06 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
[Fri May 16 17:44:06 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:07 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
[Fri May 16 17:44:07 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:07 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
So in short, your modsec2.user.conf denies any HTTP request method that is not one of:

POST
GET
OPTIONS
HEAD

You can check the access logs of www.host.name to see what method was being used that caused this. You could modify the rule to allow that HTTP request method, or, optionally, you could disable that particular rule if you wanted, simply by commenting it out.
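As an added example (not code from any of the posters, cPanel or CSF), the following Python script applies the rule's REQUEST_METHOD regex quoted in the error_log lines above to candidate methods, parses denial lines in the format santhosh posted, and counts hits per client the way the csf.deny entry describes (5 in the last 300 seconds), so you can see which client, URI and rule would trip LFD before it blocks. The sample log lines and client IPs in it are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The rule's REQUEST_METHOD regex (id 1234123435, modsec2.user.conf line 41); non-matches get 501.
ALLOWED_METHOD_RX = re.compile(r"^((?:(?:POS|GE)T|OPTIONS|HEAD))$")
# Fields worth triaging from an Apache 2.2-style ModSecurity "Access denied" error_log line.
DENIAL_RX = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] ModSecurity: Access denied'
    r'.*?\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]')

def method_allowed(method):
    """True if the method passes the rule (anchored and case-sensitive, as written)."""
    return ALLOWED_METHOD_RX.match(method) is not None

def parse_denials(log_text):
    """(timestamp, client, rule_id, msg, uri) per denial line; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = DENIAL_RX.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            out.append((ts, m["client"], m["id"], m["msg"], m["uri"]))
    return out

def lfd_triggers(log_text, rule_id, threshold=5, window=300):
    """client -> time of the hit that reaches `threshold` hits on rule_id within `window` secs (csf.deny's '5 in the last 300 secs')."""
    hits = defaultdict(list)
    for ts, client, rid, _msg, _uri in parse_denials(log_text):
        if rid == rule_id:
            hits[client].append(ts)
    tripped = {}
    for client, times in hits.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window):
                tripped[client] = times[i + threshold - 1]
                break
    return tripped

# Constructed sample modelled on the excerpt in the thread; client IPs are made up.
SAMPLE_LOG = """\
[Fri May 16 17:44:03 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"]
[Fri May 16 17:44:03 2014] [error] [client 203.0.113.7] File does not exist: /home/example/public_html/501.shtml
[Fri May 16 17:44:03 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"]
[Fri May 16 17:44:04 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"]
[Fri May 16 17:44:06 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"]
[Fri May 16 17:44:07 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"]
[Fri May 16 17:45:10 2014] [error] [client 198.51.100.9] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"]
"""
```

Run it against a real /usr/local/apache/logs/error_log excerpt to see which client crossed the threshold; the method itself is not in the error_log, so match the timestamps and URI against the access log (or the modsec_audit.log entry) to find it.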