The Community Forums

Interact with an entire community of cPanel & WHM users!

csf-lfd/mod_security blocked my gateway

Discussion in 'Security' started by santhosh_scs, May 19, 2014.

  1. santhosh_scs

    santhosh_scs Member

    Joined:
    May 23, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello
    I have a WHM/cPanel server with CSF/LFD installed and mod_security enabled.
    I used to log in to WHM/cPanel from one of my local Windows boxes through a Linux (CentOS 5) NAT gateway (with a public IP address). One day CSF/LFD on the server blocked my gateway from accessing it. The csf.deny entry shows as:

    lfd: (mod_security) mod_security (id:1234123435) triggered by <gateway-public-ip> 5 in the last 300 secs - Fri May 16 17:44:09 2014.

    This means some unwanted/incorrect access occurred from my PC to the server. How can I check what could have caused mod_security to block my PC? I know that I need to watch the outgoing traffic on my gateway, but the right log files/commands/WHM options etc. are what I am looking for.

    Santhosh
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    To confirm, are you sure the access attempts were not legitimate (e.g. some application on your computer that connects to your server)?

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Check the Apache error log for that IP; it should tell you what rule ID(s) was/were violated.
     
  4. lorio

    lorio Well-Known Member

    Joined:
    Feb 25, 2004
    Messages:
    243
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    This rule is often triggered by a false positive, e.g. when trying to access the host server over https where no cert is installed.

    The documentation about mod_security under EasyApache can be found here:
    Apache Module: Security

    In the logfile you can find the URL which triggered the error.
     
  5. santhosh_scs

    santhosh_scs Member

    Joined:
    May 23, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I checked the server logs for this IP and could see:
    Code:
    [Fri May 16 17:44:03 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUszJh2@oAACHgHIgAAAAO"]
    [Fri May 16 17:44:03 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
    [Fri May 16 17:44:03 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUszJh2@oAACJTJ84AAAAI"]
    [Fri May 16 17:44:03 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
    [Fri May 16 17:44:04 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUtDJh2@oAACIDIIUAAAAa"]
    [Fri May 16 17:44:04 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
    [Fri May 16 17:44:06 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUtjJh2@oAACIHIcUAAAAi"]
    [Fri May 16 17:44:06 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
    [Fri May 16 17:44:07 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUtzJh2@oAACHfHCMAAAAM"]
    [Fri May 16 17:44:07 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
    [Fri May 16 17:44:07 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUtzJh2@oAACIQJVAAAAAr"]
    
    
     
  6. Shavaun

    Shavaun Well-Known Member

    Joined:
    Aug 15, 2013
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    So in short, your modsec2.user.conf denies any HTTP request method that is not one of:

    POST
    GET
    OPTIONS
    HEAD

    You can check the access logs of www.host.name to see what method was being used which caused this. You could modify the rule to allow that HTTP request method, or optionally you could disable that particular rule if you wanted simply by commenting it out.
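The triage described in this thread (read the Apache error log to find which rule and which client IP tripped mod_security, reproduce lfd's "5 in the last 300 secs" test, then look up the request method in the domain's access log and compare it against the rule's allow-list) as an added, self-contained Python example. It is not code from the thread, from cPanel, or from CSF/LFD. The log lines it runs on are constructed in the same layout as the entries quoted in post 5; 203.0.113.10 and 198.51.100.7 are documentation addresses standing in for the blocked gateway and an unrelated visitor, and PROPFIND is an arbitrary non-allowed method chosen for the sample, since the thread never identifies the real one. The WIDENED_RULE pattern is a hypothetical illustration of what "modify the rule to allow that method" means, not the contents of anyone's modsec2.user.conf.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The allow-list regex quoted in the error-log entries: rule 1234123435 only
# passes these four request methods.
RULE_ALLOWED = re.compile(r"^((?:(?:POS|GE)T|OPTIONS|HEAD))$")
# Hypothetical widened allow-list, illustrating what "modify the rule" means
# (PROPFIND is an arbitrary choice; the thread never names the real method).
WIDENED_RULE = re.compile(r"^((?:(?:POS|GE)T|OPTIONS|HEAD|PROPFIND))$")

# Apache 2.2-style error_log line written by ModSecurity 2.x (post 5's format).
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: Access denied with code (?P<status>\d+).*?'
    r'\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)
# Apache "combined" access-log line, as found in a domain's domlog.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

def parse_error_log(lines):
    """One dict per ModSecurity denial; other lines ('File does not exist', ...) are skipped."""
    events = []
    for line in lines:
        m = ERROR_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
            events.append(e)
    return events

def parse_access_log(lines):
    """One dict per request line in combined log format."""
    events = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append(e)
    return events

def lfd_triggers(denials, threshold=5, window_secs=300):
    """Reproduce lfd's '<threshold> in the last <window> secs' test per (client, rule id).
    Returns the set of (client, rule_id) pairs that would end up in csf.deny."""
    stamps_by_key = defaultdict(list)
    for e in denials:
        stamps_by_key[(e["client"], e["id"])].append(e["ts"])
    blocked = set()
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_secs:
                blocked.add(key)
                break
    return blocked

def methods_used(requests, client):
    """Count the request methods one client used (the access-log check suggested above)."""
    return Counter(e["method"] for e in requests if e["client"] == client)

def method_allowed(method, rule=RULE_ALLOWED):
    """True if the method passes the allow-list regex exactly as the rule evaluates it."""
    return rule.match(method) is not None

# ---- constructed sample logs: same layout as the thread's entries, with a
# ---- documentation address (203.0.113.10) standing in for the blocked gateway ----
CLIENT = "203.0.113.10"
_DENIAL = ('[{ts}] [error] [client {ip}] ModSecurity: Access denied with code 501 (phase 2). '
           'Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. '
           '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] '
           '[msg "Method is not allowed by policy"] [severity "CRITICAL"] '
           '[tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] '
           '[uri "/images/header/email_header.jpg"] [unique_id "constructed{n}"]')
_TIMES = ["17:44:03", "17:44:03", "17:44:04", "17:44:06", "17:44:07", "17:44:07"]
ERROR_LOG, ACCESS_LOG = [], []
for n, t in enumerate(_TIMES):
    ERROR_LOG.append(_DENIAL.format(ts=f"Fri May 16 {t} 2014", ip=CLIENT, n=n))
    ERROR_LOG.append(f"[Fri May 16 {t} 2014] [error] [client {CLIENT}] "
                     "File does not exist: /home/example/public_html/501.shtml")
    ACCESS_LOG.append(f'{CLIENT} - - [16/May/2014:{t} +0000] '
                      '"PROPFIND /images/header/email_header.jpg HTTP/1.1" 501 - "-" "constructed-agent"')
# An unrelated, permitted request from another client, to show the per-client filtering.
ACCESS_LOG.append('198.51.100.7 - - [16/May/2014:17:44:05 +0000] '
                  '"GET /index.html HTTP/1.1" 200 1234 "-" "constructed-agent"')

if __name__ == "__main__":
    denials = parse_error_log(ERROR_LOG)
    print("lfd would block:", lfd_triggers(denials))
    for method, count in methods_used(parse_access_log(ACCESS_LOG), CLIENT).items():
        verdict = "allowed" if method_allowed(method) else "denied by rule 1234123435"
        print(f"{method}: {count} request(s), {verdict}")
    print("after widening the allow-list:", method_allowed("PROPFIND", WIDENED_RULE))
```

To run this against a real server instead of the constructed sample, feed the parsers the lines of the Apache error log and of the affected domain's access log, with CLIENT set to the gateway's public address. On an EasyApache 3 cPanel install like the one the thread's conf path suggests, those are assumed to be /usr/local/apache/logs/error_log and the per-domain file under /usr/local/apache/domlogs/; check the paths on your own server. Note that the allow-list match is exact and case-sensitive (a lowercase "get" is denied), and that the File-does-not-exist lines for 501.shtml are just Apache failing to find a custom error page, not additional violations.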
     