csf-lfd/mod_security blocked my gateway

[santhosh_scs]

Hello
I have a WHM/Cpanel server with CSF/LFD installed and mod_security enabled.
I used to login to WHM/cpanel from one of my local windows box through a linux (Centos 5)NAT gateway(with a public IP address) . On one day CSF/LFD on the server blocked my gateway from accessing it. The csf.deny shows as

lfd: (mod_security) mod_security (id:1234123435) triggered by <gateway-public-ip> 5 in the last 300 secs - Fri May 16 17:44:09 2014.

This means some unwanted/incorrect access occurred from my PC to the server. How can I check what could have caused mod_security to block my PC . I know that I need to watch the outgoing traffic in my gateway - but the right log files/commands/any whm options etc is what I am looking for

Santhosh

 

[cPanelMichael]

Hello

To confirm, are you sure the access attempts were not legitimate (e.g. some application on your computer that connects to your server)?

Thank you.

 

[quizknows]

Check the apache error log for that IP, it should tell you what rule ID(s) was/were violated.

 

[lorio]

mod_security (id:1234123435) [/I]

This rule is often triggered with false positive e.g. when trying to access the hostserver with https where no cert is installed.

The docu about modsec under easyapache can be found here:
Apache Module: Security

mod_security stores the log file in: /usr/local/apache/logs/modsec_audit.log.

If you install mod_ruid2 and mod_security, the mod_security log location is: /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id].

In the logfile you can find the url which triggered the error.

 

[santhosh_scs]

I checked the server logs for this IP and could see

[Fri May 16 17:44:03 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
[Fri May 16 17:44:03 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:03 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
[Fri May 16 17:44:03 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:04 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
[Fri May 16 17:44:04 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:06 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
[Fri May 16 17:44:06 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:07 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]
[Fri May 16 17:44:07 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:07 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "[email protected]"]

 

[Shavaun]

Just as a note, I recommend that you use this link: http://documentation.cpanel.net/display/EA/Apache+Module%3A+ModSecurity

We are no longer updating the docs.cpanel.net site. The main page for our new documentation site is http://documentation.cpanel.net.

 

[quizknows]

So in short, your modsec2.user.conf denies any HTTP request method that is not one of:

POST
GET
OPTIONS
HEAD

You can check the access logs of www.host.name to see what method was being used which caused this. You could modify the rule to allow that HTTP request method, or optionally you could disable that particular rule if you wanted simply by commenting it out.