Host header is a numeric IP address - why the fuss from mod_security?

jeffschips · May 16, 2021

Hello.

I know this isn't specific to Cpanel but perhaps someone can unpack this constant mod_security warning I'm receiving.

Date: 2021-05-16 19:51:55
Host: my-cpane-server-ip:80
Source: offending party connecting IP
Severity: WARNING
Status: 403
Rule ID: 920350 Host header is a numeric IP address

Why is mod_security making a fuss over my host/server's IP address?

ZenHostingTravis · May 17, 2021

Hi @jeffschips,

You can whitelist IP addresses.

The following link may assist you further: Whitelisting IP addresses for "host header is a numeric ip address" error · Issue #127 · SpiderLabs/owasp-modsecurity-crs, assuming you're using the OWASP ruleset.

jeffschips · May 17, 2021

Hi @ZenHostingTravis and thank you.

I've read posts like this but my confusion is that some posters say you need to whitelist the client while others who say you need to whitelist the host. So to confirm you are suggesting whitelisting the ip address of my cpanel server, is that correct?

jeffschips · May 17, 2021

Any issues if disabling the rule entirely?

andrew.n · May 18, 2021

Yes it's certainly possible. I believe the easiest would be to use ModSecurity Control plugin from ConfigServer where you can disable specific rules per account/domain/subdomain level:

ConfigServer Modsecurity Control (cmc) – ConfigServer Services

www.configserver.com

jeffschips · May 18, 2021

Thank you. I tried the ConfigServer ModSecurity Control about a year ago and wasn't that impressed with the interface. It seemed clunky and some of the prompts were confusing. I'll give it another try though.

So to confirm turning off the rule "Rule ID: 920350 Host header is a numeric IP address" is possible but is it advisable?

andrew.n · May 18, 2021

I believe turning that off for only that specific domain/subdomain would be safe enough.

cPRex · May 18, 2021

It's common to disable specific rules either server-wide or per domain, so that would be the easiest way to take care of that issue on the system.

jeffschips · Jun 13, 2021

I think I may have not been very clear:
I understand that I can turn off the rule based on the host being a numberic IP address, however, it would seem that rule - 920350 - contains the following rules:

Code:

SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
    "id:920350,\
    phase:2,\
    block,\
    t:none,\
    msg:'Host header is a numeric IP address',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.3.0',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"

and further down the rabbit hole modsec_audit.log associated with this rule there are conditions being met which also raise flags:

Code:

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xx.xx.xx.xx] 
ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\\\\\d.:]+$" at 
REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] 
[line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "host.numer.ic.ip.address] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] 
[tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [
tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "host.numer.ic.ip.addr"] [uri "/"] 
[unique_id "YMZzTgKhdfzxdvW76O3erwAAAMU"]

So am I doing myself a disservice by elimintaing a rule whicdh indeed is not just raising flags about the "numeric ip address issue" but also providing needed protection against what comes later, i.e., the pattern match in the above code.

cPRex · Jun 15, 2021

That part is really up to you to decide. Additional details about how the pattern matching happens can be found here:

ModSecurity Advanced Topic of the Week: (Updated) Exception Handling

UPDATE - since this original post, we added new exception handling capabilities to v2.6.0 which are a tremendous help for adding in custom exceptions. See the section below on Updating the Target Lists. This post is long overdue. I will...

www.trustwave.com

but I have always just disabled the offending rule (or sometimes multiple rules) when this happens.

Thread starter	Similar threads	Forum	Replies	Date
O	New Thread SSL - cPanel says Host SSL expires in 10 days, but Manage Certificates says all is well	Security	0	Saturday at 12:14 PM
T	SOLVED Host Access Control not working	Security	7	Jan 11, 2023
W	Apache vhosts are not segmented or chroot()ed	Security	1	Dec 15, 2022
J	Started Getting Apache vhosts are not segmented warning	Security	2	Dec 8, 2022
M	217220 COMODO WAF: Request Missing a Host Header	Security	7	Apr 7, 2017

Search

Search

Host header is a numeric IP address - why the fuss from mod_security?

jeffschips

Well-Known Member

ZenHostingTravis

Well-Known Member

jeffschips

Well-Known Member

jeffschips

Well-Known Member

andrew.n

Well-Known Member

ConfigServer Modsecurity Control (cmc) – ConfigServer Services

jeffschips

Well-Known Member

andrew.n

Well-Known Member

cPRex

Jurassic Moderator

jeffschips

Well-Known Member

cPRex

Jurassic Moderator

ModSecurity Advanced Topic of the Week: (Updated) Exception Handling