Host header is a numeric IP address - why the fuss from mod_security?

jeffschips

Well-Known Member
Hello.

I know this isn't specific to cPanel, but perhaps someone can unpack this constant mod_security warning I'm receiving.

Date: 2021-05-16 19:51:55
Host: my-cpane-server-ip:80
Source: offending party connecting IP
Severity: WARNING
Status: 403
Rule ID: 920350 Host header is a numeric IP address

Why is mod_security making a fuss over my host/server's IP address?

ZenHostingTravis

Well-Known Member

andrew.n

Well-Known Member
Yes, it's certainly possible. I believe the easiest would be to use the ModSecurity Control plugin from ConfigServer, where you can disable specific rules at the account/domain/subdomain level:

 

jeffschips

Well-Known Member
Thank you. I tried the ConfigServer ModSecurity Control about a year ago and wasn't that impressed with the interface. It seemed clunky and some of the prompts were confusing. I'll give it another try though.

So, to confirm: turning off the rule "Rule ID: 920350 Host header is a numeric IP address" is possible, but is it advisable?
 

andrew.n

Well-Known Member
I believe turning that off for only that specific domain/subdomain would be safe enough.
 

jeffschips

Well-Known Member
I think I may not have been very clear:
I understand that I can turn off the rule based on the host being a numeric IP address; however, it would seem that rule - 920350 - contains the following rules:

Code:
SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
    "id:920350,\
    phase:2,\
    block,\
    t:none,\
    msg:'Host header is a numeric IP address',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.3.0',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
and further down the rabbit hole, in the modsec_audit.log entry associated with this rule, there are conditions being met which also raise flags:

Code:
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xx.xx.xx.xx] 
ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\\\\\d.:]+$" at 
REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] 
[line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "host.numer.ic.ip.address] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] 
[tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [
tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "host.numer.ic.ip.addr"] [uri "/"] 
[unique_id "YMZzTgKhdfzxdvW76O3erwAAAMU"]
So am I doing myself a disservice by eliminating a rule which indeed is not just raising flags about the "numeric IP address issue" but also providing needed protection against what comes later, i.e., the pattern match in the above code?
 
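To see what rule 920350 actually checks, here is an added emulation of the quoted SecRule in Python (not ModSecurity or CRS code, and not from the thread): the same regex `^[\d.:]+$` run over some constructed Host header values, followed by the anomaly-score bookkeeping the `setvar` action performs. The score weights are assumed CRS 3.x defaults (warning = 3, inbound threshold = 5), not values stated in the thread.

```python
import re

# Emulation of OWASP CRS rule 920350 as quoted above; the regex is the rule's
# own @rx operator argument. This is illustrative code, not ModSecurity.
RULE_920350_PATTERN = re.compile(r"^[\d.:]+$")

# Assumed CRS 3.x defaults (assumption, not taken from the thread).
WARNING_ANOMALY_SCORE = 3          # tx.warning_anomaly_score
INBOUND_ANOMALY_THRESHOLD = 5      # tx.inbound_anomaly_score_threshold


def rule_920350(host_header):
    """Return (matched, logdata) the way the rule would: the regex is applied to
    the raw Host header, so 'ip:port' values match as well as bare IPs."""
    if host_header is None:
        return False, None
    m = RULE_920350_PATTERN.match(host_header)
    return (m is not None), (host_header if m else None)   # logdata = MATCHED_VAR


def evaluate_request(host_header, other_rule_scores=()):
    """Run 920350, add its weight to tx.anomaly_score_pl1 as the setvar action
    does, and report whether the inbound threshold would be reached."""
    matched, logdata = rule_920350(host_header)
    score = WARNING_ANOMALY_SCORE if matched else 0
    score += sum(other_rule_scores)   # contributions from other rules, if any
    return {
        "host": host_header,
        "rule_920350_matched": matched,
        "logdata": logdata,
        "anomaly_score_pl1": score,
        "blocked_by_anomaly_threshold": score >= INBOUND_ANOMALY_THRESHOLD,
    }


# Constructed sample Host headers (documentation addresses, not real hosts).
SAMPLE_HOSTS = [
    "203.0.113.10:80",     # IPv4 with port: matches (the case in the log above)
    "203.0.113.10",        # bare IPv4: matches
    "::1",                 # digits and colons only: matches
    "2001:db8::1",         # hex letters are outside [\d.:]: does NOT match
    "[2001:db8::1]:443",   # brackets are outside the class: does NOT match
    "example.com",         # hostname: no match
    "example.com:8080",    # hostname with port: no match
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = evaluate_request(h)
        print(f"{h:20} matched={r['rule_920350_matched']!s:5} score={r['anomaly_score_pl1']}")
```

The "Pattern match" in the audit log is this single regex firing, not a second check layered on top of it; the rule contributes one warning-level score (or blocks directly, depending on how the engine's default action is configured).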

cPRex

Jurassic Moderator
Staff member
That part is really up to you to decide. Additional details about how the pattern matching happens can be found here:


but I have always just disabled the offending rule (or sometimes multiple rules) when this happens.