Host header is a numeric IP address - why the fuss from mod_security?

[jeffschips]

Hello.

I know this isn't specific to Cpanel but perhaps someone can unpack this constant mod_security warning I'm receiving.

Date: 2021-05-16 19:51:55
Host: my-cpane-server-ip:80
Source: offending party connecting IP
Severity: WARNING
Status: 403
Rule ID: 920350 Host header is a numeric IP address

Why is mod_security making a fuss over my host/server's IP address?

 

[ZenHostingTravis]

Hi @jeffschips,

You can whitelist IP addresses.

The following link may assist you further: Whitelisting IP addresses for "host header is a numeric ip address" error · Issue #127 · SpiderLabs/owasp-modsecurity-crs, assuming you're using the OWASP ruleset.

 

[jeffschips]

Hi @ZenHostingTravis and thank you.

I've read posts like this but my confusion is that some posters say you need to whitelist the client while others who say you need to whitelist the host. So to confirm you are suggesting whitelisting the ip address of my cpanel server, is that correct?

 

[jeffschips]

Any issues if disabling the rule entirely?

 

[andrew.n]

Yes it's certainly possible. I believe the easiest would be to use ModSecurity Control plugin from ConfigServer where you can disable specific rules per account/domain/subdomain level:

ConfigServer ModSecurity Control (cmc)

www.configserver.com

 

[jeffschips]

Thank you. I tried the ConfigServer ModSecurity Control about a year ago and wasn't that impressed with the interface. It seemed clunky and some of the prompts were confusing. I'll give it another try though.

So to confirm turning off the rule "Rule ID: 920350 Host header is a numeric IP address" is possible but is it advisable?

 

[andrew.n]

I believe turning that off for only that specific domain/subdomain would be safe enough.

 

[cPRex]

It's common to disable specific rules either server-wide or per domain, so that would be the easiest way to take care of that issue on the system.

 

[jeffschips]

I think I may have not been very clear:
I understand that I can turn off the rule based on the host being a numberic IP address, however, it would seem that rule - 920350 - contains the following rules:

SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
    "id:920350,\
    phase:2,\
    block,\
    t:none,\
    msg:'Host header is a numeric IP address',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.3.0',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"

and further down the rabbit hole modsec_audit.log associated with this rule there are conditions being met which also raise flags:

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xx.xx.xx.xx] 
ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\\\\\d.:]+$" at 
REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] 
[line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "host.numer.ic.ip.address] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] 
[tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [
tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "host.numer.ic.ip.addr"] [uri "/"] 
[unique_id "YMZzTgKhdfzxdvW76O3erwAAAMU"]

So am I doing myself a disservice by elimintaing a rule whicdh indeed is not just raising flags about the "numeric ip address issue" but also providing needed protection against what comes later, i.e., the pattern match in the above code.

 

[cPRex]

That part is really up to you to decide. Additional details about how the pattern matching happens can be found here:

ModSecurity Advanced Topic of the Week: (Updated) Exception Handling

UPDATE - since this original post, we added new exception handling capabilities to v2.6.0 which are a tremendous help for adding in custom exceptions. See the section below on Updating the Target Lists. This post is long overdue. I will...

www.trustwave.com

but I have always just disabled the offending rule (or sometimes multiple rules) when this happens.