
Mod Security 960008, what does this mean please?

Discussion in 'Security' started by keat63, Feb 13, 2015.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I installed Mod Security last night and came in this morning to the error below, which is being populated every 5 minutes.
    I've disabled the rules until I can fathom out what it means.
    Any ideas?
    Code:
    
    960008 and 960009 mostly from 127.0.0.1, but a few 960009's from IPs
    
    Missing/Empty Host Header
    #
    # -=[ Rule Logic ]=-
    # These rules will first check to see if a Host header is present.
    # The second check is to see if a Host header exists but is empty.
    #
    SecRule &REQUEST_HEADERS:Host "@eq 0" "msg:'Request Missing a Host Header', severity:'WARNING', phase:request, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'9', t:none, block, id:'960008', tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST', tag:'WASCTC/WASC-21', tag:'OWASP_TOP_10/A7', tag:'PCI/6.5.10', setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}, skipAfter:END_HOST_CHECK"
    
    host.myserver.co.uk 127.0.0.1 - - [13/Feb/2015:01:05:01 +0000] "GET /whm-server-status HTTP/1.0" 302 192 "-" "-" VN1NvdWr3R8AAFLRlzwAAAAI "-" /nobody/20150213/20150213-0105/20150213-010501-VN1NvdWr3R8AAFLRlzwAAAAI 0 1158 md5:cf0765030f91de3785587a5a74f05d76
     
    #1 keat63, Feb 13, 2015
    Last edited by a moderator: Feb 13, 2015
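The log line in the post is in the shape of cPanel's modsec_audit.log index (vhost, client IP, timestamp, request line, status, unique ID, then the per-request audit file). Before disabling a rule it is worth triaging those index lines to see whether the hits are a periodic localhost request or real external traffic. The following is an added example, not code from the thread or from cPanel: it parses constructed index lines in that format, groups hits by client and request, and flags groups that come from a loopback address at a fixed interval. The hostnames, IPs, unique IDs and timestamps in the sample are made up for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same layout as the line quoted in the thread
# (made-up hostnames, IPs, IDs and times). Three loopback hits exactly
# five minutes apart, plus one external hit with an HTTP/1.1 request.
SAMPLE_INDEX = """\
host.example.test 127.0.0.1 - - [13/Feb/2015:01:05:01 +0000] "GET /whm-server-status HTTP/1.0" 302 192 "-" "-" AAAAAAAAAAAAAAAAAAAAAAAA "-" /nobody/20150213/20150213-0105/20150213-010501-AAAAAAAAAAAAAAAAAAAAAAAA 0 1158 md5:00000000000000000000000000000000
host.example.test 127.0.0.1 - - [13/Feb/2015:01:10:01 +0000] "GET /whm-server-status HTTP/1.0" 302 192 "-" "-" BBBBBBBBBBBBBBBBBBBBBBBB "-" /nobody/20150213/20150213-0110/20150213-011001-BBBBBBBBBBBBBBBBBBBBBBBB 0 1158 md5:00000000000000000000000000000000
host.example.test 127.0.0.1 - - [13/Feb/2015:01:15:01 +0000] "GET /whm-server-status HTTP/1.0" 302 192 "-" "-" CCCCCCCCCCCCCCCCCCCCCCCC "-" /nobody/20150213/20150213-0115/20150213-011501-CCCCCCCCCCCCCCCCCCCCCCCC 0 1158 md5:00000000000000000000000000000000
host.example.test 203.0.113.7 - - [13/Feb/2015:01:12:44 +0000] "GET / HTTP/1.1" 403 221 "-" "Mozilla/5.0" DDDDDDDDDDDDDDDDDDDDDDDD "-" /nobody/20150213/20150213-0112/20150213-011244-DDDDDDDDDDDDDDDDDDDDDDDD 0 1200 md5:00000000000000000000000000000000
"""

# Fields up to the unique ID; the trailing audit-file path is not needed here.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" (?P<uid>\S+)'
)


def parse_index_line(line):
    """Return a dict for one index line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Pad so a malformed request line (e.g. just "-") still unpacks.
    method, uri, version = (m.group("request").split(" ") + ["", "", ""])[:3]
    return {
        "vhost": m.group("vhost"),
        "client": m.group("client"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "uri": uri,
        "version": version,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
        "uid": m.group("uid"),
    }


def group_hits(text):
    """Group parsed lines by (client IP, method, URI)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_index_line(line)
        if rec:
            groups[(rec["client"], rec["method"], rec["uri"])].append(rec)
    return groups


def summarise(text, min_hits=3):
    """One summary row per group; a group is a likely local service check when
    it comes from a loopback address and repeats at one fixed interval."""
    rows = []
    for (client, method, uri), recs in group_hits(text).items():
        recs.sort(key=lambda r: r["time"])
        gaps = [int((b["time"] - a["time"]).total_seconds())
                for a, b in zip(recs, recs[1:])]
        periodic = len(recs) >= min_hits and len(set(gaps)) == 1
        rows.append({
            "client": client,
            "method": method,
            "uri": uri,
            "hits": len(recs),
            "interval_s": gaps[0] if periodic else None,
            "http_version": recs[0]["version"],
            "likely_local_check": periodic and ipaddress.ip_address(client).is_loopback,
        })
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE_INDEX):
        print(row)
```

Run against a real index file with `summarise(open("/path/to/modsec_audit.log").read())`; groups marked `likely_local_check` are candidates for a scoped exception, while the remaining groups are the hits that actually deserve a look.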
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You'll be here posting every single morning wondering about these.

    Here is the full modsecurity_crs_21_protocol_anomalies.conf:
    https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_21_protocol_anomalies.conf

    Here is some additional Info for you on where to get answers about the rules, and how they work:
    Re: could anyone explain mod security please - cPanel Forums

    Leave all the rules enabled. Disable one at a time as needed, for your setup.

    If you open that first link above to the full modsecurity_crs_21_protocol_anomalies.conf and search that page for this:
    "id:'"

    Sans quotes, you'll note that it appears in that file 9 times. There are comments in that file and the others that should be of some limited use.

    You'll need to understand all this and decide if you'd like to disable one or more for your setup. And, should you disable it for the entire server, or just one account.


    The new ruleset can and will break things. For example, if you have a WordPress, XenForo, or WHMCS installed, go to settings in your WordPress, XenForo or WHMCS installation, and just click save settings. Does it save and update the page? Probably not; one of these rules blocked the action.

    In that case, you'll need to monitor your Hits List (or search for the ID there), click the Rule ID being triggered, untick 'Enable Rule', tick 'Deploy and Restart Apache', then Save.



    The details above should be able to get you going in the proper direction. It's a long road ahead. These rules are not fully compatible yet with, well, most everything legit, and will need to be tweaked at this time.

    When we can report a rule not working with a wordpress site for example, and the creators of the rulesets can modify them and push out an update with cPanel updates, we'll be in better shape here. For now though, you'll need to disable IDs, as needed for your setup to work as expected.

    I hope you find some use in this post and the links above.
     
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    When I say I disabled the rules, I only disabled 960008 and 960009.
    I don't have Wordpress, Joomla etc. etc., just an olde version of Cubecart.

    The report comes from 127.0.0.1, and it's every 5 minutes. Another thread points to something related to checksrvd checking Apache is running, so I'm guessing 960008 doesn't like this check?




    I followed the link and searched the ID, but what came back may as well be written in Chinese.
    Code:
    "skipAfter:END_HOST_CHECK,phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
     
    #3 keat63, Feb 13, 2015
    Last edited: Feb 13, 2015
  5. PCZero

    PCZero Well-Known Member

    Joined:
    Dec 13, 2003
    Messages:
    526
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    Earth
    Info, is there an easy way to turn off just one rule (for example ID:960015) or do I need to turn off the entire set for that section of rules (turning off all of rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf)? I see how to do the latter in Home » Security Center » Select Vendor Rule Sets. I do not see how to do the former.
     
  6. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Joined:
    May 2, 2014
    Messages:
    509
    Likes Received:
    65
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Hi PCZero,

    You can enable / disable specific rules in WHM -> ModSecurity Tools -> 'Rule List'. You can search for the rule, uncheck 'Enable', and then check 'Deploy and Restart Apache'.

    I hope this helps!
     
  7. PCZero

    PCZero Well-Known Member

    Joined:
    Dec 13, 2003
    Messages:
    526
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    Earth
    Thanks Jacob. Exactly what i was looking for. Appreciate the info much.
     
  8. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    PCZero,
    can I ask why you want to disable 960015?

    I've also considered disabling 960015, but only because I don't understand it.
    And most of the logs I've seen for 960015 originate from the UK, which is 99% of my customer base.
     
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    REQUEST_HEADERS:Host "@eq 0" means the request came in to an IP on port 80 with no domain name specified for the request. In other words the "Host" header (used to handle vhosts for multiple domains on one IP) was not there.
     
  10. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hi Quizknows.

    In layman's terms:

    does that mean a request to view a page or site was sent to an IP, rather than a URL?
     
    #10 keat63, Feb 13, 2015
    Last edited: Feb 13, 2015
  11. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Basically, yes. No domain name was specified in the request, so it's likely just a connection straight to the IP.
     
  12. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    From what I think I could gather, these were all coming from 127.0.0.1 every 5 minutes exactly.
    I think it was checksrvd looking to see if Apache was running.

    Until I can fully get my head around it, I disabled that rule.
     
  13. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Generally it's a safe rule to disable if any sites are accessed directly by IP. I agree that it does look like a service check done by checksrvd, and if that's the case, that rule should probably be modified if it's going to be used at all on cPanel systems.
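To make the rule logic from the first post and quizknows' explanation concrete, here is an added example (not code from the thread, from cPanel or from the CRS project) that applies the two checks to raw HTTP requests: 960008 counts Host headers and fires when there are none (`&REQUEST_HEADERS:Host "@eq 0"`), and 960009 fires when a Host header is present but empty. It also shows the alternative to switching the rule off server-wide that quizknows' last reply points toward: an exception scoped to the loopback client and the `/whm-server-status` URI, which is the same effect a ModSecurity `ctl:ruleRemoveById` rule keyed on REMOTE_ADDR and REQUEST_URI would have. That the loopback hits are a local service check is this example's assumption, taken from the thread's guess, not something the example verifies. The sample requests are constructed; the logged request line `GET /whm-server-status HTTP/1.0` is the only one taken from the post.

```python
import ipaddress

# Constructed raw requests. CHECK reproduces the request line seen in the
# thread's log: HTTP/1.0, which never required a Host header, so none is sent.
CHECK = "GET /whm-server-status HTTP/1.0\r\n\r\n"
# HTTP/1.1 request with no Host header, e.g. a scanner hitting the bare IP.
IP_SCAN = "GET / HTTP/1.1\r\nUser-Agent: scanner\r\n\r\n"
# Host header present but empty.
EMPTY_HOST = "GET / HTTP/1.1\r\nHost: \r\n\r\n"
# Normal browser request for a named vhost.
NORMAL = "GET /index.php HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"

# Hypothetical exception list: (client network, URI) pairs for which the
# Host-header rules are not evaluated. Assumes the loopback hits are a local
# service check of /whm-server-status, as guessed in the thread.
EXCLUSIONS = [
    (ipaddress.ip_network("127.0.0.0/8"), "/whm-server-status"),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into its request line and header list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def rule_960008(req):
    """&REQUEST_HEADERS:Host "@eq 0": the request carries no Host header."""
    return sum(1 for name, _ in req["headers"] if name == "host") == 0


def rule_960009(req):
    """REQUEST_HEADERS:Host "^$": a Host header exists but is empty."""
    return any(name == "host" and value == "" for name, value in req["headers"])


def excluded(client_ip, req):
    """True when a scoped exception covers this client and URI."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net and req["uri"] == uri for net, uri in EXCLUSIONS)


def evaluate(client_ip, raw):
    """Return which of the two rules would fire for this client and request.

    960008 uses skipAfter:END_HOST_CHECK, so when it matches the empty-Host
    check is skipped; the elif mirrors that."""
    req = parse_request(raw)
    skip = excluded(client_ip, req)
    hits = []
    if not skip:
        if rule_960008(req):
            hits.append(960008)
        elif rule_960009(req):
            hits.append(960009)
    return {
        "uri": req["uri"],
        "version": req["version"],
        # HTTP/1.1 requires Host; a missing Host on HTTP/1.0 is legal.
        "host_required": req["version"] == "HTTP/1.1",
        "excluded": skip,
        "hits": hits,
    }


if __name__ == "__main__":
    for client, raw in [("127.0.0.1", CHECK), ("203.0.113.7", CHECK),
                        ("203.0.113.7", IP_SCAN), ("203.0.113.7", EMPTY_HOST),
                        ("203.0.113.7", NORMAL)]:
        print(client, evaluate(client, raw))
```

The point of scoping the exception by client and URI rather than removing the ID outright is visible in the last two cases: the same HTTP/1.0 request from an external address, or any Host-less HTTP/1.1 request from the loopback address to another path, still triggers 960008.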
     