ModSecurity 960008, what does this mean please?

keat63

I installed ModSecurity last night and came in this morning to the error below, which is being populated every 5 minutes.
I've disabled the rules until I can fathom out what it means.
Any ideas?
Code:
960008 and 960009 mostly from 127.0.0.1, but a few 960009's from IPs


Missing/Empty Host Header
#
# -=[ Rule Logic ]=-
# These rules will first check to see if a Host header is present.
# The second check is to see if a Host header exists but is empty.
#
SecRule &REQUEST_HEADERS:Host "@eq 0" "msg:'Request Missing a Host Header', severity:'WARNING', phase:request, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'9', t:none, block, id:'960008', tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST', tag:'WASCTC/WASC-21', tag:'OWASP_TOP_10/A7', tag:'PCI/6.5.10', setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}, skipAfter:END_HOST_CHECK"




host.myserver.co.uk 127.0.0.1 - - [13/Feb/2015:01:05:01 +0000] "GET /whm-server-status HTTP/1.0" 302 192 "-" "-" VN1NvdWr3R8AAFLRlzwAAAAI "-" /nobody/20150213/20150213-0105/20150213-010501-VN1NvdWr3R8AAFLRlzwAAAAI 0 1158 md5:cf0765030f91de3785587a5a74f05d76
 

Infopro

You'll be here posting every single morning wondering about these.

Here is the full modsecurity_crs_21_protocol_anomalies.conf:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_21_protocol_anomalies.conf

Here is some additional Info for you on where to get answers about the rules, and how they work:
Re: could anyone explain mod security please - cPanel Forums

> I've disabled the rules until I can fathom out what it means.
Leave all the rules enabled. Disable one at a time as needed, for your setup.

If you open that first link above to the full modsecurity_crs_21_protocol_anomalies.conf and search that page for this:
"id:'"

Sans quotes, you'll note that it appears in that file 9 times. There are comments in that file and the others that should be of some limited use.

You'll need to understand all this and decide if you'd like to disable one or more for your setup. And, should you disable it for the entire server, or just one account.


The new ruleset can and will break things. For example, if you have WordPress, XenForo, or WHMCS installed, go to Settings in your WordPress, XenForo or WHMCS installation and just click Save Settings. Does it save and update the page? Probably not; one of these rules blocked the action.

In that case, you'll need to monitor your Hits List (or search for the ID there), click the Rule ID being triggered, untick Enable Rule, then tick Deploy and Restart Apache, then Save.



The details above should be able to get you going in the proper direction. It's a long road ahead. These rules are not fully compatible, yet, with, well, most everything legit, and will need to be tweaked at this time.

When we can report a rule not working with a wordpress site for example, and the creators of the rulesets can modify them and push out an update with cPanel updates, we'll be in better shape here. For now though, you'll need to disable IDs, as needed for your setup to work as expected.

I hope you find some use in this post and the links above.
 

keat63

When I say I disabled the rules, I only disabled 960008 and 960009.
I don't have WordPress, Joomla etc. etc., just an olde version of CubeCart.

The report comes from 127.0.0.1, and it's every 5 minutes; another thread points to something related to chkservd checking Apache is running, so I'm guessing 960008 doesn't like this check?




I followed the link and searched the ID, but what came back may as well be written in Chinese.
Code:
"skipAfter:END_HOST_CHECK,phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
 

PCZero

Info, is there an easy way to turn off just one rule (for example ID:960015), or do I need to turn off the entire set for that section of rules (turning off all of rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf)? I see how to do the latter in Home » Security Center » Select Vendor Rule Sets. I do not see how to do the former.
 

JacobPerkins

Hi PCZero,

You can enable / disable specific rules in WHM -> ModSecurity Tools -> 'Rule List'. You can search for the rule, uncheck 'Enable', and then check 'Deploy and Restart Apache'.

I hope this helps!
 

keat63

PCZero,
Can I ask why you want to disable 960015?

I've also considered disabling 960015, but only because I don't understand it.
And most of the logs I've seen for 960015 originate from the UK, which is 99% of my customer base.
 

quizknows

REQUEST_HEADERS:Host "@eq 0" means the request came in to an IP on port 80 with no domain name specified for the request. In other words the "Host" header (used to handle vhosts for multiple domains on one IP) was not there.
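An added example (not code from the thread, cPanel or the CRS project) that replays what 960008 and 960009 test over constructed raw requests, and counts hits per source IP from constructed audit-log lines in the layout keat63 posted, so the periodic 127.0.0.1 check can be told apart from outside hits. The request strings, the log lines and the IP 203.0.113.7 are made up for the example.

```python
import re
from collections import Counter

RULE_MISSING_HOST = "960008"  # SecRule &REQUEST_HEADERS:Host "@eq 0": no Host header at all
RULE_EMPTY_HOST = "960009"    # Host header present but its value is empty

def parse_request(raw):
    """Return (request_line, [(name, value), ...]) for a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def crs_host_checks(raw):
    """Rule IDs that would fire. 960008 ends with skipAfter:END_HOST_CHECK,
    so 960009 is only reached when at least one Host header exists."""
    _, headers = parse_request(raw)
    hosts = [v for n, v in headers if n == "host"]
    if not hosts:                      # the '&' count operator saw zero
        return [RULE_MISSING_HOST]
    if any(v == "" for v in hosts):
        return [RULE_EMPTY_HOST]
    return []

# Constructed requests. HTTP/1.0 does not require a Host header, which is why a
# local HTTP/1.0 status check (as in the log line in the thread) matches 960008.
REQ_LOCAL_CHECK = "GET /whm-server-status HTTP/1.0\r\n\r\n"
REQ_EMPTY_HOST = "GET / HTTP/1.1\r\nHost:\r\n\r\n"
REQ_NORMAL = "GET / HTTP/1.1\r\nHost: host.myserver.co.uk\r\n\r\n"

# Constructed log lines in the layout keat63 posted: vhost, client IP, ..., request.
LOG = """host.myserver.co.uk 127.0.0.1 - - [13/Feb/2015:01:05:01 +0000] "GET /whm-server-status HTTP/1.0" 302 192
host.myserver.co.uk 127.0.0.1 - - [13/Feb/2015:01:10:01 +0000] "GET /whm-server-status HTTP/1.0" 302 192
host.myserver.co.uk 203.0.113.7 - - [13/Feb/2015:01:12:44 +0000] "GET /admin/ HTTP/1.0" 403 0"""

LOG_RE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

def hits_by_source(log):
    """Client IP -> hit count. A steady 127.0.0.1 every five minutes is the local
    check; anything else in the list is worth a second look before disabling the rule."""
    counts = Counter()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)
```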
 

keat63

Hi Quizknows.

In layman's terms, does that mean a request to view a page or site was sent to an IP rather than a URL?
 

keat63

From what I think I could gather, these were all coming from 127.0.0.1 every 5 minutes exactly.
I think it was chkservd looking to see if Apache was running.

Until I can fully get my head around it, I disabled that rule.
 

quizknows

Generally it's a safe rule to disable if any sites are accessed directly by IP. I agree that it does look like a service check done by checksrvd, and if that's the case, that rule should probably be modified if it's going to be used at all on cPanel systems.