morrow95

Well-Known Member
Oct 8, 2006
161
8
168
Getting TONS of these showing through WHM in mod security - an example:

2013-01-21 15:53:02 66.249.75.201 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]

As you can see this is Google... I also have CSF installed, however, I changed to LF_MODSEC = 0 which will prevent the firewall from blocking the IP when mod-sec rules are triggered.

BUT... what can I do to stop mod_sec from blocking? I find it kind of ridiculous that these would block Google from crawling?
 

morrow95

More research and a 501 error is being returned and there is no 501 error page in htdocs. I went ahead and created one. Googlebot must be trying to crawl https pages when there are none then triggering this problem. Anyways, should be fixed now, but still doesn't explain why GBot is trying https pages.
 

STS Admin

Well-Known Member
Jul 8, 2012
46
0
56
India
cPanel Access Level
Root Administrator
It's a mod_security block. Comment out the rule on line 38 in file /usr/local/apache/conf/modsec2.user.conf and restart Apache.

Note: You may have to comment out the previous line too if this rule is divided into multiple lines.
 

morrow95

This one?

# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

Do I really need to do anything at all now that I added an actual 501 error page? That should have solved it.

Also, I am really not up on mod_sec, but am I correct in that it does not block IPs per se, just blocks attempts? Basically, even though this trigger is happening with Google, it is not 'blocking' Google, right, just the action they are attempting, in this case the 501 error - correct?
 

morrow95

Well, the 501 missing error is gone now, but Google, if it really is Google, is still trying to access https apparently. Is this error hurting me in any way, and if I do remove this modsec line, is it safe to do so?
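
Added example, not part of any post in this thread and not cPanel or ModSecurity code: a Python parser for the denial message quoted in the first post. It extracts the rule metadata and evaluates the logged regex against request methods to show which ones rule 960032 rejects. The message is the one from the post; the list of methods tried is constructed.

```python
import re

# Denial message copied from the first post in this thread.
LOG_MESSAGE = (
    'Access denied with code 501 (phase 2). Match of '
    '"rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. '
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] '
    '[id "960032"] [msg "Method is not allowed by policy"] '
    '[severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]'
)

HEAD_RE = re.compile(
    r'Access denied with code (?P<status>\d+) \(phase (?P<phase>\d+)\)\. Match of '
    r'"(?P<operator>\w+) (?P<pattern>.*?)" against "(?P<variable>[^"]+)" required\.'
)
META_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_denial(message):
    """Split a 'Match of ... required' denial into operator, variable, metadata."""
    head = HEAD_RE.search(message)
    if head is None:
        raise ValueError("not a 'Match of ... required' denial message")
    event = head.groupdict()
    event["status"] = int(event["status"])
    event["phase"] = int(event["phase"])
    meta = {}
    for key, value in META_RE.findall(message[head.end():]):
        meta.setdefault(key, []).append(value)  # a key such as tag can repeat
    event["meta"] = meta
    return event


def denied_methods(event, methods):
    """Return the request methods the logged rule would deny."""
    if event["operator"] != "rx" or event["variable"] != "REQUEST_METHOD":
        raise ValueError("only handles rx rules on REQUEST_METHOD")
    allowed = re.compile(event["pattern"])
    # 'Match ... required' is a negated operator: the rule fires on a non-match.
    return [m for m in methods if allowed.search(m) is None]


if __name__ == "__main__":
    ev = parse_denial(LOG_MESSAGE)
    print(ev["meta"]["id"], ev["meta"]["file"], ev["meta"]["line"])
    # Constructed sample methods, not taken from the thread.
    sample = ["GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "get", "PROPFIND"]
    print(denied_methods(ev, sample))
```

The rule in the thread uses `t:none`, so the comparison is case-sensitive and a lowercase `get` is denied along with methods outside the allowed set.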