Mod Security and Google

Discussion in 'Security' started by morrow95, Jan 21, 2013.

  1. morrow95

    morrow95, Well-Known Member (Joined: Oct 8, 2006; Messages: 83; Likes Received: 0; Trophy Points: 6)

    Getting TONS of these showing through WHM in mod security - an example:

    2013-01-21 15:53:02 66.249.75.201 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]

    As you can see this is Google... I also have CSF installed, however, I changed to LF_MODSEC = 0 which will prevent the firewall from blocking the IP when mod-sec rules are triggered.

    BUT... what can I do to stop mod_sec from blocking? I find it kind of ridiculous that these would block Google from crawling?
     
  2. morrow95

    More research and a 501 error is being returned and there is no 501 error page in htdocs. I went ahead and created one. Googlebot must be trying to crawl https pages when there are none then triggering this problem. Anyways, should be fixed now, but still doesn't explain why GBot is trying https pages.
     
  3. STS Admin

    STS Admin, Well-Known Member (Joined: Jul 8, 2012; Messages: 47; Likes Received: 0; Trophy Points: 6; Location: India; cPanel Access Level: Root Administrator)

    It's a mod_security block. Comment out the rule on line 38 in file /usr/local/apache/conf/modsec2.user.conf and restart Apache.

    Note: You may have to comment out the previous line too if this rule is divided into multiple lines.
     
  4. morrow95

    This one?

    # allow request methods
    SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
    "phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

    Do I really need to do anything at all now that I added an actual 501 error page? That should have solved it.

    Also, I am really not up on mod_sec, but am I correct in that it does not block IPs per se, just blocks attempts? Basically, even though this trigger is happening with Google, it is not 'blocking' Google, right, just the action they are attempting, in this case the 501 error - correct?
     
  5. morrow95

    Well, the 501 missing error is gone now, but Google, if it really is Google, is still trying to access https apparently. Is this error hurting me in any way, and if I do remove this modsec line, is it safe to do so?
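
Two things the thread leaves open can be checked before touching line 38: which request methods rule 960032 actually rejects, and whether the client "really is Google". The following is an added example, not code from any poster or from cPanel. The function names are hypothetical, the Googlebot check is the forward-confirmed reverse DNS procedure Google documents for its crawlers, and by default it performs live DNS lookups.

```python
import re
import socket

# Denial message exactly as quoted in the first post of this thread.
SAMPLE = ('Access denied with code 501 (phase 2). Match of '
          '"rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. '
          '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] '
          '[msg "Method is not allowed by policy"] [severity "CRITICAL"] '
          '[tag "POLICY/METHOD_NOT_ALLOWED"]')

def parse_denial(message):
    """Split a ModSecurity 'Access denied' message into its fields."""
    head = re.match(r'Access denied with code (\d+) \(phase (\d+)\)\. '
                    r'Match of "rx (.+?)" against "([^"]+)" required\.', message)
    if head is None:
        raise ValueError("not a negated-rx denial message")
    fields = dict(re.findall(r'\[(\w+) "([^"]*)"\]', message))
    fields.update(status=int(head.group(1)), phase=int(head.group(2)),
                  pattern=head.group(3), variable=head.group(4))
    return fields

def rejected_methods(pattern, methods):
    """Methods that fail the rule's allow-list regex (t:none, so case matters)."""
    allowed = re.compile(pattern)
    return [m for m in methods if not allowed.search(m)]

def is_verified_googlebot(ip, reverse=socket.gethostbyaddr,
                          forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: the PTR name must sit under googlebot.com
    or google.com, and that name must resolve back to the same IP."""
    try:
        host = reverse(ip)[0].rstrip('.').lower()
        if not host.endswith(('.googlebot.com', '.google.com')):
            return False
        return ip in forward(host)[2]
    except OSError:  # socket.herror / socket.gaierror: no PTR or no A record
        return False

if __name__ == "__main__":
    info = parse_denial(SAMPLE)
    probe = ["GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "CONNECT", "get"]
    print(info["id"], info["status"], rejected_methods(info["pattern"], probe))
```

The ModSecurity audit log entry for the same request shows the method that was actually sent, which is what decides whether the rule or the client needs attention.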
     