The Community Forums


mod_sec triggered by Get requests for IPs outside my domain

Discussion in 'Security' started by jimlongo, Jul 7, 2013.

  1. jimlongo

    jimlongo Well-Known Member

    Joined: Mar 20, 2008
    Messages: 145
    Likes Received: 2
    Trophy Points: 18
    What does it mean when mod_sec gets triggered by a GET request for a foreign domain?
    The line in mod_sec looks like:

    Code:
    2013-07-07 09:17:40 208.xxx.xxx.xx http://121.199.48.71/engine.php HTTP/1.0 121.199.48.71 Access denied with code 400 (phase 2). Pattern match "^\\w+:/" at REQUEST_URI_RAW. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "27"] [id "1234123438"] [msg "Proxy access attempt"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/PROXY_ACCESS"] 400
    It looks like a request from 208.xxx.xxx.xx is for some domain based in China.

    Why does that request trigger mod_sec on my domain, which is not related in any way to either of those?

    Thanks.
     
  2. quizknows

    quizknows Well-Known Member

    Joined: Oct 20, 2009
    Messages: 942
    Likes Received: 57
    Trophy Points: 28
    cPanel Access Level: DataCenter Provider
    I'm not too familiar with that particular rule, but like the error says, it's stopping a proxy access attempt. It looks like this rule from the core rule set:

    Code:
    SecRule REQUEST_URI_RAW "^\w+:/" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'6',accuracy:'8',t:none,block,msg:'Proxy access attempt',severity:'3',id:'960014',tag:'OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS'"
    SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}"

    Looking at the regex, \w+:/ means the request URI matched a word followed by ":/",

    i.e. http://yoursite.com/somepage?somevar://proxyattempt

    I would not worry about it if your normal users are not having problems with your site(s). I personally have this particular protocol violation rule commented out in my own rule set.
     
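    To make the rule logic concrete, here is an added Python re-implementation of rule 960014 from the snippet above (not code from the thread or from the CRS itself), run over constructed request lines and the log entry from the first post; the server name example.com is an assumed placeholder.

```python
import re

# Re-implementation of CRS rule 960014 from the snippet quoted above, added for
# illustration. ^\w+:/ is anchored, so it matches only when the request line
# itself carries an absolute URI (scheme://host/path), not a URL in a query string.
ABSOLUTE_URI = re.compile(r"^\w+:/")

def is_proxy_access_attempt(request_uri_raw, server_name):
    """True when the request line names an absolute URI for a host other than
    this server, i.e. the client is treating the server as a forward proxy."""
    if not ABSOLUTE_URI.match(request_uri_raw):
        return False
    # Chained check from the rule: "!@beginsWith http://%{SERVER_NAME}"
    return not request_uri_raw.startswith("http://" + server_name)

# [key "value"] fields as they appear in the cPanel ModSecurity log line.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_tags(log_line):
    """Return the bracketed [key "value"] fields of a log line as a dict."""
    return dict(TAG_RE.findall(log_line))

# Constructed samples. The first request line and the log line mirror the
# entry in the original post; the server name is an assumed placeholder.
SERVER_NAME = "example.com"
SAMPLE_REQUEST_LINES = [
    "GET http://121.199.48.71/engine.php HTTP/1.0",  # foreign host: proxy attempt
    "GET http://example.com/index.php HTTP/1.1",     # absolute URI for our own host
    "GET /page?next=http://other.test/ HTTP/1.1",    # URL only in the query string
    "GET /index.php HTTP/1.1",                       # ordinary relative request
]
SAMPLE_LOG_LINE = (
    r'2013-07-07 09:17:40 208.xxx.xxx.xx http://121.199.48.71/engine.php HTTP/1.0 '
    r'121.199.48.71 Access denied with code 400 (phase 2). Pattern match "^\\w+:/" '
    r'at REQUEST_URI_RAW. [file "/usr/local/apache/conf/modsec2.user.conf"] '
    r'[line "27"] [id "1234123438"] [msg "Proxy access attempt"] '
    r'[severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/PROXY_ACCESS"] 400'
)

def classify(request_lines, server_name=SERVER_NAME):
    """Map each request line to (uri, flagged) using the rule logic above."""
    results = []
    for line in request_lines:
        _method, uri, _version = line.split(" ", 2)
        results.append((uri, is_proxy_access_attempt(uri, server_name)))
    return results

if __name__ == "__main__":
    for uri, flagged in classify(SAMPLE_REQUEST_LINES):
        print("BLOCK" if flagged else "allow", uri)
    print(parse_modsec_tags(SAMPLE_LOG_LINE))
```

    Only the first sample is flagged: the client sent an absolute URI naming a host that is not the server, which is exactly what the logged entry shows.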
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined: Apr 11, 2011
    Messages: 30,854
    Likes Received: 676
    Trophy Points: 113
    cPanel Access Level: Root Administrator
    Hello :)

    This indicates that Mod_Security detects a proxy access attempt. Is this blocking a legitimate access attempt to a website? If so, you may want to disable the rule globally, or for a specific account.

    Thank you.
     
  4. jimlongo

    jimlongo Well-Known Member

    Joined: Mar 20, 2008
    Messages: 145
    Likes Received: 2
    Trophy Points: 18
    Okay, thank you.
    There are many of them in the last 24 hours, all with the originating IP in Texas, and all the request URIs have this Asian IP.
    Where is the request coming from in this case, and which is the proxy?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined: Apr 11, 2011
    Messages: 30,854
    Likes Received: 676
    Trophy Points: 113
    cPanel Access Level: Root Administrator
  6. quizknows

    quizknows Well-Known Member

    Joined: Oct 20, 2009
    Messages: 942
    Likes Received: 57
    Trophy Points: 28
    cPanel Access Level: DataCenter Provider
    Edit: never mind this post, read what Michael said.
     