mod_security 406 attacks and lfd

salvatore333

Two of my servers are getting hit with mod_security 406 errors from different IP numbers every 30 minutes, starting 2 days ago. CSF firewall LFD is blocking the IPs, but this never happened to me before. Is there a way to stop these attacks or add an additional layer of security?

I have searched all over the internet and cannot find any answers.

One of the emails I got is below:


Time: Tue May 18 21:11:48 2010 -0400
IP: 85.159.90.33 (GB/United Kingdom/vps156.dns6.com)
Failures: 5 (mod_security)
Interval: 300 seconds
Blocked: Yes

Log entries:

[Tue May 18 21:11:42 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "[email protected]"]
[Tue May 18 21:11:42 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "[email protected]"]
[Tue May 18 21:11:43 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "[email protected]"]
[Tue May 18 21:11:43 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "[email protected]"]
[Tue May 18 21:11:43 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "[email protected]"]

-------------------------------------------------------------------------
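Added example, not part of the original post and not lfd's own code: a small parser for ModSecurity error-log lines in the format quoted above, which groups denials by client IP and reports which clients reach the 5-failures-in-300-seconds threshold shown in the alert. The function names `parse_line` and `over_threshold` are hypothetical, and the sample lines are constructed with documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Leading part of an Apache 2.2-style error line carrying a ModSecurity denial.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
                     r'ModSecurity: Access denied with code (?P<code>\d+)')
# Trailing [key "value"] metadata: file, line, id, msg, severity, uri, unique_id.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_line(line):
    """Return a dict for a ModSecurity denial line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "ip": m["ip"], "code": int(m["code"]),
            "id": fields.get("id"), "msg": fields.get("msg"), "uri": fields.get("uri")}

def over_threshold(lines, failures=5, interval=300):
    """Map each IP to (time, rule id) of the hit that first reached the threshold.

    Defaults mirror the Failures/Interval values in the alert; lines must be
    in chronological order, as they are in the error log.
    """
    windows, tripped = defaultdict(deque), {}
    for hit in filter(None, map(parse_line, lines)):
        w = windows[hit["ip"]]
        w.append(hit["ts"])
        while (hit["ts"] - w[0]).total_seconds() > interval:
            w.popleft()                      # drop hits older than the window
        if len(w) >= failures and hit["ip"] not in tripped:
            tripped[hit["ip"]] = (hit["ts"], hit["id"])
    return tripped

# Constructed sample lines in the same shape as the log entries above.
TEMPLATE = ('[{ts}] [error] [client {ip}] ModSecurity: Access denied with code 406 '
            '(phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against '
            '"REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] '
            '[line "36"] [id "9600"] [msg "Method is not allowed by policy"] '
            '[severity "CRITICAL"] [uri "/"]')
SAMPLE = [TEMPLATE.format(ts=f"Tue May 18 21:11:4{s} 2010", ip="192.0.2.10")
          for s in (2, 2, 3, 3, 3)]
SAMPLE.append(TEMPLATE.format(ts="Tue May 18 21:20:00 2010", ip="198.51.100.7"))
SAMPLE.append("[Tue May 18 21:21:00 2010] [notice] caught SIGTERM, shutting down")

if __name__ == "__main__":
    for ip, (ts, rule) in over_threshold(SAMPLE).items():
        print(f"{ip} reached the threshold at {ts} on rule {rule}")
```

Running it over the real error log shows whether the same rule id and URI repeat across all the source IPs, which is the first thing to establish before deciding whether the rule or the block threshold needs changing.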