
mod_security 406 attacks and lfd

Discussion in 'Security' started by salvatore333, May 18, 2010.

  1. salvatore333

    Two of my servers are getting hit with mod_security 406 errors from different IP numbers every 30 minutes, starting 2 days ago. The csf firewall's lfd is blocking the IPs, but this has never happened to me before. Is there a way to stop these attacks or add an additional layer of security?

    I have searched all over the internet and cannot find any answers.

    One of the emails I got is below:


    Time: Tue May 18 21:11:48 2010 -0400
    IP: 85.159.90.33 (GB/United Kingdom/vps156.dns6.com)
    Failures: 5 (mod_security)
    Interval: 300 seconds
    Blocked: Yes

    Log entries:

    [Tue May 18 21:11:42 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "S-M6zkt@8qMAABH2"]
    [Tue May 18 21:11:42 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "S-M6zkt@8qMAABH5"]
    [Tue May 18 21:11:43 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "S-M6z0t@8qMAABH3"]
    [Tue May 18 21:11:43 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "S-M6z0t@8qMAABH4"]
    [Tue May 18 21:11:43 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "S-M6z0t@8qMAABG"]

    -------------------------------------------------------------------------
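Detection logic for the alert above, as an added example that is not part of the original post and is not csf/lfd's own code: a small Python script that parses ModSecurity "Access denied" lines in the Apache 2.2 error_log format shown, re-applies the 5-failures-in-300-seconds rule that lfd reported, and checks request methods against the regex from rule 9600. The second IP (192.0.2.10, a documentation-range address), its 40-minute-old hit, the unrelated notice line and the CONSTRUCTED-n unique IDs are made up for the example; the function names and the parsing regex are assumptions of this example, not anything from the thread.

```python
"""Replay of the lfd alert in the post: parse ModSecurity 'Access denied' lines from the
Apache error_log, then apply an lfd-style rule of N failures per IP within an interval.
Added example; the thresholds (5 failures / 300 seconds) are the ones shown in the alert."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.2 error_log format, as in the post ("[client IP]" with no port). Apache 2.4
# writes "[client IP:PORT]" and extra [pid ...] fields, so this pattern would need adjusting.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] '
    r'ModSecurity: Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)\. '
    r'.*?\[id "(?P<rule_id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# The method whitelist quoted in rule 9600's log line: only GET, POST, OPTIONS and HEAD pass.
METHOD_POLICY = re.compile(r"^((?:(?:POS|GE)T|OPTIONS|HEAD))$")


def method_allowed(method: str) -> bool:
    """True if REQUEST_METHOD matches the rule's regex (case-sensitive, as written)."""
    return METHOD_POLICY.match(method) is not None


def parse_modsec_lines(text: str) -> list:
    """Return one dict per ModSecurity deny line; unrelated error_log lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
        entries.append(entry)
    return entries


def lfd_style_blocks(entries, failures=5, interval=timedelta(seconds=300)):
    """Sliding-window count per IP: an IP is 'blocked' at the first timestamp at which
    `failures` deny lines fall inside the trailing `interval`. Returns {ip: block_time}."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    blocked = {}
    for ip, times in by_ip.items():
        window = deque()
        for t in sorted(times):
            window.append(t)
            while t - window[0] > interval:   # drop failures older than the interval
                window.popleft()
            if len(window) >= failures:
                blocked[ip] = t
                break
    return blocked


# --- constructed sample input (format copied from the alert in the post) -----------------
_TEMPLATE = (
    '[{ts}] [error] [client {ip}] ModSecurity: Access denied with code 406 (phase 1). '
    'Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. '
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] '
    '[msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] '
    '[unique_id "{uid}"]'
)


def _deny(ts, ip, uid):
    return _TEMPLATE.format(ts=ts, ip=ip, uid=uid)


SAMPLE_LOG = "\n".join([
    # the five hits from the alert in the post (same IP, within two seconds)
    _deny("Tue May 18 21:11:42 2010", "85.159.90.33", "S-M6zkt@8qMAABH2"),
    _deny("Tue May 18 21:11:42 2010", "85.159.90.33", "S-M6zkt@8qMAABH5"),
    _deny("Tue May 18 21:11:43 2010", "85.159.90.33", "S-M6z0t@8qMAABH3"),
    _deny("Tue May 18 21:11:43 2010", "85.159.90.33", "S-M6z0t@8qMAABH4"),
    _deny("Tue May 18 21:11:43 2010", "85.159.90.33", "S-M6z0t@8qMAABG"),
    # constructed: a second IP with five hits, but one of them is 40 minutes before the
    # other four, so at most four fall inside any 300 s window and lfd would not trigger
    _deny("Tue May 18 20:31:00 2010", "192.0.2.10", "CONSTRUCTED-1"),
    _deny("Tue May 18 21:11:50 2010", "192.0.2.10", "CONSTRUCTED-2"),
    _deny("Tue May 18 21:11:51 2010", "192.0.2.10", "CONSTRUCTED-3"),
    _deny("Tue May 18 21:11:52 2010", "192.0.2.10", "CONSTRUCTED-4"),
    _deny("Tue May 18 21:11:53 2010", "192.0.2.10", "CONSTRUCTED-5"),
    # constructed: an unrelated error_log line the parser must skip
    "[Tue May 18 21:11:54 2010] [notice] constructed line, not a ModSecurity event",
])

if __name__ == "__main__":
    events = parse_modsec_lines(SAMPLE_LOG)
    for ip, when in lfd_style_blocks(events).items():
        print(f"{ip} would be blocked at {when:%H:%M:%S}")
    for method in ("GET", "TRACE", "PROPFIND", "get"):
        print(f"{method:9} allowed={method_allowed(method)}")
```

Running it shows 85.159.90.33 blocked at 21:11:43 on its fifth hit, while 192.0.2.10 is not blocked because only four of its failures share a 300-second window; lowering `failures` to 4 blocks both. The method check also shows why a client sending TRACE, PROPFIND or a lower-case method trips the rule: the regex is anchored and case-sensitive, so anything but the four upper-case methods is a 406.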
  2. d_t

    Search the rules list for id "9600" and the Apache logs for strange queries. But I think it's a DC++ attack; see
    P2P Networks Hijacked for DDoS Attacks - Netcraft

    It's OK if lfd can block all the attackers' IPs. Otherwise, you need an external firewall.