
mod_security 406 attacks and lfd

Discussion in 'Security' started by salvatore333, May 18, 2010.

  1. salvatore333 (Well-Known Member, joined Mar 27, 2003)
    Two of my servers are getting hit with mod_security 406 errors from different IP numbers every 30 minutes, starting 2 days ago. The csf firewall lfd is blocking the IPs, but this never happened to me before. Is there a way to stop these attacks or add an additional layer of security?

    I have searched all over the internet and cannot find any answers.

    One of the emails I got is below:


    Time: Tue May 18 21:11:48 2010 -0400
    IP: 85.159.90.33 (GB/United Kingdom/vps156.dns6.com)
    Failures: 5 (mod_security)
    Interval: 300 seconds
    Blocked: Yes

    Log entries:

    [Tue May 18 21:11:42 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "S-M6zkt@8qMAABH2"]
    [Tue May 18 21:11:42 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "S-M6zkt@8qMAABH5"]
    [Tue May 18 21:11:43 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "S-M6z0t@8qMAABH3"]
    [Tue May 18 21:11:43 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "S-M6z0t@8qMAABH4"]
    [Tue May 18 21:11:43 2010] [error] [client 85.159.90.33] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "9600"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id "S-M6z0t@8qMAABG"]

    -------------------------------------------------------------------------
     
  2. d_t (Well-Known Member, joined Sep 20, 2003, location Bucharest)
    Search the rules list for id "9600" and the Apache logs for strange queries. But I think it's a dc++ attack, see
    P2P Networks Hijacked for DDoS Attacks - Netcraft

    It's ok if lfd can block all attackers IPs. Otherwise, you need an external firewall.
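Neither post shows how to check what lfd is actually reacting to, so here is an added example (not code from either poster, nor from cPanel or csf): it parses ModSecurity denial lines in the format quoted in the alert, groups them per client IP and rule id, and applies the same 5-failures-in-300-seconds window the alert reports. The threshold and interval are assumed parameters, and the sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the ModSecurity 2.x denial lines Apache writes to error_log (the format quoted in the lfd alert).
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] ModSecurity: Access denied '
                     r'with code (?P<code>\d+) .*?\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\]')

def parse_line(line):
    """Return the fields of one ModSecurity denial as a dict, or None for lines that are not denials."""
    m = LINE_RE.search(line)
    if m:  # Apache error_log timestamps look like "Tue May 18 21:11:42 2010"
        return {**m.groupdict(), "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")}
    return None

def offenders(lines, threshold=5, interval=300):
    """Emulate the lfd trigger in the alert (assumed defaults: 5 hits in 300 s): {ip: (peak hits in one window, {rule id: hits})}."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)
    result = {}
    for ip, events in by_ip.items():
        times = sorted(e["ts"] for e in events)
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > interval:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            rules = defaultdict(int)
            for e in events:
                rules[e["id"]] += 1
            result[ip] = (best, dict(rules))
    return result

def modsec_line(ts, ip, rule_id="9600", msg="Method is not allowed by policy"):
    """Build a constructed error_log line in the same shape as the ones quoted in the alert."""
    return (f'[{ts}] [error] [client {ip}] ModSecurity: Access denied with code 406 (phase 1). '
            f'Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. '
            f'[file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "{rule_id}"] '
            f'[msg "{msg}"] [severity "CRITICAL"] [uri "/"] [unique_id "constructed"]')

# Constructed sample (RFC 5737 addresses): a five-hit burst like the alert's, a slow source under the threshold, one non-denial line.
SAMPLE_LINES = (
    [modsec_line(f"Tue May 18 21:11:4{s} 2010", "203.0.113.5") for s in (2, 2, 3, 3, 3)]
    + [modsec_line("Tue May 18 21:00:00 2010", "198.51.100.7"),
       modsec_line("Tue May 18 21:20:00 2010", "198.51.100.7"),
       "[Tue May 18 21:11:50 2010] [notice] Apache/2.2 configured -- resuming normal operations"]
)
```

Running `offenders(SAMPLE_LINES)` reports only the bursting address with five hits on rule 9600; widening the window or lowering the threshold brings the slow source in as well, which is the knob to look at before deciding whether lfd's reaction is too aggressive or too lax.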
     