The Community Forums
ModSec Rules Problem

Discussion in 'Security' started by Bulent Tekcan, Apr 13, 2016.

  1. Bulent Tekcan
    Bulent Tekcan, Well-Known Member

    Hello,

    I have aggressive protection on my server because I have a big forum on it. I also have a lot of rules in ModSec, but I got a lot of false blocks from one rule. Any idea why this rule blocked many IPs?

    Regards

    This is my ModSec rule (the forum's smiley filter had turned ":o" in "d(?:ownload" into ":eek:"; the regex below is the rule as written):

    Code:
    SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
    "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"
    SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"


    This is my sample log:

    Log entries:

    Code:
    [Wed Apr 13 07:27:02 2016] [error] [client 212.154.13.254] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-227474.html"] [unique_id "Vw3Klsc7pNIAAG0ODaoAAAAG"]
    [Wed Apr 13 07:27:02 2016] [error] [client 212.154.13.254] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-227474.html"] [unique_id "Vw3Klsc7pNIAAGvFgrwAAAAE"]
    [Wed Apr 13 07:27:03 2016] [error] [client 212.154.13.254] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-486162.html"] [unique_id "Vw3Klsc7pNIAAHmWJ34AAAAB"]
    [Wed Apr 13 07:27:03 2016] [error] [client 212.154.13.254] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-486162.html"] [unique_id "Vw3Kl8c7pNIAAGid95AAAAAF"]
    [Wed Apr 13 07:27:03 2016] [error] [client 212.154.13.254] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/showthread.php"] [unique_id "Vw3Kl8c7pNIAAGpIJP4AAAAH"]
    
     
    #1 Bulent Tekcan, Apr 13, 2016
    Last edited by a moderator: Apr 13, 2016
  2. cPanelMichael
    cPanelMichael, Forums Analyst, Staff Member (cPanel Access Level: Root Administrator)

    Hello :)

    The rule description suggests it's blocking requests when the "User-Agent" matches a value associated with an automated script, as opposed to an individual using a web browser. Have you reviewed the instances where the block is a false positive to see how they were accessing the URL?

    Thank you.
     
  3. quizknows
    quizknows, Well-Known Member (cPanel Access Level: DataCenter Provider)

    The log is saying your User Agent (browser identification) had one of the strings in that first line in it. If you go to a site like What's My User Agent?, it will show you how your browser is identifying itself and perhaps help you troubleshoot this.

    If you were using a script or program to interact with the site, this is a likely situation and you may need to whitelist your IP address.
     
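The rule in the first post and quizknows' reading of the log can be checked offline. The following is an added example, not the poster's, cPanel's or the Core Rule Set's own code: it re-implements the two-link chain in Python's `re` (the pattern uses only non-capturing groups, alternation and `\b`, which behave the same in PCRE and `re`), runs it over constructed User-Agent strings, and parses error-log entries in the exact format the post shows to tally denials per client and URI. The `lowercase` parameter is an assumption: the post does not show which transformations the server's SecDefaultAction applies, and whether `t:lowercase` is in effect changes which strings match. The User-Agent strings, the RFC 5737 client addresses, the placeholder unique_ids and the rule id 999001 in the sample log are all constructed for the example.

```python
"""Emulate the chained ModSecurity rule 990011 from the first post and tally
the denials it writes to the Apache error log.  Added example, not the
poster's, cPanel's or the CRS's own code."""
import re

# First link of the chain, copied from the post.  The forum's smiley filter
# had rewritten ":o" in "d(?:ownload" as ":eek:"; the original is restored.
# Only the first alternation group carries \b word boundaries, so "perl",
# "disco", "custo", "curl" etc. match as bare substrings anywhere in the
# header.  "eCatch" has an uppercase C and can never match once t:lowercase
# has run.
BAD_UA_RE = re.compile(
    r"(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b"
    r"|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)"
    r"|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)"
)
# Second link of the chain.  It is negated ("!^apache.*perl"), so the chain
# completes, and blocks, only when the User-Agent does NOT look like this.
APACHE_PERL_RE = re.compile(r"^apache.*perl")


def rule_990011_blocks(user_agent, lowercase=False):
    """Return the User-Agent fragment the chain would block on, or None.

    lowercase=True emulates a t:lowercase transformation inherited from
    SecDefaultAction.  The post does not show which transformations apply,
    so this is an assumption exposed as a parameter rather than hard-coded.
    """
    ua = user_agent.lower() if lowercase else user_agent
    hit = BAD_UA_RE.search(ua)
    if hit is None:
        return None          # link 1 fails: chain stops, request passes
    if APACHE_PERL_RE.search(ua):
        return None          # negated link 2 fails: chain stops, request passes
    # Both links matched.  ModSecurity logs the negated link exactly as the
    # post shows: Match of "rx ^apache.*perl" against
    # "REQUEST_HEADERS:User-Agent" required.
    return hit.group(0)


# Constructed User-Agent strings (not taken from the poster's logs).
CONSTRUCTED_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0",
    "curl/7.47.0",
    "Wget/1.17.1 (linux-gnu)",                          # only with t:lowercase
    "Mozilla/5.0 (compatible; Hyperlink Checker/1.0)",  # "perl" in "Hyperlink"
    "Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)",  # "disco"
    "apache-perl-client/1.0",                           # exempted by link 2
]

# One error-log entry per line, in the format shown in the post.  Constructed:
# RFC 5737 addresses, placeholder unique_ids, and a made-up rule id 999001 for
# a denial that rule 990011 did not produce.
SAMPLE_LOG = """\
[Wed Apr 13 07:27:02 2016] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-227474.html"] [unique_id "constructed0001"]
[Wed Apr 13 07:27:03 2016] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/showthread.php"] [unique_id "constructed0002"]
[Wed Apr 13 07:27:05 2016] [error] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "constructed" at ARGS:q. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "12"] [id "999001"] [msg "constructed other rule"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/search.php"] [unique_id "constructed0003"]
"""

# The three fields needed to triage a rule: who was denied, by which rule, on
# which URI.  They appear in this order in every ModSecurity 2.x entry.
LOG_ENTRY_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\].*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)


def summarize_blocks(log_text, rule_id="990011"):
    """Map each client IP denied by rule_id to the URIs it was denied on."""
    per_client = {}
    for entry in LOG_ENTRY_RE.finditer(log_text):
        if entry.group("id") == rule_id:
            per_client.setdefault(entry.group("client"), []).append(entry.group("uri"))
    return per_client


if __name__ == "__main__":
    for ua in CONSTRUCTED_UAS:
        print(f"{ua[:60]:60} default={rule_990011_blocks(ua)!r} "
              f"lowercase={rule_990011_blocks(ua, lowercase=True)!r}")
    for client, uris in summarize_blocks(SAMPLE_LOG).items():
        print(f"{client}: {len(uris)} denials by 990011 on {sorted(set(uris))}")
```

Running the script shows the two things a practitioner wants to know before whitelisting anything: which substring of a given User-Agent the rule keys on (the constructed "Hyperlink Checker" and "discordapp.com" strings are blocked on "perl" and "disco", not on any scraper name), and which clients and URIs a single rule id is responsible for in the error log. If the real User-Agents turn out to be legitimate, the usual ModSecurity 2.x fix is narrower than disabling the rule: a phase 1 rule such as `SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" "id:<unused id>,phase:1,nolog,allow,ctl:ruleRemoveById=990011"` (address and id are placeholders) exempts one client from rule 990011 only.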