ModSecurity - A Rule of is trying to block localhost

[XxUnkn0wnxX]

Hi, now i know this is a false positive.. and localhost cannot be blocked any way but a rule that i set in mod security keeps on getting picked up by the ip 127.0.0.1 - ModSecurity Tools, Hit List



now this is the current rule here:

#Block any HTTP GET request that has no referring URL
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945987,chain,msg:'GET request blocked, no referer'"
SecRule &HTTP_User-Agent "@eq 0" "chain"
SecRule REQUEST_METHOD "GET" "chain"
SecRule REQUEST_URI "^\/$"

this rule is required to block certain attacks but.. its getting annoying as my log file is getting full of these as show in the above image.

is there a way to modify the rule so it excludes that ip? - i have white listed IP Globally but it still gets detected...

and this gets logged every 5 min.

 

[quizknows]

This is a custom rule that I wrote a while back to block POST requests that have no referrer or user agent. It's not supposed to be used for GET requests as it can block legitimate traffic if the traffic doesn't have a user agent.

Can you share the full error log entry?

Regardless, you should change all 3 instances of "GET" to "POST" for that rule to be effective and safe. If you do intend to block GET's with those attributes (No UA, No referer) then it's pretty easy to whitelist an IP. Looking at your other thread http://forums.cpanel.net/f185/modsecurity2-what-right-way-white-listing-ips-450562.html you should be OK once you change your whitelist file to be one IP per line instead of comma separated.

Again, restart apache after changes.

 

[XxUnkn0wnxX]

This is a custom rule that I wrote a while back to block POST requests that have no referrer or user agent. It's not supposed to be used for GET requests as it can block legitimate traffic if the traffic doesn't have a user agent.

Can you share the full error log entry?

Regardless, you should change all 3 instances of "GET" to "POST" for that rule to be effective and safe. If you do intend to block GET's with those attributes (No UA, No referer) then it's pretty easy to whitelist an IP. Looking at your other thread http://forums.cpanel.net/f185/modsecurity2-what-right-way-white-listing-ips-450562.html you should be OK once you change your whitelist file to be one IP per line instead of comma separated.

Again, restart apache after changes.

i need to use GET as i have received many attacks via no refer & no user agent.

but I'm unsure if this rule properly works though... i tried to block my own refer once and i still could access my site.. but when i placed a similar rule in "htaccess" it seemed to do the job but it was block legit users as well...

well this what i get also from the audit log:

--046fbb68-A--
[27/Jan/2015:14:35:03 +1100] VMcHZ8BjyUsAAFbgPWsAAACG 127.0.0.1 51607 127.0.0.1 80
--046fbb68-B--
GET / HTTP/1.0

--046fbb68-F--
HTTP/1.1 411 Length Required
Content-Length: 357
Connection: close
Content-Type: text/html; charset=iso-8859-1

--046fbb68-H--
Message: Access denied with code 411 (phase 2). Pattern match "^\\/$" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "2"] [id "187945987"] [msg "GET request blocked, no referer"]
Apache-Error: [file "core.c"] [line 3732] [level 3] File does not exist: /usr/local/apache/htdocs/411.shtml
Action: Intercepted (phase 2)
Stopwatch: 1422329703345258 317 (- - -)
Stopwatch2: 1422329703345258 317; combined=23, p1=2, p2=14, p3=0, p4=0, p5=7, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--046fbb68-Z--

--2550ff5b-A--
[27/Jan/2015:14:40:32 +1100] VMcIsMBjyUsAAFb9PbgAAAER 127.0.0.1 51616 127.0.0.1 80
--2550ff5b-B--
GET / HTTP/1.0

--2550ff5b-F--
HTTP/1.1 411 Length Required
Content-Length: 357
Connection: close
Content-Type: text/html; charset=iso-8859-1

--2550ff5b-H--
Message: Access denied with code 411 (phase 2). Pattern match "^\\/$" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "2"] [id "187945987"] [msg "GET request blocked, no referer"]
Apache-Error: [file "core.c"] [line 3732] [level 3] File does not exist: /usr/local/apache/htdocs/411.shtml
Action: Intercepted (phase 2)
Stopwatch: 1422330032840651 312 (- - -)
Stopwatch2: 1422330032840651 312; combined=26, p1=3, p2=15, p3=0, p4=0, p5=7, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--2550ff5b-Z--

and it repeats and so on...

 

[cPanelMichael]

Hello

Did you switch to one IP address per line in your whitelist as referenced in the previous post?

Thank you.

 

[quizknows]

127.0.0.1 should be whitelisted by cPanel in the main modsec2.conf

SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow,id:1234123455

 

[XxUnkn0wnxX]

Hello

Did you switch to one IP address per line in your whitelist as referenced in the previous post?

Thank you.

yes but like i said it still picks up the 127.0.0.1 ip within the hit list...

127.0.0.1 should be whitelisted by cPanel in the main modsec2.conf

SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow,id:1234123455

no such rule exists within the main conf file

this all there is:

LoadFile /opt/xml2/lib/libxml2.so
# LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module  modules/mod_security2.so
<IfModule mod_security2.c>
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf 
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On 
# SecFilterForceByteRange 0 255
<IfModule mod_ruid2.c>
    SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
    SecAuditLogType Concurrent
</IfModule>
<IfModule itk.c>
    SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
    SecAuditLogType Concurrent
</IfModule>
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
Include "/usr/local/apache/conf/modsec2.user.conf"
Include "/usr/local/apache/conf/modsec2.cpanel.conf"
</IfModule>

 

[quizknows]

That's really odd, that rule is on all my updated cPanel boxes.

Go ahead and add it to your modsec2.user.conf if you need to. I'd recommend randomizing the rule ID number.

 

[XxUnkn0wnxX]

SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow,id:10011234

also placing it at the top of all my other rules seemed to fix the issue... as having the ID lower then all the others also helped...

i am not getting any more hits in the log.

 

[Tool Outfitters]

Yep...that is nuts. I have just installed modsecurity on my VPS and it is reporting hits on localhost/127.0.0.1. Certainly this should be whitelisted from the getgo.

 

[cPanelMichael]

Yep...that is nuts. I have just installed modsecurity on my VPS and it is reporting hits on localhost/127.0.0.1. Certainly this should be whitelisted from the getgo.

Hello,

Did you install a particular rule set?

Thank you.

 

[Tool Outfitters]

Just the OWASP Modsecurity Core Rule Set.http://go.cpanel.net/modsecurityowasp