ModSecurity - A Rule of is trying to block localhost

XxUnkn0wnxX

Member
Feb 3, 2014
22
0
1
cPanel Access Level
Website Owner
Hi, now i know this is a false positive.. and localhost cannot be blocked any way but a rule that i set in mod security keeps on getting picked up by the ip 127.0.0.1 - ModSecurity Tools, Hit List

f4QVT.png

now this is the current rule here:

Code:
#Block any HTTP GET request that has no referring URL
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945987,chain,msg:'GET request blocked, no referer'"
SecRule &HTTP_User-Agent "@eq 0" "chain"
SecRule REQUEST_METHOD "GET" "chain"
SecRule REQUEST_URI "^\/$"
this rule is required to block certain attacks but.. its getting annoying as my log file is getting full of these as show in the above image.

is there a way to modify the rule so it excludes that ip? - i have white listed IP Globally but it still gets detected...

and this gets logged every 5 min.
 
Last edited:

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
This is a custom rule that I wrote a while back to block POST requests that have no referrer or user agent. It's not supposed to be used for GET requests as it can block legitimate traffic if the traffic doesn't have a user agent.

Can you share the full error log entry?

Regardless, you should change all 3 instances of "GET" to "POST" for that rule to be effective and safe. If you do intend to block GET's with those attributes (No UA, No referer) then it's pretty easy to whitelist an IP. Looking at your other thread http://forums.cpanel.net/f185/modsecurity2-what-right-way-white-listing-ips-450562.html you should be OK once you change your whitelist file to be one IP per line instead of comma separated.

Again, restart apache after changes.
 
Last edited:

XxUnkn0wnxX

Member
Feb 3, 2014
22
0
1
cPanel Access Level
Website Owner
This is a custom rule that I wrote a while back to block POST requests that have no referrer or user agent. It's not supposed to be used for GET requests as it can block legitimate traffic if the traffic doesn't have a user agent.

Can you share the full error log entry?

Regardless, you should change all 3 instances of "GET" to "POST" for that rule to be effective and safe. If you do intend to block GET's with those attributes (No UA, No referer) then it's pretty easy to whitelist an IP. Looking at your other thread http://forums.cpanel.net/f185/modsecurity2-what-right-way-white-listing-ips-450562.html you should be OK once you change your whitelist file to be one IP per line instead of comma separated.

Again, restart apache after changes.
i need to use GET as i have received many attacks via no refer & no user agent.

but I'm unsure if this rule properly works though... i tried to block my own refer once and i still could access my site.. but when i placed a similar rule in "htaccess" it seemed to do the job but it was block legit users as well...

well this what i get also from the audit log:

Code:
--046fbb68-A--
[27/Jan/2015:14:35:03 +1100] VMcHZ8BjyUsAAFbgPWsAAACG 127.0.0.1 51607 127.0.0.1 80
--046fbb68-B--
GET / HTTP/1.0

--046fbb68-F--
HTTP/1.1 411 Length Required
Content-Length: 357
Connection: close
Content-Type: text/html; charset=iso-8859-1

--046fbb68-H--
Message: Access denied with code 411 (phase 2). Pattern match "^\\/$" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "2"] [id "187945987"] [msg "GET request blocked, no referer"]
Apache-Error: [file "core.c"] [line 3732] [level 3] File does not exist: /usr/local/apache/htdocs/411.shtml
Action: Intercepted (phase 2)
Stopwatch: 1422329703345258 317 (- - -)
Stopwatch2: 1422329703345258 317; combined=23, p1=2, p2=14, p3=0, p4=0, p5=7, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--046fbb68-Z--

--2550ff5b-A--
[27/Jan/2015:14:40:32 +1100] VMcIsMBjyUsAAFb9PbgAAAER 127.0.0.1 51616 127.0.0.1 80
--2550ff5b-B--
GET / HTTP/1.0

--2550ff5b-F--
HTTP/1.1 411 Length Required
Content-Length: 357
Connection: close
Content-Type: text/html; charset=iso-8859-1

--2550ff5b-H--
Message: Access denied with code 411 (phase 2). Pattern match "^\\/$" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "2"] [id "187945987"] [msg "GET request blocked, no referer"]
Apache-Error: [file "core.c"] [line 3732] [level 3] File does not exist: /usr/local/apache/htdocs/411.shtml
Action: Intercepted (phase 2)
Stopwatch: 1422330032840651 312 (- - -)
Stopwatch2: 1422330032840651 312; combined=26, p1=3, p2=15, p3=0, p4=0, p5=7, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--2550ff5b-Z--
f5e7Z.png

and it repeats and so on...
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Hello :)

Did you switch to one IP address per line in your whitelist as referenced in the previous post?

Thank you.
 

XxUnkn0wnxX

Member
Feb 3, 2014
22
0
1
cPanel Access Level
Website Owner
Hello :)

Did you switch to one IP address per line in your whitelist as referenced in the previous post?

Thank you.
yes but like i said it still picks up the 127.0.0.1 ip within the hit list...

127.0.0.1 should be whitelisted by cPanel in the main modsec2.conf

SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow,id:1234123455
no such rule exists within the main conf file

this all there is:

Code:
LoadFile /opt/xml2/lib/libxml2.so
# LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module  modules/mod_security2.so
<IfModule mod_security2.c>
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf 
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On 
# SecFilterForceByteRange 0 255
<IfModule mod_ruid2.c>
    SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
    SecAuditLogType Concurrent
</IfModule>
<IfModule itk.c>
    SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
    SecAuditLogType Concurrent
</IfModule>
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
Include "/usr/local/apache/conf/modsec2.user.conf"
Include "/usr/local/apache/conf/modsec2.cpanel.conf"
</IfModule>
 
Last edited:

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
That's really odd, that rule is on all my updated cPanel boxes.

Go ahead and add it to your modsec2.user.conf if you need to. I'd recommend randomizing the rule ID number.
 

XxUnkn0wnxX

Member
Feb 3, 2014
22
0
1
cPanel Access Level
Website Owner
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow,id:10011234

also placing it at the top of all my other rules seemed to fix the issue... as having the ID lower then all the others also helped...

i am not getting any more hits in the log.
 
Nov 13, 2007
11
1
53
Yep...that is nuts. I have just installed modsecurity on my VPS and it is reporting hits on localhost/127.0.0.1. Certainly this should be whitelisted from the getgo.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Yep...that is nuts. I have just installed modsecurity on my VPS and it is reporting hits on localhost/127.0.0.1. Certainly this should be whitelisted from the getgo.
Hello,

Did you install a particular rule set?

Thank you.