The Community Forums

Interact with an entire community of cPanel & WHM users!

ModSecurity - A Rule of is trying to block localhost

Discussion in 'Security' started by XxUnkn0wnxX, Jan 26, 2015.

  1. XxUnkn0wnxX (Member, cPanel Access Level: Website Owner)

    Hi, now I know this is a false positive, and localhost cannot be blocked anyway, but a rule that I set in ModSecurity keeps on getting picked up by the IP 127.0.0.1 in ModSecurity Tools, Hit List:

    [screenshot of the ModSecurity Tools hit list]

    Now this is the current rule:

    Code:
    # Block any HTTP GET request for "/" that has no Referer and no User-Agent header.
    # Chained rule: every SecRule below must match before the deny in the first one fires.
    # Header counts use ModSecurity 2's REQUEST_HEADERS collection, and the method match is anchored.
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "phase:2,deny,status:411,id:187945987,chain,msg:'GET request blocked, no referer'"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "chain"
    SecRule REQUEST_METHOD "^GET$" "chain"
    SecRule REQUEST_URI "^\/$"
    
    This rule is required to block certain attacks, but it's getting annoying as my log file is getting full of these, as shown in the above image.

    Is there a way to modify the rule so it excludes that IP? I have whitelisted the IP globally but it still gets detected...

    And this gets logged every 5 min.
     
    #1 XxUnkn0wnxX, Jan 26, 2015
    Last edited: Jan 26, 2015
  2. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)

    This is a custom rule that I wrote a while back to block POST requests that have no referrer or user agent. It's not supposed to be used for GET requests as it can block legitimate traffic if the traffic doesn't have a user agent.

    Can you share the full error log entry?

    Regardless, you should change all 3 instances of "GET" to "POST" for that rule to be effective and safe. If you do intend to block GETs with those attributes (no UA, no referer) then it's pretty easy to whitelist an IP. Looking at your other thread http://forums.cpanel.net/f185/modsecurity2-what-right-way-white-listing-ips-450562.html you should be OK once you change your whitelist file to be one IP per line instead of comma separated.

    Again, restart Apache after changes.
     
    #2 quizknows, Jan 26, 2015
    Last edited: Jan 26, 2015
  3. XxUnkn0wnxX (Member, cPanel Access Level: Website Owner)

    I need to use GET, as I have received many attacks via no referer & no user agent.

    But I'm unsure if this rule properly works though... I tried to block my own referer once and I still could access my site, but when I placed a similar rule in .htaccess it seemed to do the job, although it was blocking legit users as well...

    Well, this is what I also get from the audit log:

    Code:
    --046fbb68-A--
    [27/Jan/2015:14:35:03 +1100] VMcHZ8BjyUsAAFbgPWsAAACG 127.0.0.1 51607 127.0.0.1 80
    --046fbb68-B--
    GET / HTTP/1.0
    
    --046fbb68-F--
    HTTP/1.1 411 Length Required
    Content-Length: 357
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    --046fbb68-H--
    Message: Access denied with code 411 (phase 2). Pattern match "^\\/$" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "2"] [id "187945987"] [msg "GET request blocked, no referer"]
    Apache-Error: [file "core.c"] [line 3732] [level 3] File does not exist: /usr/local/apache/htdocs/411.shtml
    Action: Intercepted (phase 2)
    Stopwatch: 1422329703345258 317 (- - -)
    Stopwatch2: 1422329703345258 317; combined=23, p1=2, p2=14, p3=0, p4=0, p5=7, sr=0, sw=0, l=0, gc=0
    Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
    Server: Apache
    Engine-Mode: "ENABLED"
    
    --046fbb68-Z--
    
    --2550ff5b-A--
    [27/Jan/2015:14:40:32 +1100] VMcIsMBjyUsAAFb9PbgAAAER 127.0.0.1 51616 127.0.0.1 80
    --2550ff5b-B--
    GET / HTTP/1.0
    
    --2550ff5b-F--
    HTTP/1.1 411 Length Required
    Content-Length: 357
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    --2550ff5b-H--
    Message: Access denied with code 411 (phase 2). Pattern match "^\\/$" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "2"] [id "187945987"] [msg "GET request blocked, no referer"]
    Apache-Error: [file "core.c"] [line 3732] [level 3] File does not exist: /usr/local/apache/htdocs/411.shtml
    Action: Intercepted (phase 2)
    Stopwatch: 1422330032840651 312 (- - -)
    Stopwatch2: 1422330032840651 312; combined=26, p1=3, p2=15, p3=0, p4=0, p5=7, sr=0, sw=1, l=0, gc=0
    Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
    Server: Apache
    Engine-Mode: "ENABLED"
    
    --2550ff5b-Z--
    [screenshot of the ModSecurity Tools hit list]

    And it repeats, and so on...
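    The audit-log entries above can be reduced to a per-rule, per-client tally, which shows at a glance whether 127.0.0.1 is the only client tripping rule 187945987 and confirms that those requests really carry no User-Agent and no Referer. This is an added example, not code from the thread or from cPanel; it targets the native ModSecurity 2.x audit-log layout (`--<id>-<section>--` boundaries, A/B/H sections) and the second log entry, its transaction id and its IPs are constructed.

```python
import re
from collections import Counter

# Constructed sample (native audit-log layout): a localhost hit as quoted in the thread, plus a made-up external client.
SAMPLE_LOG = r"""--046fbb68-A--
[27/Jan/2015:14:35:03 +1100] VMcHZ8BjyUsAAFbgPWsAAACG 127.0.0.1 51607 127.0.0.1 80
--046fbb68-B--
GET / HTTP/1.0
--046fbb68-H--
Message: Access denied with code 411 (phase 2). Pattern match "^\\/$" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "2"] [id "187945987"] [msg "GET request blocked, no referer"]
--046fbb68-Z--
--0a1b2c3d-A--
[27/Jan/2015:14:36:10 +1100] CONSTRUCTEDID0000000001 203.0.113.5 40001 198.51.100.7 80
--0a1b2c3d-B--
GET / HTTP/1.0
--0a1b2c3d-H--
Message: Access denied with code 411 (phase 2). Pattern match "^\\/$" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "2"] [id "187945987"] [msg "GET request blocked, no referer"]
--0a1b2c3d-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")        # --<txid>-<section>--
A_LINE = re.compile(r"^\[[^\]]+\] \S+ (\S+) \d+ \S+ \d+$")  # group 1 = client IP
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')                    # [id "..."] [msg "..."]

def parse_audit_log(text):
    # Returns {transaction id: {section letter: [lines]}}.
    entries, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = entries.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return entries

def summarize(sections):
    # Client IP, request line, header presence and matched rule ids for one transaction.
    req = sections.get("B", [])
    headers = {l.split(":", 1)[0].lower() for l in req[1:] if ":" in l}
    messages = [l for l in sections.get("H", []) if l.startswith("Message:")]
    return {"client": A_LINE.match(sections["A"][0]).group(1), "request": req[0] if req else "",
            "has_referer": "referer" in headers, "has_ua": "user-agent" in headers,
            "denied": any("Access denied" in l for l in messages),
            "rule_ids": [dict(TAG.findall(l)).get("id") for l in messages]}

def hits_by_rule_and_client(text):
    # Count denied transactions per (rule id, client IP) so localhost noise stands out.
    counts = Counter()
    for s in map(summarize, parse_audit_log(text).values()):
        counts.update((rid, s["client"]) for rid in s["rule_ids"] if s["denied"])
    return counts
```

Run it against a real modsec_audit.log to see whether the whitelist rule discussed below actually removes the 127.0.0.1 entries or only hides them from the hit list.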
     
  5. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)

    127.0.0.1 should be whitelisted by cPanel in the main modsec2.conf:

    SecRule REMOTE_ADDR "^127\.0\.0\.1$" "nolog,allow,id:1234123455"
     
  6. XxUnkn0wnxX (Member, cPanel Access Level: Website Owner)

    Yes, but like I said, it still picks up the 127.0.0.1 IP within the hit list...

    No such rule exists within the main conf file.

    This is all there is:

    Code:
    LoadFile /opt/xml2/lib/libxml2.so
    # LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module  modules/mod_security2.so
    <IfModule mod_security2.c>
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf 
    #  "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On 
    # SecFilterForceByteRange 0 255
    <IfModule mod_ruid2.c>
        SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
        SecAuditLogType Concurrent
    </IfModule>
    <IfModule itk.c>
        SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
        SecAuditLogType Concurrent
    </IfModule>
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:406"
    Include "/usr/local/apache/conf/modsec2.user.conf"
    Include "/usr/local/apache/conf/modsec2.cpanel.conf"
    </IfModule>
    
     
    #6 XxUnkn0wnxX, Jan 27, 2015
    Last edited: Jan 27, 2015
  7. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)

    That's really odd; that rule is on all my updated cPanel boxes.

    Go ahead and add it to your modsec2.user.conf if you need to. I'd recommend randomizing the rule ID number.
     
  8. XxUnkn0wnxX (Member, cPanel Access Level: Website Owner)

    SecRule REMOTE_ADDR "^127\.0\.0\.1$" "nolog,allow,id:10011234"

    Also, placing it at the top of all my other rules seemed to fix the issue... having the ID lower than all the others also helped...

    I am not getting any more hits in the log.
     
  9. Tool Outfitters

    Yep... that is nuts. I have just installed ModSecurity on my VPS and it is reporting hits on localhost/127.0.0.1. Certainly this should be whitelisted from the get-go.
     
  10. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

    Hello,

    Did you install a particular rule set?

    Thank you.
     
  11. Tool Outfitters

    Just the OWASP ModSecurity Core Rule Set.
     