ModSecurity Inbound Anomaly Score Exceeded

[filip212]

Hello,
I have some questions about ModSecurity.
I have this email:
Time: Tue Aug 29 17:56:39 2017 +0200
IP: [Removed]
Failures: 10 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

[Tue Aug 29 17:56:34.795036 2017] [:error] [pid 10514] [Removed] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "HOSTNAME.DOMAIN"] [uri "/"] [unique_id "WaWOsqtPbXT0HgjokYeQUAAAAAY"]

What does it mean? My CSF firewall blocked this ip permanently. Is this real attack? Or i have missconfigured something? I have enabled all modsecurity rules i do shared hosting on this host we have clients with some CMS installed. Some static pages, etc...
I searched IP [Removed] at clients but i found nothing like this IP.

 

[cPanelMichael]

Hello,

The message suggests one of your OWASP Mod_Security rules blocked an access request. You can see more information about that rule ID 949110 at:

owasp-modsecurity-crs/REQUEST-949-BLOCKING-EVALUATION.conf at v3.0/master · SpiderLabs/owasp-modsecurity-crs · GitHub

Here's a recent thread with discussion of troubleshooting this type of issue that you may find helpful:

ModSec shows security scanner scanning 127.0.0.1

Thank you.

 

[filip212]

Thank you but what does it mean? I need disable some rules or is all settings good and this is real attack? I have fear if is it not blocking IP addresses of potencial customers or clients of some webpages...

 

[fuzzylogic]

I see the the 10 log entries (has been edited now to only 1 log entry) from the csf email (csf copied them from your Apache error_log file) as indicating a number of things.
Firstly about your server setup.

1. Modsecurity is functioning
   (thats a good thing)
2. Modsecurity has a functioning rule set. (OWASP3 cPanel's curated owasp crs version 3.0.0)
   (that's a good thing)
3. Modsecurity is writing 403 hits to apache's error_log file
   (thats a good thing)
   
4. csf is configured to parse apache's error_log for the phrase "Access denied with code 403" and count the hits for each ip.
   (thats a good thing)
5. cfs is adding ips to its permanent block list when they exceed the rate configured (in your csf configuration file) for your server.
   10 x requests with 403 response in 1 hour per ip in your case
   (thats a good thing)

Now to the requests themselves.

1. Each of the errors logged has a different [unique_id "WaWOsqtPbXT0HgjokYeQUAAAAAY"]. This confirms that are if fact 10 separate requests.
2. They all occur between the times 17:56:33.536893 and 17:56:34.795036, that is a space of 1.3 seconds.
   That looks like the fingerprint a vulnerability scanner, but you don't really know if you don't look at your logs to see what the requests actually were.
   
3. Each request had [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"], which means each request hit 2 other high scoring rules before it got to rule 949110. These details are in your modsec_audit.log. Details about how to find them is in the post cPanel Micheal linked to.

A quick way to see the requests for this incident is to use the Configserver Firewall interface go to...
CSF >> Search System Logs >> /usr/local/apache/logs/access_log
And search with the regex below. That is hour and minute of the event .*[space] followed by the banned ip.
17:56.* IP
This will show the uri, GET or POST and any GET parameters.
If you want more detailed information about the event read the other post.

Lastly vulnerability scanners are a common source traffic hitting web servers.
Expect at least 1 of those emails each day, there are thousands of ips running vulnerability scanners.