ModSecurity Inbound Anomaly Score Exceeded

filip212

Member
Aug 22, 2017
19
1
3
Slovakia
cPanel Access Level
Root Administrator
Hello,
I have some questions about ModSecurity.
I have this email:
Time: Tue Aug 29 17:56:39 2017 +0200
IP: [Removed]
Failures: 10 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

[Tue Aug 29 17:56:34.795036 2017] [:error] [pid 10514] [Removed] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "HOSTNAME.DOMAIN"] [uri "/"] [unique_id "WaWOsqtPbXT0HgjokYeQUAAAAAY"]

What does it mean? My CSF firewall blocked this ip permanently. Is this real attack? Or i have missconfigured something? I have enabled all modsecurity rules i do shared hosting on this host we have clients with some CMS installed. Some static pages, etc...
I searched IP [Removed] at clients but i found nothing like this IP.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463

filip212

Member
Aug 22, 2017
19
1
3
Slovakia
cPanel Access Level
Root Administrator
Thank you but what does it mean? I need disable some rules or is all settings good and this is real attack? I have fear if is it not blocking IP addresses of potencial customers or clients of some webpages...
 

fuzzylogic

Well-Known Member
Nov 8, 2014
154
93
78
cPanel Access Level
Root Administrator
I see the the 10 log entries (has been edited now to only 1 log entry) from the csf email (csf copied them from your Apache error_log file) as indicating a number of things.
Firstly about your server setup.
  1. Modsecurity is functioning
    (thats a good thing)
  2. Modsecurity has a functioning rule set. (OWASP3 cPanel's curated owasp crs version 3.0.0)
    (that's a good thing)
  3. Modsecurity is writing 403 hits to apache's error_log file
    (thats a good thing)
  4. csf is configured to parse apache's error_log for the phrase "Access denied with code 403" and count the hits for each ip.
    (thats a good thing)
  5. cfs is adding ips to its permanent block list when they exceed the rate configured (in your csf configuration file) for your server.
    10 x requests with 403 response in 1 hour per ip in your case
    (thats a good thing)
Now to the requests themselves.
  1. Each of the errors logged has a different [unique_id "WaWOsqtPbXT0HgjokYeQUAAAAAY"]. This confirms that are if fact 10 separate requests.
  2. They all occur between the times 17:56:33.536893 and 17:56:34.795036, that is a space of 1.3 seconds.
    That looks like the fingerprint a vulnerability scanner, but you don't really know if you don't look at your logs to see what the requests actually were.
  3. Each request had [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"], which means each request hit 2 other high scoring rules before it got to rule 949110. These details are in your modsec_audit.log. Details about how to find them is in the post cPanel Micheal linked to.
A quick way to see the requests for this incident is to use the Configserver Firewall interface go to...
CSF >> Search System Logs >> /usr/local/apache/logs/access_log
And search with the regex below. That is hour and minute of the event .*[space] followed by the banned ip.
17:56.* IP
This will show the uri, GET or POST and any GET parameters.
If you want more detailed information about the event read the other post.

Lastly vulnerability scanners are a common source traffic hitting web servers.
Expect at least 1 of those emails each day, there are thousands of ips running vulnerability scanners.