The Community Forums
ModSecurity Inbound Anomaly Score Exceeded

Discussion in 'Security' started by filip212, Aug 29, 2017.

  1. filip212

    filip212 Member

    Hello,
    I have some questions about ModSecurity.
    I have this email:
    Time: Tue Aug 29 17:56:39 2017 +0200
    IP: [Removed]
    Failures: 10 (mod_security)
    Interval: 3600 seconds
    Blocked: Permanent Block

    Log entries:

    [Tue Aug 29 17:56:34.795036 2017] [:error] [pid 10514] [Removed] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "HOSTNAME.DOMAIN"] [uri "/"] [unique_id "WaWOsqtPbXT0HgjokYeQUAAAAAY"]

    What does it mean? My CSF firewall blocked this IP permanently. Is this a real attack? Or have I misconfigured something? I have enabled all ModSecurity rules. I do shared hosting on this host; we have clients with some CMS installed, some static pages, etc.
    I searched for IP [Removed] among the clients but found nothing like this IP.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. filip212

    filip212 Member

    Thank you, but what does it mean? Do I need to disable some rules, or are all settings good and this is a real attack? I fear it may be blocking the IP addresses of potential customers or clients of some webpages...
     
  4. fuzzylogic

    fuzzylogic Well-Known Member

    I see the 10 log entries (the post has since been edited down to only 1 log entry) from the CSF email (CSF copied them from your Apache error_log file) as indicating a number of things.
    Firstly, about your server setup.
    1. ModSecurity is functioning
      (that's a good thing)
    2. ModSecurity has a functioning rule set (OWASP3, cPanel's curated OWASP CRS version 3.0.0)
      (that's a good thing)
    3. ModSecurity is writing 403 hits to Apache's error_log file
      (that's a good thing)
    4. CSF is configured to parse Apache's error_log for the phrase "Access denied with code 403" and count the hits for each IP.
      (that's a good thing)
    5. CSF is adding IPs to its permanent block list when they exceed the rate configured (in your CSF configuration file) for your server.
      10 x requests with a 403 response in 1 hour per IP in your case
      (that's a good thing)
    Now to the requests themselves.
    1. Each of the errors logged has a different [unique_id "WaWOsqtPbXT0HgjokYeQUAAAAAY"]. This confirms that there are in fact 10 separate requests.
    2. They all occur between the times 17:56:33.536893 and 17:56:34.795036, that is, a span of 1.3 seconds.
      That looks like the fingerprint of a vulnerability scanner, but you don't really know unless you look at your logs to see what the requests actually were.
    3. Each request had [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"], which means each request hit 2 other high-scoring rules before it got to rule 949110. These details are in your modsec_audit.log. Details about how to find them are in the post cPanelMichael linked to.
    A quick way to see the requests for this incident is to use the ConfigServer Firewall interface and go to...
    CSF >> Search System Logs >> /usr/local/apache/logs/access_log
    and search with the regex below. That is the hour and minute of the event, .*[space], followed by the banned IP.
    17:56.* IP
    This will show the URI, GET or POST, and any GET parameters.
    If you want more detailed information about the event, read the other post.

    Lastly, vulnerability scanners are a common source of traffic hitting web servers.
    Expect at least 1 of those emails each day; there are thousands of IPs running vulnerability scanners.
     
    linux4me2, Infopro and cPanelMichael like this.
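
The triage fuzzylogic describes above (CSF counting "Access denied with code 403" error_log lines per IP within its interval, then pulling the matching access_log requests by minute and IP), as an added Python example that is not part of the thread and not cPanel's, CSF's or ModSecurity's code. It assumes the "[Removed]" field in the quoted line is Apache's usual "[client IP:PORT]"; the log lines, IPs (RFC 5737 documentation ranges), ports, hostnames and unique_ids are constructed for the example, and the 10-in-3600-seconds threshold mirrors the numbers in the CSF email.

```python
"""Triage ModSecurity 403 denials the way CSF's LF_MODSEC counter does.
Added example for the thread above; not cPanel's, CSF's or ModSecurity's code.
Sample lines below are constructed in the format quoted in the first post."""
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.4 error_log line as ModSecurity writes it. The "[Removed]" field in the
# thread is assumed to be Apache's usual "[client IP:PORT]".
ERROR_RE = re.compile(
    r'^\[(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{6} \d{4})\] '
    r'\[:error\] \[pid \d+\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: Access denied with code (?P<code>\d{3})'
)
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "949110"], [uri "/"], ...
SCORE_RE = re.compile(r'Total Score: (\d+)')
IPV4_PORT_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}:\d+')


def parse_denial(line):
    """Return a dict for a ModSecurity 'Access denied' error_log line, else None."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    client = m.group("client")
    # Drop ":PORT" from an IPv4 client field; anything else (IPv6) is kept as-is.
    ip = client.rsplit(":", 1)[0] if IPV4_PORT_RE.fullmatch(client) else client
    fields = dict(KV_RE.findall(line))
    score = SCORE_RE.search(fields.get("msg", ""))
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y"),
        "ip": ip,
        "code": int(m.group("code")),
        "rule_id": fields.get("id"),
        "score": int(score.group(1)) if score else None,
        "uri": fields.get("uri"),
        "unique_id": fields.get("unique_id"),
    }


def ips_over_limit(lines, limit=10, interval=3600):
    """Mimic CSF's per-IP check: flag IPs with at least `limit` 403 denials
    inside any `interval`-second window. Returns {ip: peak count in a window}."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_denial(line)
        if ev and ev["code"] == 403:
            by_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted times
            while (t - times[start]).total_seconds() > interval:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= limit:
            flagged[ip] = peak
    return flagged


def access_log_for(lines, ip, hhmm):
    """The 'hour:minute ... IP' search from the post, on combined-format access_log lines."""
    pat = re.compile(rf'^{re.escape(ip)} .*:{re.escape(hhmm)}:\d{{2}} ')
    return [l for l in lines if pat.match(l)]


# ---- constructed sample data (not from the thread) ---------------------------
def _denial(ts, ip, port, uid, uri="/", score=8):
    return (f'[{ts}] [:error] [pid 10514] [client {ip}:{port}] ModSecurity: Access denied '
            f'with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
            f'[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/'
            f'REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] '
            f'[msg "Inbound Anomaly Score Exceeded (Total Score: {score})"] [severity "CRITICAL"] '
            f'[hostname "www.example"] [uri "{uri}"] [unique_id "{uid}"]')

SCANNER = "203.0.113.5"   # ten denials from one address inside 1.3 seconds
SAMPLE_ERROR_LOG = [
    _denial(f"Tue Aug 29 17:56:{33 + i // 8}.{(536893 + i * 130000) % 1000000:06d} 2017",
            SCANNER, 40000 + i, f"WaWOsq{i:02d}")
    for i in range(10)
] + [
    _denial("Tue Aug 29 17:58:01.000000 2017", "198.51.100.7", 51000, "WaWOsqXX"),
    "[Tue Aug 29 17:58:02.000000 2017] [:error] [pid 10514] [client 198.51.100.7:51001] "
    "File does not exist: /home/user/public_html/favicon.ico",
]
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [29/Aug/2017:17:56:33 +0200] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Aug/2017:17:56:34 +0200] "GET /?a=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Aug/2017:17:56:40 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Aug/2017:18:02:10 +0200] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in ips_over_limit(SAMPLE_ERROR_LOG).items():
        print(f"{ip}: {n} x 403 within the interval -> CSF would block")
        for req in access_log_for(SAMPLE_ACCESS_LOG, ip, "17:56"):
            print("  ", req)
```

Run against a real host, feed `ips_over_limit` the lines of /usr/local/apache/logs/error_log (or /etc/apache2/logs/error_log on EA4) and `access_log_for` the access_log lines; the parsed `unique_id` is the key to look the request up in modsec_audit.log, and `score` is the anomaly total that rule 949110 reported.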