Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ModSecurity Question...

Discussion in 'Security' started by wineo, Aug 6, 2009.

  1. wineo

    wineo Active Member

    Joined:
    Aug 30, 2003
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Perth, Australia
    I am monitoring the error logs on one of our servers and an entry that I keep seeing looks serious... and I just wanted to check with you guys if there is anything going on here and if there is anything that we should be doing to stop this. Here is the entry:

    [Thu Aug 06 18:30:54 2009] [error] [client 122.162.154.231] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "v___s.com.au"] [uri "/"] [unique_id "8CiXEXZ-DmgAACbYkXkAAAAR"]

    Thanks.
     
    #1 wineo, Aug 6, 2009
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    8
    Trophy Points:
    193
    You already have!

    Your ModSecurity is simply notifying you that it already stopped the connection listed. ;)

    If you want to take things a step further, you could block the IP at your firewall or drop the TCP packets with iptables but unless you are under some massive attack, it's really not necessary.
     
    #2 Spiral, Aug 6, 2009
    Last edited: Aug 6, 2009
  3. wineo

    wineo Active Member

    Joined:
    Aug 30, 2003
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Perth, Australia
    Ah great, nothing to fix!

    @Spiral - Thanks for that information.
     
    #3 wineo, Aug 6, 2009
  4. wineo

    wineo Active Member

    Joined:
    Aug 30, 2003
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Perth, Australia
    Back to this...

    This site has a rss feed (xml file) that keeps causing a 406 error. I added a catch page for this error and the details are forwarded to me. There is never a user-agent associated with the requests on this file (well once it was iTMS). So I can't really tell what the user is trying to view the feed with...

    I can't replicate the situation, actually seeing this error 406 page, so I can't see if these viewers are atcually seeing the feed or podcasts.

    I don't want to turn the filter off, but is there a way to set the filter to allow requests on .xml files (when "Request Missing an Accept Header") in the .htaccess file?

    Thanks!
     
    #4 wineo, Oct 11, 2009
  5. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    8
    Trophy Points:
    193
    The answer is yes to your rule modifying question.

    Also, you may find more what you are looking for in the raw log mod_security log file found in /usr/local/apache/logs
     
    #5 Spiral, Oct 12, 2009
  6. wineo

    wineo Active Member

    Joined:
    Aug 30, 2003
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Perth, Australia
    Thanks Spiral,

    I have tried using SecFilterEngine Off in the in the .htaccess file, but this seems to have no affect (doesn't seem to turn the filter off).

    Is there another way?
     
    #6 wineo, Oct 13, 2009
  7. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    9
    Trophy Points:
    168
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    To disable the filter you could either comment it in the configuration file mentioned in the log detail, or create a custom exclusion to prevent it from working for specific URIs or all sites.

    You might try an entry like the following, as per your provided log detail:
    Code:
    <LocationMatch .*>
  # Exclude rule ID "960015" that breaks an RSS feed.
  SecRuleRemoveById 960015
</LocationMatch>
    The above could be added to your mod_security user configuration file; this can be managed via the following menu path via your root WHM contorl panel:
    WHM: Main >> Plugins >> Mod Security >> Edit Config
     
    #7 cPanelDon, Oct 14, 2009
(You must log in or sign up to post here.)
Loading...
Similar Threads - ModSecurity Question
  1. kshivachev

    Editing ModSecurity vendor rules

    kshivachev, Sep 4, 2017, in forum: Security
    Replies:
    5
    Views:
    93
    cPanelMichael
    Sep 6, 2017
  2. filip212

    ModSecurity Inbound Anomaly Score Exceeded

    filip212, Aug 29, 2017, in forum: Security
    Replies:
    3
    Views:
    138
    fuzzylogic
    Aug 30, 2017
  3. rpvw

    OWASP ModSecurity Core Rule Set V3.0 whm-server-status

    rpvw, Aug 18, 2017, in forum: Workarounds and Optimization
    Replies:
    1
    Views:
    145
    cPanelMichael
    Aug 18, 2017
  4. schoeps

    SOLVED OWASP ModSecurity v3 and v1?

    schoeps, Jul 31, 2017, in forum: Security
    Replies:
    2
    Views:
    136
    schoeps
    Jul 31, 2017
  5. Federico Barcelo

    cxs ModSecurity Scanning (disabled)

    Federico Barcelo, Jul 27, 2017, in forum: Security
    Replies:
    2
    Views:
    99
    cPanelMichael
    Jul 28, 2017

Share This Page