The Community Forums


ModSecurity throwing 404s on legitimate connection

Discussion in 'Security' started by Jack Latrobe, Sep 22, 2015.

  1. Jack Latrobe (Member, DataCenter Provider, Melbourne, Australia)

    Hello all,

    I'm a newer poster here, so I'm sorry if this is in the wrong spot. I've done some searching on 'the google' as well as using the handy little spyglass above, with little result.

    I'm having an issue with some mod_security rulesets that I am slightly out of my depth in resolving. I've implemented the following rules on a number of non-cPanel VPSs:
    Code:
    ## Skip rules if this is from REDACTED RANGE
    SecRule REMOTE_ADDR "REDACTED RANGE" "phase:1,allow,id:115"
    
    ## Skip rules if this is from REDACTED RANGE
    SecRule REMOTE_ADDR "REDACTED RANGE" "phase:1,allow,id:432"
    
    ## Skip rules if this is from REDACTED RANGE
    SecRule REMOTE_ADDR "REDACTED RANGE" "phase:1,allow,id:1031"
    
    ## Skip rules if this is from REDACTED RANGE
    SecRule REMOTE_ADDR "REDACTED RANGE" "phase:1,allow,id:1032"
    
    ## Skip rules if this is localhost
    SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,allow,id:127"
    
    ## Track that IP :
    SecAction "initcol:ip=%{REMOTE_ADDR},nolog,expirevar:ip.maxlimit=600,id:10"
    
    ## Every second, the collection is allowed to make another 50 connections
    SecAction "deprecatevar:ip.maxlimit=50/1,nolog,id:11"
    
    ## Add 1 to the IP's counter on every request:
    SecAction "nolog,setvar:ip.maxlimit=+1,id:12"
    
    ## Instantly allow all connections with less than the threshold:
    SecRule IP:MAXLIMIT "@le 5000" "allow, nolog, id:15"
    
    ## If, after being sent the 509 page, you keep trying, we don't even bother and drop you:
    SecRule IP:MAXLIMIT "@gt 10000" "drop, log, msg:'dropping %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)',id:14"
    
    ## If, after enough sustained requests, we send a clear rate limit document:
    ErrorDocument 509 "<h1>509 Error - Rate Limit Exceeded</h1><p>This means that you, or someone else on your network, is sending more requests than allowed to this server. You will need to wait for this block to clear (~ 2 minutes) before attempting to connect again. <br><b>Continuing to retry this connection at the current rate will result in your address being blocked.</b></p>"
    SecRule IP:MAXLIMIT "@gt 5000" "deny, status:509, log, msg:'509 deny %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)',id:13"
    On non-cPanel servers (CentOS 5 and CentOS 6) this ruleset works exactly as expected - addresses from within our ranges and from localhost are allowed unconditionally. Everyone else has their request rate counted and is then denied with a friendly message after a certain point. If they keep spewing at the server for too long, they get dropped entirely.

    On every cPanel server I have tested, the local range rules work as expected. However, everyone OUTSIDE of my range who requests the server is sent HTTP 404 responses for all resources on the page, e.g.:
    Code:
    - / 200
    - /css/style.css 404
    - /images/example.jpg 404
    There is absolutely nothing (other than the allows) being spat out to the modsec_audit.log. The 404s show in the /usr/local/apache/domlogs/ logs. The requests all look like they are going to the right files.

    There are no other rules other than the ones above, that I can see.

    I have reached the limits of my troubleshooting ability and mod_security knowledge here. Any advice, things to check, gotchas or links to helpful documentation would be excellent.

    Thanks in advance,

    Jack
     
  2. cPanelMichael (Forums Analyst, Staff Member, Root Administrator)

  3. quizknows (Well-Known Member, DataCenter Provider)

    Have you watched the Apache error_log in a terminal? Sometimes, if a modsec rule produces a 500 and 500.shtml does not exist, the final status logged is 404. Really the audit log ought to cover it though, so that is odd.
     
  4. Jack Latrobe (Member, DataCenter Provider)

    Hi Michael,

    Thanks for the response. I am logging into cPanel (WHM V11.50.01), searching for "ModSecurity" and selecting "ModSecurity Tools".
    Then I click the "Rules List" button, and I copy and paste in the rules above. I save them, go back to the rules list, enable them, then click "Deploy and Restart Apache".

    Is this the information you were after? Is this incorrect?

    I have "tail -f"ed the /usr/local/apache/domlogs/site.com.au logs and see only 404 errors (plus the occasional 500 errors, as Magento is prone to give...).
    Is there another log I could check? Is there a directory I can look in to confirm the presence of "500.shtml"?
     
  5. keat63 (Well-Known Member, Root Administrator)

    On WHM 11.50.0 (maybe 11.48 also), a predefined ruleset (OWASP) is available which almost works straight out of the box.
    From my experience implementing it, it only took a tiny amount of tweaking, and I don't even know what I'm doing.
    Rather than defining your own, maybe implementing OWASP would be easier?
     
  6. quizknows (Well-Known Member, DataCenter Provider)

    Yeah, tail -f /usr/local/apache/logs/error_log and see if that sheds any light. You can also look into debug logging for both apache and modsecurity.
     
  7. Jack Latrobe (Member, DataCenter Provider)

    Hi Keat,

    Thanks for the suggestion.

    I did take a look through the OWASP ruleset, but it breaks the main application we support out of the box. We could tweak it, but it provides much more than we need right now. Our goal with mod_security here wasn't to secure the server or application as such, but rather to apply a very light touch to rate limiting and ultimately reduce our support burden from customers who complain that their "site is slow".

    However, I think this might be a moot point - this exact ruleset, placed on a CentOS box WITHOUT cPanel works instantly and as required. I struggle to understand why it would not work on cPanel.

    I'll look into this later today and report back. Thank you for the advice.
     
  8. Jack Latrobe (Member, DataCenter Provider)

    Hi All, quizknows,

    I've tailed the error_log and there is absolutely no information there about any mod_security denies, or missing 500.shtml files.

    I can see only the mod_security explicit allows.

    Does anyone else have any other suggestions?
     
  9. Jack Latrobe (Member, DataCenter Provider)

    Hi All,

    Just a follow up on this, as I've successfully got this working.

    The problem was in /etc/httpd/conf/modsec2.conf with the following rule:

    Code:
    #SecDefaultAction "phase:2,deny,log,status:406"
    This line was throwing 406 errors if no other rule was explicitly met, causing a 404 error as 406.shtml was not present. Commenting out this line makes everything work fine and dandy.

    To confirm, the above ruleset and this small change give you working rate limiting using mod_security.
     
  10. quizknows (Well-Known Member, DataCenter Provider)

    I have to wonder if there is perhaps an erroneous rule elsewhere. Having a SecDefaultAction set only sets the deny as a default action for a rule with no action set.

    I.e. if you have

    SecRule REQUEST_URI "something_to_block" "id:49485"

    instead of

    SecRule REQUEST_URI "something_to_block" "id:49485,deny"

    The former just inherits the SecDefaultAction of "deny,log,status:406".

    So that default action of 406/deny should only be applying to requests that somehow match a rule. Anyway, glad you got it working, but just a heads up that there could still be something else going on.
     
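An added example, not code posted by anyone in this thread: the same rate-limit ruleset with an explicit disruptive action on every line, so it no longer depends on what SecDefaultAction says. A SecAction matches unconditionally and, like any rule, inherits its disruptive action from SecDefaultAction, so under a "deny,log,status:406" default the three counter lines (ids 10, 11 and 12), which carry no disruptive action of their own, deny in phase 2 and Apache then reports the missing 406 error document as a 404; with "pass" spelled out they only set variables under either default. The address range uses the RFC 5737 documentation prefix 203.0.113.0/24 as a placeholder for the poster's redacted ranges.

```apacheconf
## Operator range and localhost: skip all remaining phases.
## 203.0.113.0/24 is a documentation prefix standing in for the redacted ranges.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24,127.0.0.1" "phase:1,allow,nolog,id:115"

## Track the client IP in a persistent collection. "pass" is explicit so this
## SecAction cannot inherit "deny" from SecDefaultAction; forget an idle
## client after 10 minutes.
SecAction "phase:2,pass,nolog,id:10,initcol:ip=%{REMOTE_ADDR},expirevar:ip.maxlimit=600"

## Leak 50 counts per second, then count this request.
SecAction "phase:2,pass,nolog,id:11,deprecatevar:ip.maxlimit=50/1"
SecAction "phase:2,pass,nolog,id:12,setvar:ip.maxlimit=+1"

## Below the threshold: allow and stop evaluating.
SecRule IP:MAXLIMIT "@le 5000" "phase:2,allow,nolog,id:15"

## Far above the threshold: drop the connection without a response.
SecRule IP:MAXLIMIT "@gt 10000" "phase:2,drop,log,id:14,msg:'dropping %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"

## Above the threshold: deny with an inline 509 page, so there is no
## 509.shtml on disk that could go missing and turn into a 404.
ErrorDocument 509 "<h1>509 Error - Rate Limit Exceeded</h1><p>Too many requests from your network. Wait about two minutes before retrying.</p>"
SecRule IP:MAXLIMIT "@gt 5000" "phase:2,deny,status:509,log,id:13,msg:'509 deny %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
```

With every line carrying its own disruptive action, the SecDefaultAction line in modsec2.conf can stay as shipped, and a rule that does match still logs to modsec_audit.log so the deny is visible there rather than only as a 404 in the domlogs.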