You generally do not want to block requests from 127.0.0.1/localhost as this is the server itself processing requests locally. Blocking this IP may cause unexpected behavior with the cPanel & Software installation. In rare instances, it can be a result of a rogue API processing excessive requests, but this is rather uncommon.
Here is the rule logic for "Request Missing a Host Header" as to why it would be triggered:
Code:
# -=[ Rule Logic ]=-
# These rules will first check to see if a Host header is present.
# The second check is to see if a Host header exists but is empty.
If any of these conditions are met, the ModSecurity rule regarding "Request Missing a Host Header" will be generated.
Are you able to provide us with the full output of the ModSecurity entry for that instance (omitting your IP Address and hostname)? Additionally, are you doing anything in particular to cause this entry? If so, are you able to replicate it, and disclose those steps?
Hi, I just updated our server to cpanel 64.0.11 and noticed a few issues. In WHM accessing the Apache Status page returns "Failed to receive status information from Apache." Accessing PhpMyAdmin via a users cPanel account will either hang on "Loading..." or display a 403/404 Security Token...
forums.cpanel.net
The workaround is to disable the rule #920280: "Request Missing a Host Header". It is not the best workaround, because the correct method should be that cPanel enabled an owned filter to exclude petitions to whm-server-status and/or when coming from 127.0.0.1. You can grab a custom rule for doing that in this link: OWASP ModSecurity Core Rule Set V3.0 whm-server-status
Now, to all the cPanel staff, PLEASE bring this to the developer team's attention. THREE YEARS COUNTING and is still pending a fix.
On a personal note, disabling rule 920280 is now part of my setup routine when configuring every new cPanel server. Ridiculous, indeed. But it solves the issue.
The issue we are seeing across a couple of servers is very similar to this - rule 920280 being tripped every 5 minutes or so from 127.0.0.1, but the request is GET /.
We therefore modified the previously given custom rule as follows, and this works perfectly:
Code:
# Rule to allow requests from 127.0.0.1 with missing mandatory headers.
#
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
"msg:'Matched 127.0.0.1. Disabling rules 920280 and 920350',\
phase:1,\
id:8888777,\
t:none,\
pass,\
nolog,\
ctl:ruleRemoveById=920280,\
ctl:ruleRemoveById=920350"
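
An added example, not part of any post in this thread and not cPanel's or the CRS project's code: before excluding rule 920280 for loopback, tally who actually trips it and on which URI, using the ModSecurity entries staff asked for above. It assumes the Apache error-log layout written by ModSecurity 2.x; the log lines, addresses, hostname and file path are constructed placeholders, and `tally` is a hypothetical helper name.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample (assumed ModSecurity 2.x / Apache error-log layout).
SAMPLE_LOG = """\
[Tue Mar 07 10:00:01 2017] [:error] [pid 41] [client 127.0.0.1:51844] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/path/to/crs.conf"] [id "920280"] [msg "Request Missing a Host Header"] [hostname "host.example"] [uri "/whm-server-status"] [unique_id "a1"]
[Tue Mar 07 10:05:01 2017] [:error] [pid 41] [client 127.0.0.1:51850] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/path/to/crs.conf"] [id "920280"] [msg "Request Missing a Host Header"] [hostname "host.example"] [uri "/"] [unique_id "a2"]
[Tue Mar 07 10:10:01 2017] [:error] [pid 41] [client 127.0.0.1:51861] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/path/to/crs.conf"] [id "920280"] [msg "Request Missing a Host Header"] [hostname "host.example"] [uri "/"] [unique_id "a3"]
[Tue Mar 07 10:11:40 2017] [:error] [pid 42] [client 203.0.113.9:40112] [client 203.0.113.9] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/path/to/crs.conf"] [id "920280"] [msg "Request Missing a Host Header"] [hostname "host.example"] [uri "/"] [unique_id "b1"]
[Tue Mar 07 10:12:02 2017] [:error] [pid 41] [client 127.0.0.1:51870] [client 127.0.0.1] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [file "/path/to/crs.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [hostname "127.0.0.1"] [uri "/"] [unique_id "a4"]
[Tue Mar 07 10:15:01 2017] [:error] [pid 43] [client ::1:51990] [client ::1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/path/to/crs.conf"] [id "920280"] [msg "Request Missing a Host Header"] [hostname "host.example"] [uri "/whm-server-status"] [unique_id "c1"]
"""

# The portless [client ...] tag sits directly before "ModSecurity:"; the rule id
# is the first [id] tag after it, and the URI is taken from the last [uri] tag.
LINE_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity:.*?'
    r'\[id "(?P<id>\d+)"\].*\[uri "(?P<uri>[^"]*)"\]'
)

def tally(log_text, rule_id="920280"):
    """Count hits of rule_id per (client, uri), loopback separately from the rest."""
    loopback, external = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["id"] != rule_id:
            continue
        try:
            is_local = ip_address(m["client"]).is_loopback
        except ValueError:
            is_local = False  # unparseable client: never count it as local
        (loopback if is_local else external)[(m["client"], m["uri"])] += 1
    return loopback, external

if __name__ == "__main__":
    local, remote = tally(SAMPLE_LOG)
    for (client, uri), n in sorted(local.items()):
        print(f"loopback {client:<12} {uri:<20} {n}")
    for (client, uri), n in sorted(remote.items()):
        print(f"EXTERNAL {client:<12} {uri:<20} {n}")
```

Hits that land in the external counter are still enforced after a 127.0.0.1-only exclusion, and `::1` hits are not covered by `@ipMatch 127.0.0.1`. If Apache sits behind a reverse proxy on the same host, every client appears as loopback, so confirm REMOTE_ADDR reflects the real client before relying on such an exclusion.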