OWASP rule set blocking smtp

[uk01]

Hi, we enabled OWASP ModSecurity Core Rule Set V3.0 yesterday and got people contacting support today saying they could not send email.

To get email working again we had to disable rule 949 below:

*******

REQUEST-949-BLOCKING-EVALUATION
The rules in this configuration file blocks traffic that various other configuration files request.

********

However, on Cpanels knowledgebase it states:

*********
Warning:
Other rules in the rule set depend on this configuration file to block incoming attacks. If you disable this configuration file, other rules will detect, but not block, incoming attacks.

*********

While testing in roundcube webmail we got the following when sending email:

Request:
POST /?_task=mail&_unlock=loading1529274082968&_lang=en&_framed=1
Action Description:
Access denied with code 403 (phase 2).
Justification:
Operator GE matched 5 at TX:anomaly_score.

Disabling rule 949 solved smtp from desktop/mobile clients aswell as webmail. However, as the above warning states, other rules will no longer work. I tried disabling the other rules one by one but 949 is the only one which would resolve the issue.

Anyone else has this? Any solution?

 

[keat63]

It's not uncommon the have to disable a few rules to suit your environment.
Also i find understanding exactly what they do, all but impossible.

 

[cPanelLauren]

Hello,


That specific ruleset is described as:

SecMarker BEGIN_REQUEST_BLOCKING_EVAL

# These rules use the anomaly score settings specified in the 10 config file.
# You should also set the desired disruptive action (deny, redirect, etc...).
#
# -=[ IP Reputation Checks ]=-
#
# Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK
#

Basically this ruleset is taking the IP reputation score obtained in the 10 config file (REQUEST-910-IP-REPUTATION.conf) and blocking access based on this. In this instance it would seem that it's blocking outbound SMTP based on the IP address being used.

 

[uk01]

I think I missed this last reply from Lauren.
The ip reputation of our servers is 100% and senderscore 100. Not sure why it would block it, but saying that, do you think disabling rule 910 and enabling 949 would work.
I only realised tonight, none of the rules work with 949 off as it only generates a warning but does not block any attacks.

 

[cPanelLauren]

Hi @uk01

I would try with just REQUEST-910-IP-REPUTATION.conf (910) off. As far as 949 goes the behavior should be as quoted:

If you disable this configuration file, other rules will detect, but not block, incoming attacks.

 

[fuzzylogic]

I will assist in writing an exclusion rule if OP will provide relevant log excerpts.
The required logs are from /usr/local/apache/logs/modsec_audit.log
Each http request that hits a modsec rule is logged there.
You need to make a RoundCube http request (typical of this issue) that is blocked then find the log of that request in the modsec_audit.log.
It will be 30 to 50 lines long, beginning with something like --0e873e76-A-- and ending with something like --0e873e76-Z--

To make this thread less confusing some of the assumptions previously posted should be reassessed.
1) "OWASP rule set blocking smtp"
- It cant happen. Modsecurity blocks http requests only. If smtp blocks or all port blocks occurred in association with this issue they were caused by secondary processes such as iptables ,configserver firewall, lfd or a combination processes like these.
For instance configserver firewall uses lfd to parse /usr/local/apache/logs/error_log for modsec generated 40* http request status
configserver firewall default settings for doing this are...
LF_MODSEC = Default: 5 [0-100]
LF_MODSEC_PERM = Default: 1 [0-604800]

Alternatively if the cPanel user was blocked from webmail by this issue then attempted to use MS Outlook's auto setup wizard they can be locked out of all ports on the server after one failed auto setup attempt.

2) "To get email working again we had to disable rule 949 below:"
- What you disabled was a configuration file which contained two main SecRules
The rule in this file which allowed RoundCube to work again once disabled is rule id:949110.
It is the CRS main blocking rule. By disabling this configuration file you effectively disabled the whole ruleset.

3) "Basically this ruleset is taking the IP reputation score obtained in the 10 config file"
- cPanelLauren was looking at the comment for the 1st rule of the 2 rules in this configuration file, id:949100.
Out of the box, cPanel's CRS ruleset does not set the variable which would enable any reputation blocking (line 543 crs-setup.conf)...
#SecAction # "id:900960,# phase:1,# nolog,# pass,# t:none,# setvar:tx.do_reput_block=1"
So rule 949100 plays no part in OPs issue.
4) "I would try with (disabling) just REQUEST-910-IP-REPUTATION.conf"
- Again, no ip reputation rules are functional in the default install, so this won't help.

 

[uk01]

Apologies, for some reason this thread didn't tell me I had another reply after Lauren

 

[uk01]

@fuzzylogic thanks for your message, really appreciate you coming on here and helping.

Below is the info you wanted from the logs.

You are right, disabling 910 does not solve the issue. Some things to note: We have a branded version of roundcube installed on it's own account which all servers having access to the same webmail (outside of cpanel).

With all OWASP rules enabled accounts on the same server as the roundcube install can login and email, no issues. However, accounts from other servers can log in fine (using imap) but cannot send email. The rules below trigger.

--3d3f5278-H--
Message: Warning. Pattern match "(?i)<[^\\w<>]*(?:[^<>\"'\\s]*:)?[^\\w<>]*(?:\\W*?s\\W*?c\\W*?r\\W*?i\\W*?p\\W*?t|\\W*?f\\W*?o\\W*?r\\W*?m|\\W*?s\\W*?t\\W*?y\\W*?l\\W*?e|\\W*?s\\W*?v\\W*?g|\\W*?m\\W*?a\\W*?r\\W*?q\\W*?u\\W*?e\\W*?e|(?:\\W*?l\\W*?i\\W*?n\\W*?k|\\W*?o\\W*?b\\W*?j\\W*?e\ ..." at ARGS:_message. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "74"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p>test</p>\x0d\x0a<div id=\x22_rc_sig\x22>-- <br />\x0d\x0a<p><strong>...........**removed email content / signature data**...............\x22>"] [severi

Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [tag "event-correlation"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client *********] ModSecurity: Warning. Pattern match "(?i)<[^\\\\\\\\w<>]*(?:[^<>\\\\"'\\\\\\\\s]*:)?[^\\\\\\\\w<>]*(?:\\\\\\\\W*?s\\\\\\\\W*?c\\\\\\\\W*?r\\\\\\\\W*?i\\\\\\\\W*?p\\\\\\\\W*?t|\\\\\\\\W*?f\\\\\\\\W*?o\\\\\\\\W*?r\\\\\\\\W*?m|\\\\\\\\W*?s\\\\\\\\W*?t\\\\\\\\W*?y\\\\\\\\W*?l\\\\\\\\W*?e|\\\\\\\\W*?s\\\\\\\\W*?v\\\\\\\\W*?g|\\\\\\\\W*?m\\\\\\\\W*?a\\\\\\\\W*?r\\\\\\\\W*?q\\\\\\\\W*?u\\\\\\\\W*?e\\\\\\\\W*?e|(?:\\\\\\\\W*?l\\\\\\\\W*?i\\\\\\\\W*?n\\\\\\\\W*?k|\\\\\\\\W*?o\\\\\\\\W*?b\\\\\\\\W*?j\\\\\\\\W*?e\\\\ ..." at ARGS:_message. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "74"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p>test</p>\\\\x0d\\\\x0a<div id=\\\\x22_rc_sig\\\\x22>-- <br />\\\\x0d\\\\x0a<p>..............**removed email content / signature data**.................\\\\x0d\\\\x0a<div id=\\\\x22_rc_sig\\\\x22>-- <br />\\\\x0d\\\\x0a<p><strong>..............**removed email content / signature data**.................\\\x22>..."] [severi [hostname "********"] [uri "/"] [unique_id "W5B-mQVRPrzYOSWj4e0IvAAAAAE"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client **********] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "******"] [uri "/"] [unique_id "W5B-mQVRPrzYOSWj4e0IvAAAAAE"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client *********] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [tag "event-correlation"] [hostname "**********"] [uri "/"] [unique_id "W5B-mQVRPrzYOSWj4e0IvAAAAAE"]
Action: Intercepted (phase 2)
Stopwatch: 1536196505976125 18069 (- - -)
Stopwatch2: 1536196505976125 18069; combined=4945, p1=670, p2=4153, p3=0, p4=0, p5=122, sr=122, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (ModSecurity: Open Source Web Application Firewall OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"

 

[uk01]

I have enabled al the rules on all servers apart from the one hosting the webmail account.
My testing shows that all accounts can send mail ok.

However if I enable the rule on the actual server webmail is hosted on, it blocks any remote users sending, so I guess this may just be a simple one to solve, it just looks like its triggering a rule.

I'm not sure why some users said SMTP was not working before, I'll see if I get any further reports relating to that.
The main task is to get OWASP fully active to help with wordpress attacks.

 

[uk01]

ok further info.... I'm wrong in saying that email works on the same server as webmail. I've narrowed it down, it's actullay because the test account I was using had no email signature with html.

It's the HTML email signature triggering the rule. (InjectionChecker: HTML Injection)

Is there any way of whitelisting webmail or bypassing this, I'll check if it happens with the cpanel built in webmail/roundcube

 

[uk01]

Yes, the built in roundcube seems to bypass the issue, hence because it's only for each individual account. For some reason as we host webmail independently on its own domain, the rule is trigger as if it was an online form I guess.

 

[fuzzylogic]

OK. Seems you have a non standard setup.
In my testing of cPanel RoundCube Modsecurity does not operate for users on the same server as the RoundCube.
What I mean by that is when I post strings in RoundCube emails I know will be blocked by modsecurity on any virtual host on the server, they are not blocked.
I think this is because RoundCube uses port 2096 for http for local users.
Your setup must use ports 80 or 443 for RoundCube remote users so it is operating through the EasyApache4 managed apache installation (with modsecurity) rather than cPanel/WHM apache installation.

So I cant test any of this for you. I cant get any modsecurity rule to trigger for roundcube.

That said, using your provided audit_log excerpt I can see that the rule that was triggered was [id "941160"] and that it triggered on the value of the _message ARG

An (loose) exclusion rule would be...

# Rule to log roundcube post
SecRule REQUEST_METHOD "@streq POST" \
    "msg:'RoundCube message post exclusion rule',\
    id:1941160,\
    phase:2,\
    t:none,\
    log,\
    pass,\
    chain"
        SecRule ARGS:_task "@streq mail" \
        "t:none,\
        ctl:ruleRemoveTargetById=941160;ARGS:_message"

You posted the last 10 lines of the 50 I requested (you posted --3d3f5278-H-- to --3d3f5278-Z--)
I wanted --3d3f5278-A-- to --3d3f5278-Z--
The request URI is the most important data I wanted from the other lines.
With that I would have added another clause to the exclusion rule limiting its action to that endpoint.

In my tests the following strings triggered rule 941160.
<script="">
<style
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style=

RoundCube html editor added lots of <xxx style="stuff"> Sumfink</xxx> all of which will trigger 941160.
These are probably in the signature you mentioned.

It you find and post the request URI for this request I will update the exclusion rule.

 

[uk01]

Wow, greatcreply, thanks for you time! I’ll check those logs again later for the bit you want and come back here with it, thanks again

 

[uk01]

apologies, first time I've really looked at those logs, so many lines and I missed A-E
Hopefully I removed all identifiable info.

We had to disable rule 949 again a short while ago due to complaints from Wordpress users. They were also being blocked by what appears to be the same rule, HTML/Injection. This was on a website which had html in the wordpress editor which could be any of them depending how the site is developed.

Is OWASPv3 widely used or does everyone have to customise it? Seems like it could be promising once set up, but I'm only leaving it activated on one server to avoid support emails for now. (Customers forget we are adding free extra security to their insecure websites!)

Appreciate your help.

--3d3f5278-A--
[06/Sep/2018:02:15:05 +0100] W5B-mQVRPrzYOSWj4e0IvAAAAAE xxxxxxxx 49654 xxxxxxxxx 443
--3d3f5278-B--
POST /?_task=mail&_unlock=loading1536196495058&_lang=en&_framed=1 HTTP/2.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Origin: https://xxxxxxxx
Content-Length: 729
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15
Referer: https://xxxxxxxxx/?_task=mail&_action=compose&_id=10187537285b907ec7dfe6e
Dnt: 1
Cookie: language=en; roundcube_sessauth=SduTgGMiVuuGBt5mqldB6MZ4qS-1536194700; roundcube_sessid=pqnhq1k5odhksf6lh4p104flq6
Host: xxxxxxxxxx

--3d3f5278-C--
_token=4GW3Hf1QdLBxNkV2VhUxQPohHdVPyfqx&_task=mail&_action=send&_id=10187537285b907ec7dfe6e&_attachments=&_from=495&_to=xxxxxx%40xxxxx.com&_cc=&_bcc=&_replyto=&_followupto=&_subject=test&editorSelector=html&_priority=0&_store_target=INBOX.Sent&_draft_saveid=&_draft=&_is_html=1&_framed=1&_message=%3Cp%3Etest%3C%2Fp%3E%0D%0A%3Cdiv+id%3D%22_rc_sig%22%3E--+%3Cbr+%2F%3E%0D%0A%3Cp%3E%3Cstrong%3Exxxxx+xxxxx%3Cbr+%2F%3E%3C%2Fstrong%3Exxxx+xxxxxx%3Cbr+%2F%3E%3Cspan%3E01530+242+706%3C%2Fspan%3E%3Cbr+%2F%3E07584+568+937%3Cbr+%2F%3E%3Ca+href%3D%22http%3A%2F%2Fwww.xxxxxx.co.uk%22%3Ewww.xxxxxxx.co.uk%3C%2Fa%3E%3C%2Fp%3E%0D%0A%3Cp%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.xxxxxx.co.uk%2Fxx-xxxxxx.jpg%22+%2F%3E%3C%2Fp%3E%0D%0A%3C%2Fdiv%3E
--3d3f5278-F--
HTTP/1.1 403 Forbidden
Content-Length: 328
Content-Type: text/html; charset=iso-8859-1

--3d3f5278-E--

 

[fuzzylogic]

OK. With the logs you supplied I was able to almost duplicate the problem request to one of my virtual hosts.
The rules in question operate in the Request phase of the http request (phase 1 - request headers and phase 2 - request body) so RoundCube does not actually have to be installed on the virtual host to run these tests.

Attached is the audit_log for the request being blocked with no exclusion rule in place...

Also attached is the audit_log for the request being allowed with the exclusion rule in place...

Here is the exclusion rule now also restricting the POST uri to /

# Rule to log roundcube post
SecRule REQUEST_METHOD "@streq POST" \
    "msg:'RoundCube message post exclusion rule',\
    id:2941160,\
    phase:2,\
    t:none,\
    pass,\
    chain"
        SecRule REQUEST_FILENAME "@streq /" \
        "t:none,\
        chain"
            SecRule ARGS:_task "@streq mail" \
            "t:none,\
            ctl:ruleRemoveTargetById=941160;ARGS:_message"

 

[uk01]

Great stuff, many thanks for looking at this.

Will this rule also work with the Wordpress issues mentioned? These were due to the same 949 rule.
I had to disable on a magento server too due to the same.

Seems to be mostly editors with any html so hopefully so.
cheers

 

[uk01]

Great stuff, many thanks for looking at this.

Will this rule also work with the Wordpress issues mentioned? These were due to the same 949 rule.
I had to disable on a magento server too due to the same.

Seems to be mostly editors with any html so hopefully so.
cheers