Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

OWASP rule set blocking smtp

Discussion in 'Security' started by uk01, Jun 17, 2018.

  1. uk01

    uk01 Well-Known Member

    Joined:
    Dec 31, 2009
    Messages:
    112
    Likes Received:
    10
    Trophy Points:
    68
    Hi, we enabled OWASP ModSecurity Core Rule Set V3.0 yesterday and got people contacting support today saying they could not send email.

    To get email working again we had to disable rule 949 below:

    *******

    REQUEST-949-BLOCKING-EVALUATION
    The rules in this configuration file blocks traffic that various other configuration files request.

    ********

    However, on Cpanels knowledgebase it states:

    *********
    Warning:
    Other rules in the rule set depend on this configuration file to block incoming attacks. If you disable this configuration file, other rules will detect, but not block, incoming attacks.

    *********

    While testing in roundcube webmail we got the following when sending email:

    Request:
    POST /?_task=mail&_unlock=loading1529274082968&_lang=en&_framed=1
    Action Description:
    Access denied with code 403 (phase 2).
    Justification:
    Operator GE matched 5 at TX:anomaly_score.

    Disabling rule 949 solved smtp from desktop/mobile clients aswell as webmail. However, as the above warning states, other rules will no longer work. I tried disabling the other rules one by one but 949 is the only one which would resolve the issue.

    Anyone else has this? Any solution?
     
    #1 uk01, Jun 17, 2018
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    992
    Likes Received:
    41
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    It's not uncommon the have to disable a few rules to suit your environment.
    Also i find understanding exactly what they do, all but impossible.
     
    #2 keat63, Jun 18, 2018
  3. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,783
    Likes Received:
    132
    Trophy Points:
    118
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello,


    That specific ruleset is described as:

    Code:
    SecMarker BEGIN_REQUEST_BLOCKING_EVAL

# These rules use the anomaly score settings specified in the 10 config file.
# You should also set the desired disruptive action (deny, redirect, etc...).
#
# -=[ IP Reputation Checks ]=-
#
# Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK
#
    Basically this ruleset is taking the IP reputation score obtained in the 10 config file (REQUEST-910-IP-REPUTATION.conf) and blocking access based on this. In this instance it would seem that it's blocking outbound SMTP based on the IP address being used.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelLauren, Jun 18, 2018
(You must log in or sign up to post here.)
Loading...
Similar Threads - OWASP rule blocking
  1. darwin7

    Last OWASP rules are reliable?

    darwin7, Nov 24, 2017, in forum: Security
    Replies:
    10
    Views:
    405
    darwin7
    Dec 1, 2017
  2. rpvw

    OWASP ModSecurity Core Rule Set V3.0 whm-server-status

    rpvw, Aug 18, 2017, in forum: Workarounds and Optimization
    Replies:
    1
    Views:
    787
    cPanelMichael
    Aug 18, 2017
  3. keat63

    SOLVED Multiple OWASP Core Rule Sets Installed

    keat63, Jun 9, 2017, in forum: Security
    Replies:
    2
    Views:
    356
    keat63
    Jun 9, 2017
  4. Sarath Kumar R

    Installing MPM-Event and OWASP ModSecurity Core Rule Set V3.0 through command line

    Sarath Kumar R, Apr 29, 2017, in forum: Security
    Replies:
    10
    Views:
    897
    Sarath Kumar R
    May 16, 2017
  5. joako

    Problem with new OWASP3 rules

    joako, Apr 18, 2017, in forum: Security
    Replies:
    3
    Views:
    888
    cPanelMichael
    Apr 19, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice