OWASP rule set blocking smtp

Discussion in 'Security' started by uk01, Jun 17, 2018.

  1. uk01

    uk01 Well-Known Member

    Hi, we enabled OWASP ModSecurity Core Rule Set V3.0 yesterday and got people contacting support today saying they could not send email.

    To get email working again we had to disable rule 949 below:

    *******

    REQUEST-949-BLOCKING-EVALUATION
    The rules in this configuration file blocks traffic that various other configuration files request.

    ********

    However, cPanel's knowledge base states:

    *********
    Warning:
    Other rules in the rule set depend on this configuration file to block incoming attacks. If you disable this configuration file, other rules will detect, but not block, incoming attacks.

    *********

    While testing in Roundcube webmail we got the following when sending email:

    Request:
    POST /?_task=mail&_unlock=loading1529274082968&_lang=en&_framed=1
    Action Description:
    Access denied with code 403 (phase 2).
    Justification:
    Operator GE matched 5 at TX:anomaly_score.

    Disabling rule 949 solved SMTP from desktop/mobile clients as well as webmail. However, as the above warning states, other rules will no longer work. I tried disabling the other rules one by one but 949 is the only one which would resolve the issue.

    Has anyone else had this? Any solution?
     
  2. keat63

    keat63 Well-Known Member

    It's not uncommon to have to disable a few rules to suit your environment.
    Also, I find understanding exactly what they do all but impossible.
     
  3. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hello,


    That specific ruleset is described as:

    Code:
    SecMarker BEGIN_REQUEST_BLOCKING_EVAL
    
    # These rules use the anomaly score settings specified in the 10 config file.
    # You should also set the desired disruptive action (deny, redirect, etc...).
    #
    # -=[ IP Reputation Checks ]=-
    #
    # Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK
    #
    Basically this ruleset is taking the IP reputation score obtained in the 10 config file (REQUEST-910-IP-REPUTATION.conf) and blocking access based on this. In this instance it would seem that it's blocking outbound SMTP based on the IP address being used.
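
The denial quoted in the first post reads "Operator GE matched 5 at TX:anomaly_score". The following is an added example, not code from any poster or from cPanel: it groups ModSecurity error-log entries by `unique_id` and lists the rules that fired on each request that REQUEST-949-BLOCKING-EVALUATION then denied. The log lines, the function name and the field layout (Apache error-log style, as written by ModSecurity 2.x) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Apache error-log style written by ModSecurity 2.x.
# Hosts, unique_ids, the matched rules and their messages are invented for illustration.
SAMPLE_LOG = "\n".join([
    '[Sun Jun 17 22:21:22 2018] [:error] [client 203.0.113.7] ModSecurity: Warning. '
    'Pattern match "x" at ARGS:_message. [file "/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[id "941100"] [msg "Constructed sample match"] [severity "CRITICAL"] '
    '[hostname "mail.example.test"] [uri "/"] [unique_id "AAAA0001"]',
    '[Sun Jun 17 22:21:22 2018] [:error] [client 203.0.113.7] ModSecurity: Access denied '
    'with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] '
    '[hostname "mail.example.test"] [uri "/"] [unique_id "AAAA0001"]',
    '[Sun Jun 17 22:25:10 2018] [:error] [client 203.0.113.9] ModSecurity: Warning. '
    'Pattern match "y" at ARGS:q. [file "/rules/CONSTRUCTED.conf"] [id "999001"] '
    '[msg "Constructed low-severity match"] [severity "NOTICE"] '
    '[hostname "mail.example.test"] [uri "/"] [unique_id "AAAA0002"]',
])

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')          # [id "941100"], [msg "..."], ...
DENY = re.compile(r'Operator GE matched (\d+) at TX:anomaly_score')

def contributing_rules(log_text):
    """Return {unique_id: {'ge_value': int, 'rules': [(id, severity, msg), ...]}}
    for requests denied by the anomaly-score evaluation; other requests are dropped."""
    seen = defaultdict(lambda: {"ge_value": None, "rules": []})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        uid = fields.get("unique_id")
        if uid is None:                              # cannot correlate without it
            continue
        deny = DENY.search(line)
        if deny:                                     # the 949 blocking decision itself
            seen[uid]["ge_value"] = int(deny.group(1))
        else:                                        # a rule that raised the score
            seen[uid]["rules"].append(
                (fields.get("id"), fields.get("severity"), fields.get("msg")))
    return {u: r for u, r in seen.items() if r["ge_value"] is not None}

if __name__ == "__main__":
    for uid, info in contributing_rules(SAMPLE_LOG).items():
        print(uid, "denied at", info["ge_value"], "after rules:", info["rules"])
```

The rule ids it reports are the ones to examine for a targeted exclusion, which leaves REQUEST-949-BLOCKING-EVALUATION enabled.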
     