Question on "ModSecurity: Access denied with code 406 (phase 1)"

Discussion in 'Security' started by Jeffro_Home, May 19, 2010.

  1. Jeffro_Home

    Jeffro_Home Registered

    I've just recently posted this in Chirpy's modsecurity forum, but I thought I would try here as well.

    For the past 4 days, about every hour (or less), from a different offending domain, I am receiving this email from my server:

    Code:
    Time:     Wed May 19 12:15:58 2010 -0400
    IP:       208.43.255.250 (208.43.255.250-static.reverse.softlayer.com)
    Failures: 8 (mod_security)
    Interval: 300 seconds
    Blocked:  Yes
    
    Log entries:
    
    [Wed May 19 12:15:54 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOukMTZAoAAFQtS0kAAAAJ"]
    [Wed May 19 12:15:54 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOukMTZAoAAF8ZOfQAAAAN"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAF2vB8UAAAAF"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5usjAAAAAH"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5vs20AAAAK"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5wtKoAAAAO"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5ssCEAAAAD"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5tsNcAAAAG"]
    
    I've searched on just about everything in the above log entry, and really haven't found anything.

    Again, this has happened about 100 times in the past 3 days; each time it's a different domain/IP. My server seems OK, and none of my customers have mentioned any issues. I just want to find out what this is, and if there's a way to stop it.

    Thanks,

    Jeff
     
  2. cPanelJamyn

    cPanelJamyn Social Engineer
    Staff Member

    The error indicates the request from that server was not a GET/POST/OPTIONS/HEAD request, which is unusual. It could be sending a TRACE, for example. If you enable more detailed logging (e.g., setting SecAuditLogParts ABC for modsec2) you should get enough detail to see what's going on.
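
A triage sketch for the alert discussed above, added here as an example and not code from the thread, cPanel or ModSecurity: it splits run-together error-log entries like the ones quoted, counts denials per client and rule id, and checks which methods the rule's required pattern rejects. The sample log, its client addresses and unique_ids, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post: three denials run together
# on one line, as in the alert e-mail. Client addresses and unique_ids are made up.
_ENTRY_FMT = (
    '[Wed May 19 12:15:5{n} 2010] [error] [client {ip}] ModSecurity: Access denied '
    'with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against '
    '"REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] '
    '[line "34"] [id "960032"] [msg "Method is not allowed by policy"] '
    '[severity "CRITICAL"] [uri "/"] [unique_id "CONSTRUCTED-{n}"]')
SAMPLE = ' '.join(_ENTRY_FMT.format(n=n, ip=ip) for n, ip in
                  [(4, '192.0.2.10'), (5, '192.0.2.10'), (5, '198.51.100.7')])

# Each entry starts with an Apache error-log timestamp followed by [error].
ENTRY_START = re.compile(r'(?=\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\] \[error\])')
DENIAL = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Access denied with code (?P<code>\d+) '
    r'\(phase (?P<phase>\d)\)\. Match of "rx (?P<rx>.+?)" against "(?P<var>[^"]+)" '
    r'required\.(?P<tags>.*)', re.S)  # re.S: tolerate entries wrapped across lines
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_denials(text):
    """Return one dict per 'Access denied' entry, even when entries share a line."""
    out = []
    for chunk in ENTRY_START.split(text):
        m = DENIAL.search(chunk)
        if m:
            entry = m.groupdict()
            entry.update(TAG.findall(entry.pop('tags')))  # file, line, id, msg, ...
            out.append(entry)
    return out

def rejected_methods(rx, candidates):
    """The rule requires REQUEST_METHOD to match rx; return the methods that do not.
    ModSecurity uses PCRE, but this particular pattern means the same in Python."""
    required = re.compile(rx)
    return [m for m in candidates if not required.search(m)]

def count_by_source(text):
    """Count denials per (client, rule id) so repeat sources stand out."""
    return Counter((e['client'], e['id']) for e in parse_denials(text))

if __name__ == '__main__':
    entries = parse_denials(SAMPLE)
    print(count_by_source(SAMPLE))
    print(rejected_methods(entries[0]['rx'], ['GET', 'POST', 'HEAD', 'OPTIONS', 'TRACE', 'PUT']))
```

The error-log entry records the rule and the pattern it requires but not the method that was sent, so the parser can only show which methods the rule would reject, not which one the client used.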
     