Question on "ModSecurity: Access denied with code 406 (phase 1)"

Discussion in 'Security' started by Jeffro_Home, May 19, 2010.

  1. Jeffro_Home

    Jeffro_Home Member

    I've just recently posted this in Chirpy's modsecurity forum, but I thought I would try here as well.

    For the past 4 days, about every hour (or less), from a different offending domain, I am receiving this email from my server:

    Code:
    Time:     Wed May 19 12:15:58 2010 -0400
    IP:       208.43.255.250 (208.43.255.250-static.reverse.softlayer.com)
    Failures: 8 (mod_security)
    Interval: 300 seconds
    Blocked:  Yes
    
    Log entries:
    
    [Wed May 19 12:15:54 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOukMTZAoAAFQtS0kAAAAJ"]
    [Wed May 19 12:15:54 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOukMTZAoAAF8ZOfQAAAAN"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAF2vB8UAAAAF"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5usjAAAAAH"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5vs20AAAAK"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5wtKoAAAAO"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5ssCEAAAAD"]
    [Wed May 19 12:15:55 2010] [error] [client 208.43.255.250] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "master.myserver.com"] [uri "/"] [unique_id "S-QOu0MTZAoAAG5tsNcAAAAG"]
    
    I've searched on just about everything in the above log entry, and really haven't found anything.

    Again, this has happened about 100 times in the past 3 days, each time it's a different domain/ip. My server seems ok, none of my customers have mentioned any issues, I just want to find out what this is, and if there's a way to stop it.

    Thanks,

    Jeff
     
  2. cPanelJamyn

    cPanelJamyn Social Engineer
    Staff Member

    The error indicates the request from that server was not a GET/POST/OPTIONS/HEAD request, which is unusual. It could be sending a TRACE, for example. If you enable more detailed logging (e.g., setting SecAuditLogParts ABC for modsec2) you should get enough detail to see what's going on.
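Added example, not part of the original thread and not cPanel's or ModSecurity's own code: a small Python triage script that splits run-together ModSecurity error-log entries like the ones in the alert email, counts denials per client and rule id, and tests HTTP methods against the allow-list regex quoted in the rule 960032 message. The function names, the sample log text, the client addresses (documentation ranges), the hostname and the unique_id values are constructed for illustration.

```python
import re
from collections import Counter

# Method allow-list regex copied from the rule 960032 message in the post.
ALLOWED = re.compile(r"^((?:(?:POS|GE)T|OPTIONS|HEAD))$")

# Start of one ModSecurity entry in the Apache error log (format as in the post).
ENTRY_START = re.compile(
    r"\[(\w{3} \w{3} +\d+ [\d:]{8} \d{4})\] \[error\] "
    r"\[client ([^\]\s]+)\] ModSecurity: "
)
# Trailing metadata pairs such as [id "960032"] or [uri "/"].
META = re.compile(r'\[(\w+) "([^"]*)"\]')

def _entry(ts, client, uid):
    """Build one constructed log entry in the same layout as the post."""
    return (
        "[" + ts + "] [error] [client " + client + "] ModSecurity: "
        'Access denied with code 406 (phase 1). Match of "rx '
        '^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. '
        '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] '
        '[id "960032"] [msg "Method is not allowed by policy"] '
        '[severity "CRITICAL"] [hostname "www.example.test"] [uri "/"] '
        '[unique_id "' + uid + '"]'
    )

# Constructed sample: three entries joined on one line, as in the alert email.
SAMPLE = " ".join([
    _entry("Wed May 19 12:15:54 2010", "192.0.2.10", "CONSTRUCTED-0001"),
    _entry("Wed May 19 12:15:55 2010", "192.0.2.10", "CONSTRUCTED-0002"),
    _entry("Wed May 19 12:20:01 2010", "198.51.100.7", "CONSTRUCTED-0003"),
])

def method_allowed(method):
    """True if the request method passes the rule's allow-list (case-sensitive)."""
    return ALLOWED.match(method) is not None

def parse_entries(text):
    """Split concatenated entries and return one dict of fields per entry."""
    starts = list(ENTRY_START.finditer(text))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        fields = dict(META.findall(text[m.end():end]))
        entries.append({"time": m.group(1), "client": m.group(2), **fields})
    return entries

def denials_by_client(text):
    """Count denials per (client address, rule id) pair."""
    return Counter((e["client"], e["id"]) for e in parse_entries(text))
```

The error log never records the rejected method itself, which is why the reply suggests the audit log; `method_allowed` only shows which methods the quoted regex would let through.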
     