The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Recurring issue with Mod Security

Discussion in 'Security' started by autumnwalker123, Jun 18, 2014.

  1. autumnwalker123

    autumnwalker123 Active Member

    Joined:
    Jan 19, 2014
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I'm not sure what is triggering this, but I get similar reports from the server every few days with the following information:

    Time: Wed Jun 18 14:58:26 2014 -0300
    IP: <IP> (CA/Canada/-)
    Failures: 5 (mod_security)
    Interval: 3600 seconds
    Blocked: Permanent Block

    Log entries:

    [Wed Jun 18 14:58:17 2014] [error] [client <IP>] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "<SERVER FQDN>"] [uri "/"] [unique_id "U6HTOWubWd8AADthEu8AAAAC"]
    [Wed Jun 18 14:58:17 2014] [error] [client <IP>] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "<SERVER FQDN>"] [uri "/"] [unique_id "U6HTOWubWd8AADtSBzkAAAAA"]
    [Wed Jun 18 14:58:20 2014] [error] [client <IP>] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "<SERVER FQDN>"] [uri "/"] [unique_id "U6HTPGubWd8AAFFDKvUAAAAH"]
    [Wed Jun 18 14:58:21 2014] [error] [client <IP>] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "<SERVER FQDN>"] [uri "/"] [unique_id "U6HTPWubWd8AAFFEK4YAAAAI"]
    [Wed Jun 18 14:58:22 2014] [error] [client <IP>] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "<SERVER FQDN>"] [uri "/"] [unique_id "U6HTPmubWd8AAFFHLAkAAAAJ"]

    Thoughts on what is causing this and how to prevent? The IP listed is my local machine's IP address.
     
  2. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Logs indicates that you must be accessing the URL from your IP that is violating modsecurity rules.
    Either you need to exclude that pattern code from modsecurity or disable it for that domain.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    ModSecurity itself only stops requests, it doesn't block IP addresses. The actual IP block is placed by CSF/LFD blocking for the repeated modsecurity failures. You can stop CSF from blocking your IP for this by adding your ip to /etc/csf/csf.ignore

    This particular rule blocks any HTTP request method that is not GET, POST, OPTIONS, or HEAD. So any Track, Trace, PUT, DELETE or other request methods will trip it. Check for your IP in the access log for the appropriate domain, omitting POST/GET requests. Perhaps a file manager or something you're using is using other request methods.

    IMO that's a relatively safe rule to white-list but you may as well find out why you're tripping it first.
     
    #3 quizknows, Jun 18, 2014
    Last edited: Jun 18, 2014
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Yes, as mentioned in the previous post, you may want to review the access logs to see if you can determine what action is triggering that rule.

    Thank you.
     
Loading...

Share This Page