Stop ModSec redirecting on access denied

Discussion in 'Security' started by babbler, Feb 7, 2016.

  1. babbler

    babbler Member

    Joined:
    Mar 10, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    New Zealand
    cPanel Access Level:
    Root Administrator
    I am using ModSec 2 on CentOS 6.7, WHM 54.0, with the OWASP rules.

    When Modsec blocks a request, it redirects to the sites homepage with the following log entry.

    "Message: Access denied with redirection to example.com using status 302 (phase 2)"

    In this case using Rule 981140

    The default action in modsec2.conf is set to:

    SecDefaultAction "phase:2,deny,log,status:406"

    I'd like to stop the redirection to the CMS as this loads up the server, and instead have it redirecting to a default, low bandwidth Apache error document but I can't find any information on this.

    Suggestions welcomed.

    Many thanks.
     
    #1 babbler, Feb 7, 2016
    Last edited by a moderator: Feb 7, 2016
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    What most of us do is just create a custom 406 page. By default, if one does not exist, many CMSs will redirect to their 404, which is not ideal.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    This is completely correct. The "easiest" fix is just to add this to the sites .htaccess:

    Code:
    ErrorDocument 406 Default
    
     
  4. babbler

    Many thanks for your replies and I agree that this is the way to go.
    My understanding of this is a bit patchy though, so forgive me if I am asking the obvious.
    • The rule is redirecting with status 302:
      "Message: Access denied with redirection to example.com using status 302 (phase 2)"
      This is the redirecting I am trying to stop, so no error document is being invoked.
    • I don't want to add the ErrorDocument statement to individual sites' .htaccess since I have in the region of 150 sites.
      Can I use this statement in an .htaccess file in the /home directory, for instance, to apply to all sites under that directory?
    • I have seen the ErrorDocument statement used in the modsec2.user.conf file (unless I misunderstood the article).
      Is this allowable?
     
  5. quizknows

    Technically you could add it to modsec2.user.conf (nothing in the apache manual disallows that) but it's not the right way.

    Yes, you could put the errordocument directive into /home/.htaccess (this is what I would recommend, but only for uncommon statuses like 406 or 411).

    It is also worth noting that some modsecurity rules may use the directive "redirect" for a matched request instead of "deny" "allow" or "pass". In this case, you may need to find the rule in question to see what it's really doing.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  7. babbler

    Many thanks for your help so far.

    Here is an example of OWASP Rule 950104 that, when triggered, causes a 302 redirect to the homepage:

    Code:
    #
    # [ Decoded /../ Payloads ]
    #
    SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm ..\ ../" "phase:request, msg:'Path Traversal Attack (/../)', id:'1', ver:'OWASP_CRS/3.0.0', rev:'1', maturity:'9', accuracy:'7', multiMatch, t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls, block, severity:CRITICAL, logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', capture, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-local file inclusion', tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.lfi_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

    I can't see where the redirect is happening?

    @quizknows - can you explain further why I should use the ErrorDocument directive in /home/.htaccess only for uncommon statuses like 406 or 411?
    What I'd like to achieve is that ModSec stops redirecting to the CMS and instead just drops the request with a simple error document.

    I hope I haven't missed the obvious.

    Thanks again for your time.
    Much appreciated.
     
  8. quizknows

    The reason I say you should only redirect uncommon statuses in /home/.htaccess is because more common statuses like 301, 302, 404 etc. are very likely to be already handled in a user's .htaccess, so you could cause unpredictable or unwanted behaviours on those sites.

    The rule itself contains "block" in the action chain. This is similar to "deny" except that it inherits the info from the previous SecDefaultAction.

    What is probably happening here is this:

    Request is blocked, returns 406
    browser requests 406.shtml, but site has no 406.shtml; request turns into 404
    site 404 handling likely sends request back to homepage (I know wordpress does this, as it rewrites 404's through index.php).

    Creating the errordocuments for 406 and/or 500 should fix this. I've had to do this many times.

    If you still have issues, watch the site's Apache access log while you do the request, or download the Firefox plugin "Tamper Data" and open it / monitor it as you make the request. It will show you the URLs you are requesting and their associated HTTP response codes from the server.
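
    The chain quizknows describes (blocked request, 406, missing 406.shtml, CMS 404 handling, 302 to the homepage) reproduced locally, as an added example that is not part of this thread or of cPanel's or ModSecurity's code. A small Python HTTP server stands in for Apache plus a WordPress-style site and serves two assumed hostnames, broken.test (no custom 406 document) and fixed.test (one present); probe() is the check from the last paragraph done by hand: send a request ModSecurity would block and read the status code and Location header without following redirects. The payload, hostnames and the server's behaviour are constructed for the example.

```python
"""Reproduce the 406 -> missing 406.shtml -> CMS 404 -> 302 chain locally.

Added example, not from the thread. A tiny HTTP server stands in for Apache
plus a WordPress-style site. Two assumed hostnames are served: 'broken.test'
has no custom 406 document, 'fixed.test' has one. probe() is the check you
would run against a real host: send a payload ModSecurity blocks and read
the status code without following redirects.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed per-host configuration (stand-in for each site's .htaccess).
SITES = {
    "broken.test": {"error_docs": {}},   # falls back to /406.shtml, which does not exist
    "fixed.test": {"error_docs": {406: b"<h1>406 Not Acceptable</h1>"}},
}

def waf_blocks(path: str) -> bool:
    """Crude stand-in for the CRS path-traversal rule quoted in the thread."""
    return "../" in path or "..\\" in path

class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        site = SITES.get(host, SITES["broken.test"])
        if waf_blocks(self.path):
            self.error_document(site, 406)
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def error_document(self, site, status):
        body = site["error_docs"].get(status)
        if body is not None:
            # A custom ErrorDocument exists: the client sees the real status.
            self.send_response(status)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(body)
            return
        # No custom page: per the thread, Apache sub-requests /406.shtml, the
        # file is missing, and the CMS catch-all rewrite handles the 404 by
        # redirecting to the homepage. That 302 is all the client ever sees.
        self.send_response(302)
        self.send_header("Location", "/")
        self.end_headers()

def probe(port, host, path):
    """Return (status, Location) for one request without following redirects."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": host})  # explicit Host, like a vhost probe
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def run_demo():
    """Probe both constructed sites with a traversal payload and one clean request."""
    srv = start_server()
    try:
        port = srv.server_port
        payload = "/index.php?f=../../etc/passwd"   # constructed test input
        return {
            "broken": probe(port, "broken.test", payload),
            "fixed": probe(port, "fixed.test", payload),
            "clean": probe(port, "fixed.test", "/index.php?f=about"),
        }
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for name, (status, location) in run_demo().items():
        print(f"{name:6s} -> {status} {location or ''}")
```

    Against a real host, point probe() at the server's address and port with the site's hostname in the Host header: a 302 to / on a traversal payload means the error document is not being served, a 406 means it is.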
     
  9. babbler

    Wow... finally I understand!
    I knew that WordPress sends everything through the index page but it didn't compute in my head that this also applies when it is serving a 404!
    So a custom 406 in /home is the solution.
    @vanessa this is what you suggested early on but I didn't understand.

    So thank you both for your patience in helping get there.
     
  10. babbler

    OK, so I gave it my best shot and it's still redirecting to the homepage.
    This is what I did:
    1) Created two error documents:
    /home/customerrors/406.html
    /home/customerrors/500.html

    2) Created an .htaccess file
    /home/.htaccess

    3) Added the following to the .htaccess
    ErrorDocument 406 /home/customerrors/406.html
    ErrorDocument 500 /home/customerrors/500.html

    I don't think these are working since I am still seeing 302 redirects to the domains homepage.

    Can you please confirm that I have the paths correctly set.
    I tried a couple of options but nothing works.
    I think I am confused when talking about the Document Root when serving a file from the /home directory as opposed to the domains' own document roots, e.g. /home/useraccount/public_html.

    Many thanks for your patience.
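
    Added example, not from the thread, showing why the two ErrorDocument lines in the post above resolve the way they do. ErrorDocument's second argument is a URL-path, a full URL, a message, or the keyword Default, never a filesystem path: a local URL-path is fetched by an internal sub-request, so Apache looks for /home/customerrors/406.html under the site's DocumentRoot, i.e. /home/useraccount/public_html/home/customerrors/406.html, which does not exist; that sub-request 404s and a CMS catch-all rewrite turns it into the 302 seen earlier. The checker below parses ErrorDocument lines, classifies each target (which also covers the ErrorDocument 406 Default form from post 3) and resolves local ones against a DocumentRoot plus an optional alias map. The alias map models an Alias /customerrors/ /home/customerrors/ directive in the global Apache config; that directive is my suggestion, not something the thread proposes. The temporary directory layout and all paths in demo() are constructed.

```python
"""Check where an ErrorDocument target actually resolves for a given site.

Added example, not from the thread. Apache reads the second argument of
ErrorDocument as: the keyword Default, a full URL (external redirect), a
local URL-path starting with '/', or otherwise a literal message. A local
URL-path is served by an internal sub-request under the site's DocumentRoot
(or under a directory an Alias maps it to), so a filesystem path such as
/home/customerrors/406.html is looked up in the wrong place and 404s.
"""
import os
import re
import tempfile

ERRORDOC_RE = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(.+?)\s*$', re.I)

def parse_errordocs(htaccess_text):
    """Return {status: target} for every ErrorDocument line in the text."""
    docs = {}
    for line in htaccess_text.splitlines():
        m = ERRORDOC_RE.match(line)
        if m:
            docs[int(m.group(1))] = m.group(2).strip('"')
    return docs

def resolve_target(target, docroot, aliases=None):
    """Classify one target and, for local URL-paths, resolve it on disk.

    Returns (kind, detail): kind is 'default', 'external', 'message',
    'file' (resolved path exists) or 'missing' (resolved path does not).
    """
    if target.lower() == "default":
        return "default", None
    if target.lower().startswith(("http://", "https://")):
        return "external", target
    if not target.startswith("/"):
        return "message", target          # Apache serves other text as a literal message
    # Longest alias prefix wins, mirroring how Alias is matched against the URL-path.
    for prefix, directory in sorted((aliases or {}).items(), key=lambda kv: -len(kv[0])):
        if target.startswith(prefix):
            fs_path = os.path.join(directory, target[len(prefix):])
            break
    else:
        fs_path = os.path.join(docroot, target.lstrip("/"))
    return ("file" if os.path.isfile(fs_path) else "missing"), fs_path

def audit(htaccess_text, docroot, aliases=None):
    """Map every ErrorDocument status to its (kind, detail) resolution."""
    return {code: resolve_target(t, docroot, aliases)
            for code, t in parse_errordocs(htaccess_text).items()}

def demo():
    """Rebuild the thread's layout in a temp dir (constructed, not a real server)."""
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "useraccount", "public_html")  # stands in for /home/useraccount/public_html
        errdir = os.path.join(root, "customerrors")                 # stands in for /home/customerrors
        os.makedirs(docroot)
        os.makedirs(errdir)
        for code in (406, 500):
            with open(os.path.join(errdir, f"{code}.html"), "w", encoding="utf-8") as fh:
                fh.write(f"<h1>{code}</h1>")
        # The lines from the post: filesystem paths, which Apache reads as URL-paths under DocumentRoot.
        as_posted = audit("ErrorDocument 406 /home/customerrors/406.html\n"
                          "ErrorDocument 500 /home/customerrors/500.html\n", docroot)
        # Same files reached through a URL prefix, assuming 'Alias /customerrors/ /home/customerrors/'
        # in the global httpd config (my suggestion, not from the thread).
        via_alias = audit("ErrorDocument 406 /customerrors/406.html\n"
                          "ErrorDocument 500 /customerrors/500.html\n"
                          "ErrorDocument 404 Default\n", docroot, {"/customerrors/": errdir})
        return ({c: k for c, (k, _) in as_posted.items()},
                {c: k for c, (k, _) in via_alias.items()})

if __name__ == "__main__":
    posted, aliased = demo()
    print("as posted :", posted)
    print("via alias :", aliased)
```

    Run audit() over each account's .htaccess with that account's document root: any 'missing' result is an error page that will fall through to the CMS's 404 handling exactly as described earlier in the thread.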
     
  11. quizknows
