ModSecurity - Domain listed not mine

Comments

5 comments

  • fuzzylogic
    The host column with the domain name in your example is client supplied in the request header:

    Host: domainname.com

    A good client sets it to the domain the client was accessing when the request was made. A bad client can set it to anything.

    The 400 response status was set by Apache in response to a Bad Request (not complying with the HTTP protocol). Once this response status is set, Apache will respond with 400.shtml if it exists (it will not serve /autodiscover/autodiscover.xml). That happened before ModSecurity parsed the request.

    ModSecurity then parsed the request and hit rule 920310. The Justification log is a bit obscure, but if you read rule 920310, it has the chained logic of:

    If the HTTP header named Accept: IS empty AND the HTTP header named User-Agent: IS NOT (AppleWebKit OR Android OR Business OR Enterprise OR Entreprise)

    The severity of this hit is NOTICE, which means this rule has no blocking effect on the request but does log it. Hits to other rules by the same request may still cause ModSecurity to deny it.
    0
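
The two points in fuzzylogic's reply, as an added example that is not part of the original thread: the Host value is whatever the client sent, and the rule fires on the chained condition as the reply describes it. The hosted-domain list, function names and sample requests are constructed; treating an absent Accept header as non-matching and matching the User-Agent tokens case-insensitively are assumptions.

```python
# Added example: names, domains and sample requests are constructed, not from the thread.
HOSTED_DOMAINS = {"example.com", "www.example.com"}  # assumption: what this server serves
# User-Agent tokens exempted by the rule, as listed in the reply above.
UA_EXEMPT = ("AppleWebKit", "Android", "Business", "Enterprise", "Entreprise")

def parse_headers(raw):
    """Return the header block of a raw HTTP request as {lowercase-name: value}."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def host_not_hosted(headers):
    """True when the client-supplied Host names a domain this server does not serve."""
    host = headers.get("host", "").lower().split(":")[0]  # drop any :port
    return host not in HOSTED_DOMAINS

def empty_accept_hit(headers):
    """The chained condition described in the reply: Accept empty AND
    User-Agent containing none of the exempt tokens. Assumptions: an absent
    Accept header does not count as empty; tokens match case-insensitively."""
    if headers.get("accept") != "":
        return False
    ua = headers.get("user-agent", "").lower()
    return not any(tok.lower() in ua for tok in UA_EXEMPT)

def triage(raw):
    """Summarise one request: claimed Host, whether it is hosted here, rule condition."""
    h = parse_headers(raw)
    return {"host": h.get("host"), "foreign_host": host_not_hosted(h),
            "empty_accept_notice": empty_accept_hit(h)}

# Constructed request: Host names a domain that is not hosted on this server.
SCANNER = ("POST /autodiscover/autodiscover.xml HTTP/1.1\r\n"
           "Host: not-hosted.example\r\n"
           "User-Agent: SampleClient/1.0\r\n"
           "Accept:\r\n\r\n")
# Constructed browser request to a hosted domain.
BROWSER = ("GET / HTTP/1.1\r\n"
           "Host: www.example.com:443\r\n"
           "User-Agent: Mozilla/5.0 AppleWebKit/537.36\r\n"
           "Accept: text/html\r\n\r\n")

if __name__ == "__main__":
    for req in (SCANNER, BROWSER):
        print(triage(req))
```

A log entry with `foreign_host` true says only that the client wrote that name in its Host header when it connected to the server's IP address, not that the domain is configured on the server.
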
  • cuzzmunger
    Thank you! The thing is it keeps happening?
    0
  • cPanelMichael
    Hello @cuzzmunger,
    I'm not hosting the domain so why am I seeing these hits along with my ones?

    Do any of its DNS entries resolve to your server's IP address? Thank you.
    0
  • cuzzmunger
    No, I don't think so. I wondered if there is a link to one of my sites or not but can't find any reason.
    0
  • cPanelMichael
    No, I don't think so. I wondered if there is a link to one of my sites or not but can't find any reason.

    Feel free to open a
    0