ModSec: X-Forwarded-For: Rule processing failed
Hi All,
I have a modsecurity rule that continues to throw a processing error against REQUEST_HEADERS:X-Forwarded-For - no matter how I tweak it.
What's weird is this exact same rule works correctly against REMOTE_ADDR.
My guess is something about the X-Forwarded is not loading / showing correctly for ModSec (maybe Apache config? Apache/2.4.46 (cPanel)).
Rule is:
SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatchFromFile blacklist-ips.txt" "id:4100003, phase:1, log, drop, status:411, msg:' *** blacklist Custom IPs X-Forwarded-For'"
Error is:
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 85.115.60.201] ModSecurity: Rule processing failed (id=4100003, msg= *** blacklist Custom IPs X-Forwarded-For). [hostname "[redacted].com"] [uri "/"] [unique_id "X1EKKw8RDek5sznInPGFjAAAABU"]
After the first error there is a cascade of rule processing errors for all the other rules after the failure (if that matters).
The forwarded line from the mod_sec audit log is:
X-Forwarded-For: 94.23.238.218, 85.115.60.201
Any suggestions for what I might be missing here?
Thanks!
Steve

If this is a custom rule you might also look here for assistance: ModSecurity: Download Code

I'm guessing, but your rule in Phase 1 (Request headers) on match it issues the Drop command...
drop
Description: "Initiates an immediate close of the TCP connection by sending a FIN packet."
Your rule then attempts to write a response header "status:411" which cannot occur until Phase 3 (Response headers).
If you want your rule to execute in Phase 1 (Request headers), remove "status:411".
If you want it to work as is, change its operating Phase to Phase 3 (Response headers). (kind of defeats the purpose of resource protection)
If you want it to operate in Phase 1 (Request headers) and log the 411 status, change the disruption to deny.
These are untested by me so may be incorrect.

All good suggestions but still no luck.
Further information:
If the X-Forwarded-For only contains a single IP address, the rule does not error.
If the X-Forwarded-For contains 2 IP addresses, separated by a comma - that's when the rule failure occurs.
Example: Ukraine via SoftLayer in NL:
X-Forwarded-For: 193.106.30.99, 169.46.84.217
Result: ModSecurity: Rule processing failed
Same IP via mojobroadband.co
X-Forwarded-For: 193.106.30.99, 208.86.120.136
Result: ModSecurity: Rule processing failed
Different error - same issue :(
Same IP set and rule do not fail on REMOTE_ADDR, only X-Forwarded-For with more than one IP
Steve
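
Added example, not part of the thread and not ModSecurity's own code: a Python illustration of the behaviour reported above, where a single-address header matches and a comma-separated one fails. It assumes the matcher is handed the whole header value as one string; the function names and the sample blocklist (thread addresses plus a constructed CIDR) are constructed for illustration.

```python
import ipaddress

# Constructed sample blocklist, one entry per line (single IP or CIDR).
BLOCKLIST_TEXT = """\
# constructed sample entries
193.106.30.99
85.115.60.0/24
"""

def load_blocklist(text):
    """Parse blocklist lines into networks, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def match_whole_value(value, nets):
    """Treat the entire header value as ONE address (assumed matcher behaviour).

    Works for REMOTE_ADDR-style input; raises ValueError for "a, b".
    """
    addr = ipaddress.ip_address(value.strip())
    return any(addr in net for net in nets)

def match_each_hop(value, nets):
    """Split X-Forwarded-For on commas and test every hop separately.

    Returns (matched_addresses, unparseable_tokens) so malformed entries
    are reported instead of aborting the whole check.
    """
    matched, unparseable = [], []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            unparseable.append(token)  # e.g. "unknown" or other non-IP text
            continue
        if any(addr in net for net in nets):
            matched.append(str(addr))
    return matched, unparseable
```

Entries in X-Forwarded-For other than those appended by proxies you operate are client-supplied, so a per-hop match is a signal about the request, not proof of its origin.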