
Host header is a numeric IP address - why the fuss from mod_security?

Comments

9 comments

  • ZenHostingTravis
    Hi @jeffschips, You can whitelist IP addresses. The following link may assist you further: Whitelisting IP addresses for "host header is a numeric ip address" error · Issue #127 · SpiderLabs/owasp-modsecurity-crs, assuming you're using the OWASP ruleset.
  • jeffschips
    Hi @ZenHostingTravis, and thank you. I've read posts like this, but my confusion is that some posters say you need to whitelist the client while others say you need to whitelist the host. So to confirm: you are suggesting whitelisting the IP address of my cPanel server, is that correct?
  • jeffschips
    Any issues if disabling the rule entirely?
  • andrew.n
    Yes, it's certainly possible. I believe the easiest would be to use the ModSecurity Control plugin from ConfigServer, where you can disable specific rules per account/domain/subdomain level:
  • jeffschips
    Thank you. I tried the ConfigServer ModSecurity Control about a year ago and wasn't that impressed with the interface. It seemed clunky and some of the prompts were confusing. I'll give it another try though. So to confirm: turning off the rule "Rule ID: 920350 Host header is a numeric IP address" is possible, but is it advisable?
  • andrew.n
    I believe turning that off for only that specific domain/subdomain would be safe enough.
  • cPRex Jurassic Moderator
    It's common to disable specific rules either server-wide or per domain, so that would be the easiest way to take care of that issue on the system.
  • jeffschips
    I think I may have not been very clear: I understand that I can turn off the rule based on the host being a numeric IP address; however, it would seem that rule 920350 contains the following rules:

        SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
            "id:920350,\
            phase:2,\
            block,\
            t:none,\
            msg:'Host header is a numeric IP address',\
            logdata:'%{MATCHED_VAR}',\
            tag:'application-multi',\
            tag:'language-multi',\
            tag:'platform-multi',\
            tag:'attack-protocol',\
            tag:'paranoia-level/1',\
            tag:'OWASP_CRS',\
            tag:'capec/1000/210/272',\
            tag:'PCI/6.5.10',\
            ver:'OWASP_CRS/3.3.0',\
            severity:'WARNING',\
            setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"

    and further down the rabbit hole, in the modsec_audit.log entry associated with this rule, there are conditions being met which also raise flags:

        Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "host.numer.ic.ip.address"] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "host.numer.ic.ip.addr"] [uri "/"] [unique_id "YMZzTgKhdfzxdvW76O3erwAAAMU"]

    So am I doing myself a disservice by eliminating a rule which indeed is not just raising flags about the "numeric IP address issue" but also providing needed protection against what comes later, i.e., the pattern match in the above code?
  • cPRex Jurassic Moderator
    That part is really up to you to decide. Additional details about how the pattern matching happens can be found here:
