csf-lfd/mod_security blocked my gateway
Hello
I have a WHM/cPanel server with CSF/LFD installed and mod_security enabled.
I used to log in to WHM/cPanel from one of my local Windows boxes through a Linux (CentOS 5) NAT gateway (with a public IP address). One day CSF/LFD on the server blocked my gateway from accessing it. The csf.deny entry shows as:
lfd: (mod_security) mod_security (id:1234123435) triggered by 5 in the last 300 secs - Fri May 16 17:44:09 2014.
This means some unwanted/incorrect access occurred from my PC to the server. How can I check what could have caused mod_security to block my PC? I know that I need to watch the outgoing traffic on my gateway, but the right log files/commands/WHM options etc. is what I am looking for.
Santhosh
-
Hello :) To confirm, are you sure the access attempts were not legitimate (e.g. some application on your computer that connects to your server)? Thank you.
-
Check the Apache error log for that IP; it should tell you what rule ID(s) was/were violated.
-
[quote="santhosh_scs, post: 1647272"]mod_security (id:1234123435)[/quote]
This rule is often triggered as a false positive, e.g. when trying to access the host server over https where no certificate is installed. The documentation about mod_security under EasyApache can be found here: [url=http://docs.cpanel.net/twiki/bin/vief/EasyApache/Apache/ModSecurity]Apache Module: Security[/url]
[quote]mod_security stores the log file in: /usr/local/apache/logs/modsec_audit.log. If you install mod_ruid2 and mod_security, the mod_security log location is: /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id].[/quote]
In the log file you can find the URL which triggered the error.
-
I checked the server logs for this IP and could see:
[Fri May 16 17:44:03 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUszJh2@oAACHgHIgAAAAO"]
[Fri May 16 17:44:03 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:03 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUszJh2@oAACJTJ84AAAAI"]
[Fri May 16 17:44:03 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:04 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUtDJh2@oAACIDIIUAAAAa"]
[Fri May 16 17:44:04 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:06 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUtjJh2@oAACIHIcUAAAAi"]
[Fri May 16 17:44:06 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:07 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUtzJh2@oAACHfHCMAAAAM"]
[Fri May 16 17:44:07 2014] [error] [client ip_changed] File does not exist: /home/home_changed/public_html/501.shtml
[Fri May 16 17:44:07 2014] [error] [client ip_changed] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.host.name"] [uri "/images/header/email_header.jpg"] [unique_id "U3aUtzJh2@oAACIQJVAAAAAr"]
-
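An added triage helper, not code from the thread, cPanel or CSF: it parses Apache error_log lines in the format posted above, keeps only the ModSecurity "Access denied" entries, and reproduces the "5 in the last 300 secs" count so the rule id, message and URI behind an LFD mod_security block can be read off per client IP. The sample lines, IP addresses, hostname and unique_ids are constructed placeholders.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample modelled on the error_log excerpt in the thread; IPs, hostname and unique_ids are placeholders.
RULE = ('ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against '
        '"REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "1234123435"] '
        '[msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.example.com"] [uri "/images/header/email_header.jpg"]')
SAMPLE_LOG = [
    '[Fri May 16 17:44:03 2014] [error] [client 203.0.113.10] ' + RULE + ' [unique_id "id1"]',
    '[Fri May 16 17:44:03 2014] [error] [client 203.0.113.10] File does not exist: /home/user/public_html/501.shtml',
    '[Fri May 16 17:44:03 2014] [error] [client 203.0.113.10] ' + RULE + ' [unique_id "id2"]',
    '[Fri May 16 17:44:04 2014] [error] [client 203.0.113.10] ' + RULE + ' [unique_id "id3"]',
    '[Fri May 16 17:44:06 2014] [error] [client 203.0.113.10] ' + RULE + ' [unique_id "id4"]',
    '[Fri May 16 17:44:07 2014] [error] [client 203.0.113.10] ' + RULE + ' [unique_id "id5"]',
    '[Fri May 16 17:55:00 2014] [error] [client 198.51.100.7] ' + RULE + ' [unique_id "id6"]',  # lone hit, not blocked
]

# Apache 2.2 error_log prefix; the optional :port keeps this working on 2.4-style "[client ip:port]" lines too.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]:\s]+)(?::\d+)?\] ModSecurity: Access denied')
KV_RE = re.compile(r'\[(id|msg|uri|hostname) "([^"]*)"\]')  # the bracketed fields worth triaging

def parse_denials(lines):
    """Yield (timestamp, client_ip, {id, msg, uri, hostname}) for each 'Access denied' line, skipping the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("ip"), dict(KV_RE.findall(line))

def offenders(lines, threshold=5, interval=300):
    """Return {ip: hits} for clients with >= threshold denials inside any interval-second span.
    This approximates the 'triggered by 5 in the last 300 secs' decision quoted from csf.deny above."""
    by_ip = defaultdict(list)
    for ts, ip, fields in parse_denials(lines):
        by_ip[ip].append((ts, fields))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            window = [h for h in hits[i:] if (h[0] - start).total_seconds() <= interval]
            if len(window) >= threshold:
                flagged[ip] = window
                break
    return flagged

def rule_summary(flagged):
    """Per flagged IP, count (rule id, msg, uri) tuples so the offending rule and URL are obvious at a glance."""
    return {ip: Counter((f.get("id"), f.get("msg"), f.get("uri")) for _, f in hits)
            for ip, hits in flagged.items()}
```

Run it against the real file with `offenders(open("/usr/local/apache/logs/error_log"))`; the "File does not exist: .../501.shtml" lines are ignored because they are a side effect of the denial, not a rule hit.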
Just as a note, I recommend that you use this link: http://documentation.cpanel.net/display/EA/Apache+Module%3A+ModSecurity We are no longer updating the docs.cpanel.net site. The main page for our new documentation site is http://documentation.cpanel.net.