ModSecurity - A rule is trying to block localhost
Hi, now I know this is a false positive... and localhost cannot be blocked anyway, but a rule that I set in ModSecurity keeps on getting picked up by the IP 127.0.0.1.

[screenshot: ModSecurity Tools, Hit List]

Now this is the current rule here:
#Block any HTTP GET request that has no referring URL
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945987,chain,msg:'GET request blocked, no referer'"
SecRule &HTTP_User-Agent "@eq 0" "chain"
SecRule REQUEST_METHOD "GET" "chain"
SecRule REQUEST_URI "^\/$"
This rule is required to block certain attacks but... it's getting annoying as my log file is getting full of these, as shown in the above image. Is there a way to modify the rule so it excludes that IP? I have whitelisted the IP globally but it still gets detected... and this gets logged every 5 min.
This is a custom rule that I wrote a while back to block POST requests that have no referrer or user agent. It's not supposed to be used for GET requests, as it can block legitimate traffic if the traffic doesn't have a user agent. Can you share the full error log entry? Regardless, you should change all 3 instances of "GET" to "POST" for that rule to be effective and safe. If you do intend to block GETs with those attributes (no UA, no referer) then it's pretty easy to whitelist an IP. Looking at your other thread
--046fbb68-A--
[27/Jan/2015:14:35:03 +1100] VMcHZ8BjyUsAAFbgPWsAAACG 127.0.0.1 51607 127.0.0.1 80
--046fbb68-B--
GET / HTTP/1.0

--046fbb68-F--
HTTP/1.1 411 Length Required
Content-Length: 357
Connection: close
Content-Type: text/html; charset=iso-8859-1

--046fbb68-H--
Message: Access denied with code 411 (phase 2). Pattern match "^\\/$" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "2"] [id "187945987"] [msg "GET request blocked, no referer"]
Apache-Error: [file "core.c"] [line 3732] [level 3] File does not exist: /usr/local/apache/htdocs/411.shtml
Action: Intercepted (phase 2)
Stopwatch: 1422329703345258 317 (- - -)
Stopwatch2: 1422329703345258 317; combined=23, p1=2, p2=14, p3=0, p4=0, p5=7, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--046fbb68-Z--

--2550ff5b-A--
[27/Jan/2015:14:40:32 +1100] VMcIsMBjyUsAAFb9PbgAAAER 127.0.0.1 51616 127.0.0.1 80
--2550ff5b-B--
GET / HTTP/1.0

--2550ff5b-F--
HTTP/1.1 411 Length Required
Content-Length: 357
Connection: close
Content-Type: text/html; charset=iso-8859-1

--2550ff5b-H--
Message: Access denied with code 411 (phase 2). Pattern match "^\\/$" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "2"] [id "187945987"] [msg "GET request blocked, no referer"]
Apache-Error: [file "core.c"] [line 3732] [level 3] File does not exist: /usr/local/apache/htdocs/411.shtml
Action: Intercepted (phase 2)
Stopwatch: 1422330032840651 312 (- - -)
Stopwatch2: 1422330032840651 312; combined=26, p1=3, p2=15, p3=0, p4=0, p5=7, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--2550ff5b-Z--

and it repeats and so on...
Hello :) Did you switch to one IP address per line in your whitelist as referenced in the previous post? Thank you.
127.0.0.1 should be whitelisted by cPanel in the main modsec2.conf:

SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow,id:1234123455
Yes, but like I said, it still picks up the 127.0.0.1 IP within the hit list...

No such rule exists within the main conf file; this is all there is:

LoadFile /opt/xml2/lib/libxml2.so
# LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
SecAuditLogType Concurrent
SecAuditLogStorageDir /usr/local/apache/logs/modsec_audit
SecAuditLogType Concurrent
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
Include "/usr/local/apache/conf/modsec2.user.conf"
Include "/usr/local/apache/conf/modsec2.cpanel.conf"
That's really odd, that rule is on all my updated cPanel boxes. Go ahead and add it to your modsec2.user.conf if you need to. I'd recommend randomizing the rule ID number.
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow,id:10011234

Also, placing it at the top of all my other rules seemed to fix the issue... as having the ID lower than all the others also helped... I am not getting any more hits in the log.
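For anyone landing on this thread later, here is an added example (not from this thread, not cPanel's own configuration) of how a modsec2.user.conf can be laid out so the loopback exemption is evaluated before the blocking rule. It is the ordering in the file, not the numeric ID, that decides which rule ModSecurity evaluates first within a phase. The rule IDs 1000001 and 1000002 are placeholders chosen for this example; the blocking rule is restated with the standard REQUEST_HEADERS collection and limited to POST, as advised above.

```apache
# Added example, not the configuration from this thread or from cPanel.
# Rule IDs 1000001 and 1000002 are placeholders for this example.

# 1. Exempt loopback first. Rules are evaluated in file order within a
#    phase, so this has to come before the blocking rule. phase:1 runs on
#    request headers, before the phase:2 block below. @ipMatch accepts a
#    comma-separated list of addresses or CIDR ranges, so the IPv6 loopback
#    address is covered too. 'allow' on its own stops processing of the
#    remaining phases (except logging); ctl:ruleEngine=Off additionally
#    turns the engine off for this transaction.
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
    "id:1000001,phase:1,nolog,allow,ctl:ruleEngine=Off"

# 2. The blocking rule. In a chain, the disruptive actions (deny, status,
#    log, msg) belong on the first rule; chained rules carry only 'chain'.
#    '&' in front of a variable makes the rule count the matching headers,
#    so "@eq 0" means the header is absent. status:403 avoids the missing
#    /411.shtml error document seen in the audit log above.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1000002,phase:2,deny,status:403,log,msg:'POST request blocked, no Referer and no User-Agent',chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
        SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "chain"
            SecRule REQUEST_URI "@rx ^/$"
```

After restarting Apache, the expected result is that the cPanel "Hit List" no longer shows 127.0.0.1 entries for rule 1000002, while a POST to / from another address with neither header still produces a 403 and an audit-log entry. Keep the exemption as narrow as the loopback addresses actually in use; an over-broad @ipMatch list silently disables the WAF for everything it covers.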
Yep...that is nuts. I have just installed modsecurity on my VPS and it is reporting hits on localhost/127.0.0.1. Certainly this should be whitelisted from the getgo.
Hello, Did you install a particular rule set? Thank you.