ModSecurity: Access denied with code 403??

henk
Posts: 465
Joined: 14 Dec 2015 22:16
Location: Netherlands

ModSecurity: Access denied with code 403??

Post by henk » 26 Mar 2017 15:08

It's not really a bug, but I hope someone can point me in the right direction.

I monitor the e.f.a server with xymon. In the xymon server hosts file I've got the entry

xx.xx.xx.xx efaserver.XXXXXX.XXX # NAME:TATA ssh ntp pop3 https://efaserver.XXXXXXXX.XXX/mailscanner/ COMMENT:"Spam Server"

Now on the e.f.a. server, I get these errors when xymon client is reporting every 5 min.
In /var/log/httpd/ssl_error_log

[Sun Mar 26 16:42:26 2017] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "399"] [id "960020"] [rev "1"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "efaserver"] [uri "/mailscanner/"] [unique_id "balbalbablabalb"]

and in /var/log/httpd/modsec_audit.log

--91bab259-H--
Message: Access denied with code 403 (phase 2). String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "399"] [id "960020"] [rev "1"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"]
Action: Intercepted (phase 2)
Stopwatch: 1490539647081135 1835 (- - -)
Stopwatch2: 1490539647081135 1835; combined=381, p1=255, p2=62, p3=0, p4=0, p5=63, sr=64, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"

--91bab259-Z--


Disabling in /etc/httpd/conf.d/mod_security.conf

SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security

SecRuleRemoveById 960017
SecRuleRemoveById 950908

SecRuleRemoveById 960020 <================= disable

This does solve the issue, but I do not know if this is the way to go. Basically I'd like to whitelist the xymon server only (by IP or FQDN).
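The following ModSecurity configuration is an added example and is not from the thread or from the eFa project: it shows the global removal beside a scoped exception that lifts rule 960020 only for requests from the monitoring host, which is what the post asks for. The address 192.0.2.10, the rule ids 10001 and 10002, and the placement in /etc/httpd/conf.d/mod_security.conf after the CRS includes are assumptions.

```apache
# Added example (not from the thread): scope the exception instead of removing
# rule 960020 for every client. Assumed to live in
# /etc/httpd/conf.d/mod_security.conf, after the CRS rules have been included,
# i.e. where the SecRuleRemoveById lines from the thread already sit.

# Weak form, as used in the thread: the Pragma/Cache-Control check is switched
# off for everyone, so it stays commented out here.
# SecRuleRemoveById 960020

# Scoped form: drop rule 960020 only for requests from the xymon server.
# 192.0.2.10 is a placeholder; replace it with the monitoring host's address.
# phase:1 matters: the ctl action has to run before phase 2, where 960020 fires.
# id 10001 is inside the 1-99999 range that CRS reserves for local rules.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
    "id:10001,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960020"

# Tighter variant: additionally require the monitored URL, so the exception
# does not cover anything else the same host might request. In a chain the
# non-disruptive ctl action is placed on the last rule so it only takes effect
# when both conditions match.
#SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
#    "id:10002,phase:1,t:none,nolog,pass,chain"
#    SecRule REQUEST_URI "@beginsWith /mailscanner/" \
#        "t:none,ctl:ruleRemoveById=960020"
```

After adding the rule, check the syntax with `apachectl -t` and reload httpd, then confirm that the 5-minute xymon polls no longer produce the 403 in ssl_error_log while a request from any other address that sends Pragma without Cache-Control is still flagged. Keying the exception on the IP address rather than the FQDN is the safer choice: @ipMatch compares addresses directly, whereas a hostname match would need reverse lookups (REMOTE_HOST with HostnameLookups On), which adds a DNS dependency to every request and trusts a PTR record the requester's network controls.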

shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: ModSecurity: Access denied with code 403??

Post by shawniverson » 26 Mar 2017 15:13

That should be sufficient to resolve your issue, unless you can get xymon to pass a Cache-Control header as requested.

darky83
Site Admin
Posts: 540
Joined: 30 Sep 2012 11:03
Location: eFa

Re: ModSecurity: Access denied with code 403??

Post by darky83 » 26 Mar 2017 17:13

What version of xymon are you using for monitoring?

I use the same setup with Xymon 4.3.27 and don't have any of the mod security warnings you see.

henk
Posts: 465
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: ModSecurity: Access denied with code 403??

Post by henk » 26 Mar 2017 17:46

My current xymon server is running on Ubuntu 14.04:
dpkg -l | grep xymon
ii xymon 4.3.7-1ubuntu2 amd64 monitoring system for systems, networks and applications
ii xymon-client 4.3.7-1ubuntu2 amd64 client for the Xymon network monitor

In the xymon server hosts.cfg I've got the entry

xx.xx.xx.xx efaserver.XXXXXX.XXX # NAME:TATA ssh ntp pop3 https://efaserver.XXXXXXXX.XXX/mailscanner/ COMMENT:"Spam Server"

I will change this to CentOS 7 this week, with the terabithia.org/rpms. This will also bump the version to 4.3.28-1.terabithia.

henk
Posts: 465
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: ModSecurity: Access denied with code 403??

Post by henk » 31 Mar 2017 17:46

I can confirm that Xymon running on CentOS 7 with version 4.3.28-1.terabithia solved my issue. ModSecurity works fine without the extra disable line in /etc/httpd/conf.d/mod_security.conf.
