ModSecurity: Access denied with code 403??
Posted: 26 Mar 2017 15:08
It's not really a bug, but I hope someone can point me in the right direction.
I monitor the e.f.a server with xymon. In the xymon server hosts file I've got the entry
xx.xx.xx.xx efaserver.XXXXXX.XXX # NAME:TATA ssh ntp pop3 https://efaserver.XXXXXXXX.XXX/mailscanner/ COMMENT:"Spam Server"
Now on the e.f.a. server, I get these errors when the xymon client reports every 5 min.
In /var/log/httpd/ssl_error_log
[Sun Mar 26 16:42:26 2017] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2).
String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "399"] [id "960020"] [rev "1"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "efaserver"] [uri "/mailscanner/"] [unique_id "balbalbablabalb"]
and in /var/log/httpd/modsec_audit.log
--91bab259-H--
Message: Access denied with code 403 (phase 2). String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "399"] [id "960020"] [rev "1"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"]
Action: Intercepted (phase 2)
Stopwatch: 1490539647081135 1835 (- - -)
Stopwatch2: 1490539647081135 1835; combined=381, p1=255, p2=62, p3=0, p4=0, p5=63, sr=64, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"
--91bab259-Z--
Disabling in /etc/httpd/conf.d/mod_security.conf
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 960020 <================= disable
This does solve the issue, but I do not know if this is the way to go. Basically I'd like to whitelist the xymon server only (by IP or FQDN).
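One way to scope the exemption to the monitoring host instead of removing rule 960020 for everyone, written as an added example for this post (not configuration from the original): a phase 1 rule that matches the xymon server's source address and disables 960020 for that transaction only. The IP 192.0.2.10, the rule ids 10001/10002 and the placement in /etc/httpd/conf.d/mod_security.conf are assumptions; the ctl action has to run in phase 1 because the CRS rule fires in phase 2.

```apache
# Added example, not part of the original post.
# Exempt only the xymon server (placeholder IP 192.0.2.10) from
# CRS rule 960020 ("Pragma Header requires Cache-Control Header").
# ctl:ruleRemoveById applies to the current transaction only, and
# @ipMatch is available from ModSecurity 2.7.0 onward.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=960020"

# Narrower variant: same source address AND only the monitored URL.
# The ctl action sits on the last rule of the chain so it executes
# only when every link in the chain has matched.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
    "id:10002,phase:1,pass,nolog,chain"
    SecRule REQUEST_URI "@beginsWith /mailscanner/" \
        "ctl:ruleRemoveById=960020"
```

Rule ids 1-99,999 are reserved for local use in the CRS numbering scheme, so the placeholder ids above will not collide with shipped rules; the global SecRuleRemoveById 960020 line can then be dropped and other clients are checked again.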