
mod_evasive is triggering the errors below from SquirrelMail on Apache 2.4.43-1 on Fedora 31. Because this results in a 403 Forbidden response, Fail2ban is also triggered and blocks the IP, since it appears that the IP tries to access the 403 page 14 times in one second.

--edcee57e-H--
Apache-Error: [file "mod_evasive24.c"] [line 246] [level 3] client denied by server configuration: /usr/share/squirrelmail/src/download.php
Stopwatch: 1589996607573590 807 (- - -)
Stopwatch2: 1589996607573590 807; combined=17, p1=14, p2=0, p3=1, p4=0, p5=2, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"


--2e27f75e-A--
[20/May/2020:13:43:27 --0400] XsVsPwEF4uYj6YmmONPmNQAAAA0 100.2.59.191 61033 192.168.1.150 443
--2e27f75e-B--
GET /webmail/src/download.php?absolute_dl=true&passed_id=88182&mailbox=INBOX&ent_id=21 HTTP/1.1
Host: ourserver
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: webmail/src/view_text.php?mailbox=INBOX&passed_id=88182&startMessage=1&override_type0=text
&override_type1=html&ent_id=1.2
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: SQMSESSID=b02f9leiqrnb57oruqn1q4rg2n; key=iPK2%2F5VcJZTy; squirrelmail_language=deleted; _gcl_au=1.1.1696595094.158384684
8; _ga=GA1.2.90971774.1583846849; _fbp=fb.1.1583846848988.158985109; notice_preferences=2:; notice_gdpr_prefs=0,1,2:; __utma=2396
34460.90971774.1583846849.1585679900.1585679900.1; __utmz=239634460.1585679900.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|
utmctr=(not%20provided)


--2e27f75e-F--
HTTP/1.1 403 Forbidden
Content-Length: 199
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--2e27f75e-E--

--2e27f75e-H--
Apache-Error: [file "mod_evasive24.c"] [line 246] [level 3] client denied by server configuration: /usr/share/squirrelmail/src/download.php
Stopwatch: 1589996607580104 474 (- - -)
Stopwatch2: 1589996607580104 474; combined=14, p1=12, p2=0, p3=1, p4=0, p5=1, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

Here are the contents of the download.php file:

cat /usr/share/squirrelmail/src/download.php
<?php

/**
 * download.php
 *
 * Handles attachment downloads to the users computer.
 * Also allows displaying of attachments when possible.
 *
 * @copyright 1999-2019 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id: download.php 14800 2019-01-08 04:27:15Z pdontthink $
 * @package squirrelmail
 */

/** This is the download page */
define('PAGE_NAME', 'download');

/**
 * Path for SquirrelMail required files.
 * @ignore
 */
define('SM_PATH','../');

/* SquirrelMail required files. */
// NOTE(review): include/validate.php is presumably where the login/session
// check runs before any of the code below executes -- confirm against that
// file; nothing in this script checks authentication on its own.
require_once(SM_PATH . 'include/validate.php');
require_once(SM_PATH . 'functions/imap.php');
require_once(SM_PATH . 'functions/mime.php');

// Emit an empty Pragma header and "Cache-Control: cache" before any
// attachment bytes are written.
// NOTE(review): presumably this replaces no-cache headers set earlier so the
// browser can save the download -- confirm. The response body is private mail
// content and no "private" directive is sent here, so check that intermediate
// proxies/caches in front of this server are not allowed to store it.
header('Pragma: ');
header('Cache-Control: cache');

/* globals */
// Request state is pulled from three places: the cookie (key), the server
// side session (username, onetimepad, messages) and the query string
// (mailbox, ent_id, absolute_dl, passed_id).
//
// $key comes straight from the "key" cookie and is handed to sqimap_login()
// below as its second argument, so it is credential material: any request or
// audit log that records the Cookie header captures it.
sqgetGlobalVar('key',        $key,          SQ_COOKIE);
sqgetGlobalVar('username',   $username,     SQ_SESSION);
// $onetimepad is fetched here but not referenced again in this file.
sqgetGlobalVar('onetimepad', $onetimepad,   SQ_SESSION);
sqgetGlobalVar('messages',   $messages,     SQ_SESSION);
// mailbox, ent_id and absolute_dl are used as received; this file applies no
// filtering to them.
// NOTE(review): validation is presumably left to the IMAP/MIME helpers they
// are passed to -- confirm.
sqgetGlobalVar('mailbox',    $mailbox,      SQ_GET);
sqgetGlobalVar('ent_id',     $ent_id,       SQ_GET);
sqgetGlobalVar('absolute_dl',$absolute_dl,  SQ_GET);
// passed_id is the only query parameter normalised here (sqrestrict_to_num).
// NOTE(review): $passed_id is assigned only when the parameter is present,
// yet it is used unconditionally further down -- a request without passed_id
// reaches those lines with the variable undefined.
if ( sqgetGlobalVar('passed_id', $temp, SQ_GET) ) {
    $passed_id = sqrestrict_to_num($temp);
}

global $default_charset;
set_my_charset();

/* end globals */

global $uid_support;

global $imap_stream_options; // in case not defined in config
// Open the IMAP session with the session username and the cookie-supplied
// key, then select the mailbox named in the query string.
// $imapServerAddress and $imapPort are not assigned in this file
// (presumably configuration globals -- confirm).
$imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0, $imap_stream_options);
$mbx_response =  sqimap_mailbox_select($imapConnection, $mailbox);

$message = '';

// Prefer a message object already held in the session, indexed by the
// mailbox's UIDVALIDITY and the message id.
if (isset($messages[$mbx_response['UIDVALIDITY']]["$passed_id"])) {
    $message = $messages[$mbx_response['UIDVALIDITY']]["$passed_id"];
}

// Nothing usable in the session: fetch the message from the IMAP server.
if (!is_object($message)) {
    $message = sqimap_get_message($imapConnection,$passed_id, $mailbox);
}

// Start from the subject of the outer message; it is the fallback download
// name when the selected part carries no file name of its own.
$subject = $message->rfc822_header->subject;

if (!$ent_id) {
    /* no entity requested: serve the raw message */
    $header   = $message->header;
    $type0    = 'message';
    $type1    = 'rfc822';
    $encoding = '7bit';
} else {
    // Narrow $message down to the requested MIME entity. From here on it
    // holds only that entity's header; the body is fetched at output time.
    $message = $message->getEntity($ent_id);
    $header  = $message->header;

    if ($message->rfc822_header) {
        // An embedded message brings its own subject.
        $subject = $message->rfc822_header->subject;
    } else {
        $header = $message->header;
    }

    // Content type and transfer encoding are taken from the part's header,
    // i.e. from data chosen by whoever composed the mail.
    $type0    = $header->type0;
    $type1    = $header->type1;
    $encoding = strtolower($header->encoding);
}

// Optional content-type overrides. Neither variable is assigned anywhere in
// this file.
// NOTE(review): they can only be populated by an include or by a
// register_globals-style import of request variables; if they can be
// request-supplied they decide the Content-Type of the response -- confirm
// where they come from.
$type0 = isset($override_type0) ? $override_type0 : $type0;
$type1 = isset($override_type1) ? $override_type1 : $type1;
// Work out the name offered to the browser. Sources, in order of preference:
// Content-Disposition "filename", Content-Disposition "name", then the
// content-type "name" parameter. All three come from the message itself, so
// the sender of the mail controls them.
// NOTE(review): no explicit CR/LF or quote filtering is visible in this file
// before the value is handed to SendDownloadHeaders(); confirm that helper
// (or decodeHeader/charset_encode) sanitises it before it is placed in a
// response header.
$filename = '';
if (!is_object($message->header->disposition)) {
    $filename = $header->getParameter('name');
} else {
    $filename = $header->disposition->getProperty('filename');
    if (!$filename) {
        $filename = $header->disposition->getProperty('name');
        if (!$filename) {
            $filename = $header->getParameter('name');
        }
    }
}

$filename = charset_encode(decodeHeader($filename, true, false), $default_charset, false);

// No usable name: fall back to the mail subject plus a suffix derived from
// the content type.
if (strlen($filename) < 1) {
    $filename = charset_encode(decodeHeader($subject, true, true), $default_charset, false);

    switch (true) {
        case ($type1 == 'plain' && $type0 == 'text'):
            $suffix = 'txt';
            break;
        case ($type1 == 'richtext' && $type0 == 'text'):
            $suffix = 'rtf';
            break;
        case ($type1 == 'postscript' && $type0 == 'application'):
            $suffix = 'ps';
            break;
        case ($type1 == 'rfc822' && $type0 == 'message'):
            $suffix = 'msg';
            break;
        default:
            // Unrecognised type: the subtype string itself becomes the suffix.
            $suffix = $type1;
    }

    // Empty subject as well: use a generic name built from the entity id
    // (a query-string value, passed through strip_tags only).
    if ($filename == '') {
        $filename = 'untitled' . strip_tags($ent_id);
    }
    $filename .= '.' . $suffix;
}

/**
 * Release the session before streaming. Per the original author's note,
 * SendDownloadHeaders() and mime_print_body_lines() do not write to the
 * session, and mime_print_body_lines() runs for as long as the attachment
 * takes to send; holding the session open for that time can lock up the
 * rest of the interface.
 */
session_write_close();

/*
 * Send the response headers. The last argument is 1 when absolute_dl is set
 * to a true value in the query string and 0 otherwise. According to the
 * original author's note, the forced-download case is served as
 * application/octet-stream so the browser saves it, while the other case
 * lets the attachment be shown inline when the browser can handle it. How
 * the flag is interpreted lives in SendDownloadHeaders(), which is not part
 * of this file.
 */
SendDownloadHeaders($type0, $type1, $filename, !empty($absolute_dl) ? 1 : 0);

/*
 * Stream the body of the selected entity. Any PHP warning written to the
 * output at this point ends up inside the attachment and corrupts it (for
 * example with error reporting at E_ALL and display to the screen).
 *
 * Each request to this script delivers exactly one entity, selected by
 * passed_id/ent_id, so a message view that references several parts results
 * in several requests to this same path in quick succession.
 * NOTE(review): per-URI request-rate limits placed in front of this script
 * may need thresholds sized for that pattern -- confirm against observed
 * traffic.
 */
mime_print_body_lines ($imapConnection, $passed_id, $ent_id, $encoding);

Can this be whitelisted from mod_evasive? Or is there a setting in httpd.conf or the download.php file that can be adjusted?

RobbieTheK