0

I installed the security2 module on my Apache server by adding the following lines to my httpd.conf:

<IfModule security2_module>
    Include crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include crs/owasp-modsecurity-crs/base_rules/*.conf
</IfModule>

When I try to access my server via HTTP I get the message: "Forbidden You don't have permission to access / on this server"

Then I went to that module's log and I see the following error:

--72348f1e-B--
GET / HTTP/1.1
Host: 192.8.9.70
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6,da;q=0.4

--72348f1e-F--
HTTP/1.1 403 Forbidden
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 202
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--72348f1e-E--

--72348f1e-H--
Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.8.9.70"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
Action: Intercepted (phase 2)
Stopwatch: 1435777069259012 1803 (- - -)
Stopwatch2: 1435777069259012 1803; combined=768, p1=644, p2=93, p3=0, p4=0, p5=30, sr=382, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"

I'm assuming that there's something that is not configured well with this module. Any help is appreciated.

VaTo

1 Answer

2

Looks like mod_security is working perfectly. It blocked the request because the Host header only contained an IP address, which is what this rule is meant to do.

You should be using an actual hostname to refer to your web site, in production. It's also a good idea in development too, but if you need to use an IP address in development you can always disable that rule.

Michael Hampton
  • Thank you @Michael Hampton for your response. I have to use an IP because this is my testing server; once I see that everything looks good I can install it on my production server. So, what's the point of having a rule that blocks traffic if your server is addressed by IP, and does that mean it will block ALL incoming traffic? And how can I disable that rule and enable it back when I put it on my production server? Thank you! – VaTo Jul 02 '15 at 04:09
  • The point of the rule is that most people shouldn't connect to a server by IP address, so someone who is using an IP address may be someone iterating through all IPs testing for a known issue or vulnerability. You can disable it using SecRuleRemoveById, but personally I dislike running different rules in test and production, as then it's not a true test env. Why can't you have a hostname for your dev server? – Barry Pollard Jul 02 '15 at 06:04
  • Thank you @BazzaDP, where does that rule go? Inside ? In that case I did SecRuleRemoveById Off and it didn't do it. Could you tell me where I have to run it? Thanks! – VaTo Jul 02 '15 at 17:05
  • @SaulOrtega "Off" is clearly not the rule ID. That you can find in the log entry. – Michael Hampton Jul 02 '15 at 17:08
  • You should add "SecRuleRemoveById 960017" to your config anywhere AFTER you load the modsecurity_crs_21_protocol_anomalies.conf file which defines this rule. – Barry Pollard Jul 02 '15 at 17:51
  • However, what if part of your app connects via IP address in the backend and you don't realise this? It will work in test but not when you go to prod. This is why I don't like having different rules in test and prod. Unless you disable the rule in prod too, but then you lose the protection that rule gives you in prod. Personally I think it's easier to connect via a real host name or DNS alias to test and leave the rule there for both. – Barry Pollard Jul 02 '15 at 17:57
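To pull the blocking rule's id (the value SecRuleRemoveById needs) and the other bracketed fields out of an audit-log entry like the one in the question, here is an added Python example; it is not from this thread or from ModSecurity itself, and the sample entry is a constructed, shortened copy of the one above.

```python
import re

# Constructed sample: parts B, F and H of a ModSecurity 2.x serial audit log entry, marked --<id>-<part>--
SAMPLE_AUDIT_ENTRY = r"""--72348f1e-B--
GET / HTTP/1.1
Host: 192.8.9.70
--72348f1e-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
--72348f1e-H--
Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [msg "Host header is a numeric IP address"] [data "192.8.9.70"] [severity "WARNING"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
"""

SECTION_RE = re.compile(r"^--[0-9a-f]+-([A-Z])--\n", re.M)   # part boundary lines
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [key "value"] pairs
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})", re.M)        # status line in part F

def split_sections(entry):
    """Map each part letter (B, F, H, ...) to the text of that part."""
    parts = SECTION_RE.split(entry)   # ['', 'B', body, 'F', body, 'H', body]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def parse_messages(h_section):
    """Turn each 'Message:' line of part H into a dict of its bracketed fields."""
    messages = []
    for line in h_section.splitlines():
        if not line.startswith("Message:"):
            continue
        fields = {"tags": []}
        for key, value in FIELD_RE.findall(line):
            if key == "tag":              # 'tag' repeats, so collect it as a list
                fields["tags"].append(value)
            else:
                fields[key] = value
        # Only "Access denied" messages blocked the request; plain warnings did not.
        fields["intercepted"] = line.startswith("Message: Access denied")
        messages.append(fields)
    return messages

def parse_audit_entry(entry):
    """Response status code plus every rule message from the trailer (part H)."""
    sections = split_sections(entry)
    status = STATUS_RE.search(sections.get("F", ""))
    return {"status": int(status.group(1)) if status else None, "messages": parse_messages(sections.get("H", ""))}

def blocking_rule_ids(entry):
    """IDs of the rules that actually intercepted the request."""
    return [m["id"] for m in parse_audit_entry(entry)["messages"] if m["intercepted"] and "id" in m]
```

Running it over the sample yields the single id 960017, the same one the comments above say to pass to SecRuleRemoveById.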