I have a WordPress site on a VPC and I'm trying to tweak ModSecurity to reduce the false positives. I have Jetpack monitoring which is being denied when ModSecurity is active.
Log from Apache error.log

[Sun Jul 26 20:25:31.569393 2015] [:error] [pid 5544] [client 192.0.84.33] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "www.randomhikes.com"] [uri "/"] [unique_id "VbWIi38AAAEAABWoVtoAAAAE"]

From modsec_audit.log

--a5af5c33-A--
[26/Jul/2015:20:26:27 --0500] VbWIw38AAAEAABWngAIAAAAD 122.248.245.244 4366 172.31.41.204 80
--a5af5c33-B--
HEAD / HTTP/1.1
Host: www.randomhikes.com
User-Agent: jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)
Connection: Close

--a5af5c33-F--
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html; charset=iso-8859-1

--a5af5c33-E--

--a5af5c33-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1437960387776697 11287 (- - -)
Stopwatch2: 1437960387776697 11287; combined=11003, p1=10427, p2=458, p3=0, p4=0, p5=95, sr=31, sw=23, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"

--a5af5c33-Z--

From the research I've done over the past few hours, it looks like ModSecurity is rejecting JetMon because it isn't sending an Accept header, and it is therefore being flagged as a potential malicious attack.

I'm hoping I can write an override for the virtual host .conf file that will either allow the jetmon user agent to try to access '/' without an Accept Header, or will allow the Jetmon IP through without a valid Accept Header. But I haven't had much luck finding anything that would allow me to do that.

I found this rule elsewhere, but it looks like it will accept ALL requests:

SecRule REQUEST_URI "/" chain
SecRule &REQUEST_HEADERS:Accept-Language "@eq 0"
dangel

1 Answer

You can whitelist the JetMon server itself if it is under your control. In your mod_security.conf file, add the following line:

# id: is mandatory on every SecRule in ModSecurity 2.7+ (the version in your audit log);
# 1001 is an arbitrary local ID, pick any unused value.
# 'allow' in phase 1 ends rule processing for the whole transaction, so no CRS rule
# at all is evaluated for this address.
SecRule REMOTE_ADDR "^xxx\.xxx\.xxx\.xxx$" "id:1001,phase:1,nolog,allow,ctl:ruleEngine=Off"

Replace xxx with your IP address octets. The other option is of course to turn off the rule which is causing problems, but that is not recommended practice at all.

Update: Perhaps even better, you can disable just a single rule for the JetMon host. Please note that I picked up the rule ID from your modsec_audit.log entry.

# 'pass' (not 'allow') so that the request still goes through phase 2 with every
# other CRS rule intact; ctl:ruleRemoveById runs in phase 1 because it only affects
# rules evaluated after it, and 960015 is a phase 2 rule.
# 1002 is an arbitrary local ID, pick any unused value.
SecRule REMOTE_ADDR "^xxx\.xxx\.xxx\.xxx$" "id:1002,phase:1,nolog,pass,ctl:ruleRemoveById=960015"

Hope this helps.

ngn
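The exclusion below is an added example for the question and answer above; it is not code from the original post or from Jetpack. Pinning the exclusion to one address is fragile for Jetpack Monitor: the two log excerpts on this page already show two different client addresses hitting rule 960015 within a minute of each other (122.248.245.244 in the audit log, where the jetmon User-Agent is visible, and 192.0.84.33 in error.log, assumed here to be the monitor as well). The rule therefore keys on the User-Agent seen in the audit log and chains an @ipMatch on the addresses you have observed, removing only 960015 for that transaction. The rule ID 1001 is an arbitrary local value (assumed), and the address list is meant to be extended as more jetmon addresses turn up in your logs. Drop it into the site's VirtualHost (SecRule is valid in that context), then run `apachectl configtest` before reloading.

```apache
# Added example, not from the original question or answer.
# Jetpack Monitor exclusion: remove only CRS rule 960015 (Request Missing an
# Accept Header) for requests that both carry the jetmon User-Agent AND come
# from an address on the observed list. Everything else in the CRS still runs.
#
# - phase:1  : ctl:ruleRemoveById only affects rules evaluated after it, and
#              960015 is a phase:2 rule, so the exclusion must fire in phase 1.
# - pass     : unlike 'allow', the transaction continues into phase 2.
# - chain    : the ctl action sits on the LAST rule of the chain; in
#              ModSecurity 2.x a non-disruptive action placed on the chain
#              starter executes as soon as the starter matches, even if the
#              rest of the chain does not.
# - id:1001  : required by ModSecurity 2.7+; arbitrary local value (assumed).
# - addresses: 122.248.245.244 is paired with the jetmon UA in the audit log
#              on this page; 192.0.84.33 appears in error.log for the same rule
#              and is assumed to be the monitor too. Extend as needed.
SecRule REQUEST_HEADERS:User-Agent "@beginsWith jetmon/" \
    "id:1001,phase:1,pass,nolog,t:none,chain"
    SecRule REMOTE_ADDR "@ipMatch 122.248.245.244,192.0.84.33" \
        "t:none,ctl:ruleRemoveById=960015"

# Anti-pattern for comparison: 'allow' in phase 1 skips all remaining phases
# for the transaction, so every CRS rule is bypassed for matching requests,
# not just 960015. Do not use this form when the intent is a single-rule
# exclusion.
# SecRule REMOTE_ADDR "@ipMatch 122.248.245.244,192.0.84.33" \
#     "id:1001,phase:1,nolog,allow,ctl:ruleRemoveById=960015"
```

To check the behaviour, replay the monitor's request without an Accept header (curl adds `Accept: */*` by default, so it must be removed explicitly): `curl -I -H 'Accept:' -A 'jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)' http://www.randomhikes.com/`. From an address that is not on the list the chain fails and the response stays 403, which is the point of the @ipMatch: a User-Agent string is trivially spoofed, so a UA-only exclusion would let anyone skip the Accept-header check simply by claiming to be jetmon. Note also that the error.log entry shows a severity NOTICE rule denying with code 403 on its own, which means this CRS 2.2.9 install is running in traditional (self-contained) mode; in anomaly-scoring mode a single notice-level hit would not reach the blocking threshold, which is another, broader way to cut false positives of this kind.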