ModSecurity: Access denied with code 406 (phase 1)

by jobe jobe -
Number of replies: 4
Hello.
I'm getting the following block on a couple of sites that use Moodle:

[Sat Jul 31 13:03:16 2010] [error] [client 85.54.146.59] ModSecurity: Access
denied with code 406 (phase 1). Match of "rx
^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [id
"960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri
""] [unique_id "8ZJS6ECDSyoAAD7JhSQAAAAK"]
[Sat Jul 31 13:03:20 2010] [error] [client 85.54.146.59] ModSecurity: Access
denied with code 406 (phase 1). Match of "rx
^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "

This is really causing a problem.
Any ideas on how to stop this happening would be appreciated.
I have very little idea about Mod Security.
Thanks.
In reply to jobe jobe

Re: ModSecurity: Access denied with code 406 (phase 1)

by Emanuel Delgado -
Hello jobe,

Your ModSecurity policies prevent your Moodle from accepting some requests.

You can get more information about this configuration in
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/modsecurity-manual.html

ModSecurity has a debug mode that facilitates the debug procedure. It does not block, but it logs what would be blocked if the current policies were active. This way you can have your Moodle working, analyze the operations that will be blocked and correct the settings for ModSecurity, all before you actually activate the policies.

hth

ED
In reply to Emanuel Delgado

Re: ModSecurity: Access denied with code 406 (phase 1)

by jobe jobe -
Thanks for getting back to me Emanuel.

I'm an absolute amateur with this so I asked ConfigServer to install the ConfigServer ModSec Control & I got rid of the specific rule & then, on finding this wasn't working, turned off Mod Security for the two sites where this block was happening. So far so good.

Is it really necessary to have Mod Security on a server?
I get the impression the main reason for Mod Security is to protect against vulnerable scripts - so if I have Moodle up to date - & there's nothing else installed on that site, there doesn't seem to be a need for Mod Security? Is that right?

I have the ConfigServer firewall installed as well.

In reply to jobe jobe

Re: ModSecurity: Access denied with code 406 (phase 1)

by Emanuel Delgado -
Hello again,

In my opinion ModSecurity is an extra security measure that can be helpful protecting your Moodle.

It is not that hard to implement once you get the hang of it. Anyway, you don't need to turn it off; you can always set it to debug mode and analyze the logs to see what it is blocking. All you have to do after that is to set some rules according to that to allow what is Moodle related.

Of course, if you have your Moodle always up to date, it is pretty safe. But be aware, because there are a lot of updates!

hth

ED
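
The log analysis suggested in the reply above can be scripted. The following is an added example, not part of the original thread: it parses error-log lines in the format quoted here and counts matches per rule id, hostname and URI, separating blocked requests from log-only ones. The sample lines, client IPs, hostname and unique_id values are constructed, and the "Warning." prefix for non-blocking matches is an assumption about ModSecurity 2.x output.

```python
import re
from collections import Counter

# Constructed sample in the error-log format quoted in this thread
# (documentation IPs, placeholder hostname and unique_id values).
SAMPLE_LOG = r'''
[Mon Oct 18 10:02:34 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "moodle.example.org"] [uri "/file.php/86/database"] [unique_id "CONSTRUCTED-0001"]
[Mon Oct 18 10:02:40 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [uri ""] [unique_id "CONSTRUCTED-0002"]
[Mon Oct 18 10:05:01 2010] [error] [client 192.0.2.11] ModSecurity: Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "moodle.example.org"] [uri "/file.php/86/database"] [unique_id "CONSTRUCTED-0003"]
[Mon Oct 18 10:05:02 2010] [error] [client 192.0.2.11] File does not exist: /home/example/public_html/favicon.ico
'''

# "Access denied ..." = request was blocked; "Warning." = logged only (assumed
# to be how ModSecurity 2.x reports a match when the engine is not blocking).
HEAD = re.compile(r'\[client (?P<client>[^\]]+)\] ModSecurity: (?:Access denied '
                  r'with code (?P<code>\d+) \(phase (?P<phase>\d+)\)|Warning)\. ')
# Trailing metadata is a run of [key "value"] pairs; values may be empty.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return a dict for a ModSecurity error-log line, or None for other lines."""
    m = HEAD.search(line)
    if m is None:
        return None
    event = dict(TAG.findall(line, m.end()))
    event["client"] = m.group("client")
    event["blocked"] = m.group("code") is not None
    event["code"] = m.group("code")
    event["phase"] = m.group("phase")
    return event

def summarize(log_text):
    """Count matches per (rule id, hostname, uri, blocked) to guide rule tuning."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            key = (event.get("id", "?"), event.get("hostname", "-"),
                   event.get("uri", ""), event["blocked"])
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (rule, host, uri, blocked), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  id={rule}  host={host}  uri={uri or '(empty)'}  "
              f"{'BLOCKED' if blocked else 'log-only'}")
```

The error log does not record the request method itself, so for rule 960032 the summary only shows which sites and URIs are affected; the method that was rejected has to be read from the audit log or the access log.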
In reply to Emanuel Delgado

Re: ModSecurity: Access denied with code 406 (phase 1)

by alex sykes -

I've also experienced this - so much that my main client was denied access.

[Mon Oct 18 10:02:34 2010] [error] [client 212.11.173.106] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "36"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "www.conti-student.net"] [uri "/file.php/86/database"] [unique_id "TLwNKtWvwRAAAAkJiQUAAAAN"]

Can you suggest the changes necessary to the config file to permit necessary activities, please? As far as I can tell, it was a legal user attempting to perform a legal action.

Thanks,