client block - mod_security

by Alfredo Pineiro -
Number of replies: 1

Hi everyone

We're running Moodle 1.9.9 on a VPS on Knownhost. This week the IPs of a student's work laptop and home desktop got permanently blocked. Here are the details of the block:

Time:     Wed Dec 15 12:06:52 2010 -0500
IP:       xxx
Failures: 5 (mod_security)
Interval: 300 seconds
Blocked:  Permanent Block

Log entries:

[Wed Dec 15 12:06:49 2010] [error] [client xxx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.xxx.org"] [uri "/file.php/6/MDT303d_F10_CourseMaterials"] [unique_id "TQj1qc8HXHoAAC7ilXkAAAAL"]

I want to whitelist this student's IPs but need to be sure first that it's ok. We've had maybe 5 permanent blocks with this same detail over the course of this semester. This is the first one that happened to an actual enrolled student, though.

Our hosting server tech support said this:

The specified IP address was blocked since it triggered the mod_security rule 960032. The purpose of Mod_security is to increase web application security, protecting web applications from known and unknown attacks. But some rules may block the valid working of the applications.

You can check the mod_security settings from WHM >>Plugins >>Mod Security

Please let us know whether we can disable the specified rule 960032 and whitelist the IP address.


+++++++++++++++
csf.deny: xxx # lfd: 5 (mod_security) rule triggers from xxx(US/United States/xxx.dhcp.embarqhsd.net) in the last 300 secs - Sat Dec 18 20:04:55 2010

[Sat Dec 18 20:04:50 2010] [error] [client xxx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.xxx.org"] [uri "/file.php/6"] [unique_id "TQ1aMs8HXHoAAETsnn4AAAAH"]
++++++++++++++++

I would really appreciate any advice from my more talented tech brethren about this problem, and whether you think it's ok for me to disable this rule and whitelist the student's IPs?

Thanks in advance for any help.

best wishes, megan

In reply to Alfredo Pineiro

Re: client block - mod_security

by Matteo Scaramuccia -

Hi Megan,

960032 checks for "supposed legal" HTTP requests, i.e. using just the GET, POST, OPTIONS and HEAD methods, which actually are a superset of the method (GET) used to access file.php in a normal browser session.

IMHO it should not be disabled: it will be helpful to look at the logs to see what method(s) were used to access that URL, in order to be able to identify the reason why your supposed users are triggering such a rule, e.g. really a legal request or some sort of scanning.

HTH,

Matteo
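The reply above suggests checking the logs rather than disabling the rule. The following is an added example (written for this thread, not code from Moodle, ModSecurity or the CSF/lfd project) that helps with exactly that triage: it parses Apache error-log lines in the format shown in the posts, evaluates candidate request methods against the rule 960032 allow-list regex quoted in those lines, and counts rule hits per client IP in a sliding window to show how the "5 triggers in 300 seconds" threshold was reached. The host names, IP addresses, timestamps and unique IDs in the sample lines are constructed; the window and threshold values are taken from the block notices on the page and treated as an approximation of lfd's behaviour.

```python
"""Triage helper for ModSecurity "Method is not allowed" (rule 960032) blocks.

Added example for this thread, not Moodle or ModSecurity code. All sample log
lines are constructed; the 5-hits-in-300-seconds threshold mirrors the lfd
notice quoted in the thread and is only an approximation of lfd's own logic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The allow-list pattern quoted from rule 960032: REQUEST_METHOD must match it.
ALLOWED_METHOD_RE = re.compile(r"^((?:(?:POS|GE)T|OPTIONS|HEAD))$")

# Leading part of every ModSecurity error-log message (Apache 2.2 format).
HEADER_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: Access denied with code (?P<code>\d+) \(phase (?P<phase>\d+)\)'
)
# Trailing [key "value"] fields: file, line, id, msg, severity, tag, hostname, uri, unique_id.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_modsec_line(line):
    """Return a dict of the useful fields, or None for lines that are not ModSecurity denials."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    entry = {
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "client": m.group("client"),
        "code": int(m.group("code")),
        "phase": int(m.group("phase")),
    }
    entry.update(FIELD_RE.findall(line))
    return entry


def method_allowed(method):
    """True if the request method would pass the rule's allow-list (case-sensitive, as @rx is)."""
    return ALLOWED_METHOD_RE.match(method) is not None


def max_hits_in_window(entries, rule_id="960032", window=timedelta(seconds=300)):
    """Map each client IP to the largest number of rule_id hits inside any window-length span."""
    times = defaultdict(list)
    for e in entries:
        if e is not None and e.get("id") == rule_id:
            times[e["client"]].append(e["time"])
    result = {}
    for client, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):          # two-pointer sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[client] = best
    return result


def clients_over_threshold(entries, threshold=5, **window_kwargs):
    """Client IPs that would have tripped the lfd-style threshold (sorted for stable output)."""
    hits = max_hits_in_window(entries, **window_kwargs)
    return sorted(c for c, n in hits.items() if n >= threshold)


# Constructed sample log: same message shape as in the thread, with placeholder hosts/IPs.
_TEMPLATE = (
    '[{ts}] [error] [client {client}] ModSecurity: Access denied with code 501 (phase 2). '
    'Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. '
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] '
    '[msg "Method is not allowed by policy"] [severity "CRITICAL"] '
    '[tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.example.org"] [uri "{uri}"] '
    '[unique_id "{uid}"]'
)


def _line(ts, client, uri, uid):
    return _TEMPLATE.format(ts=ts, client=client, uri=uri, uid=uid)


SAMPLE_LOG = [
    "[Wed Dec 15 11:00:00 2010] [notice] Apache/2.2 configured -- resuming normal operations",
    _line("Wed Dec 15 11:00:05 2010", "203.0.113.7", "/file.php/6", "CONSTRUCTED01"),
    _line("Wed Dec 15 12:06:49 2010", "203.0.113.7", "/file.php/6/CourseMaterials", "CONSTRUCTED02"),
    _line("Wed Dec 15 12:06:50 2010", "203.0.113.7", "/file.php/6/CourseMaterials", "CONSTRUCTED03"),
    _line("Wed Dec 15 12:06:51 2010", "203.0.113.7", "/file.php/6/CourseMaterials", "CONSTRUCTED04"),
    _line("Wed Dec 15 12:06:52 2010", "203.0.113.7", "/file.php/6/CourseMaterials", "CONSTRUCTED05"),
    _line("Wed Dec 15 12:07:10 2010", "203.0.113.7", "/file.php/6/CourseMaterials", "CONSTRUCTED06"),
    _line("Sat Dec 18 20:04:50 2010", "198.51.100.9", "/file.php/6", "CONSTRUCTED07"),
    _line("Sat Dec 18 20:04:55 2010", "198.51.100.9", "/file.php/6", "CONSTRUCTED08"),
]


if __name__ == "__main__":
    entries = [parse_modsec_line(l) for l in SAMPLE_LOG]
    for client, n in max_hits_in_window(entries).items():
        print(f"{client}: up to {n} hits of 960032 in 300 s")
    print("would be blocked:", clients_over_threshold(entries))
```

Note that the error-log message records which rule fired and on which URI, but not the offending method itself. To see the actual method (and the rest of the request line) you need ModSecurity's audit log, which stores the request line in its request-headers section; enabling it for relevant (status 501) transactions is the quickest way to answer Matteo's question of whether the student's client is sending something unusual or whether a scanner shares that address.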