Hi everyone
We're running Moodle 1.9.9 on a VPS on Knownhost. This week the IPs of a student's work laptop and home desktop got permanently blocked. Here are the details of the block:
Time: Wed Dec 15 12:06:52 2010 -0500
IP: xxx
Failures: 5 (mod_security)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
[Wed Dec 15 12:06:49 2010] [error] [client xxx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.xxx.org"] [uri "/file.php/6/MDT303d_F10_CourseMaterials"] [unique_id "TQj1qc8HXHoAAC7ilXkAAAAL"]
I want to whitelist this student's IPs but need to be sure first it's ok. We've had maybe 5 permanent blocks with this same detail over the course of this semester. This is the first one that happened to an actual enrolled student though.
Our hosting server tech support said this:
The specified IP address was blocked since it triggered the mod_security rule 960032. The purpose of Mod_security is to increase web application security, protecting web applications from known and unknown attacks. But some rules may block the valid working of the applications.
You can check the mod_security settings from WHM >> Plugins >> Mod Security
Please let us know whether we can disable the specified rule 960032 and whitelist the IP address.
+++++++++++++++
csf.deny: xxx # lfd: 5 (mod_security) rule triggers from xxx(US/United States/xxx.dhcp.embarqhsd.net) in the last 300 secs - Sat Dec 18 20:04:55 2010
[Sat Dec 18 20:04:50 2010] [error] [client xxx] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "www.xxx.org"] [uri "/file.php/6"] [unique_id "TQ1aMs8HXHoAAETsnn4AAAAH"]
++++++++++++++++
I would really appreciate any advice from my more talented tech brethren about this problem and whether you think it's ok for me to disable this rule and whitelist the student's IPs?
Thanks in advance for any help.
best wishes, megan
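
Added example, not part of the original post or of the host's tooling: a Python script that parses ModSecurity denial lines in the format quoted above and lists which clients reach the reported threshold (5 failures in 300 seconds), along with the rule ids and URIs involved, so an admin can review what was denied before whitelisting. The threshold logic is an assumed approximation of the lfd trigger, and the sample lines and 203.0.113.x addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields taken from the log format shown in the post: timestamp, client, rule id, uri.
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] ModSecurity: '
    r'.*?\[id "(?P<rule>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]')

def parse(line):
    """Return (time, ip, rule id, uri) for a ModSecurity denial, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["ip"], m["rule"], m["uri"]

def would_block(lines, failures=5, interval=300):
    """Clients with `failures` denials inside `interval` seconds (assumed
    approximation of the lfd trigger reported in the block notice)."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        hits[rec[1]].append(rec)
    flagged = {}
    window = timedelta(seconds=interval)
    for ip, recs in hits.items():
        recs.sort()
        for i in range(len(recs) - failures + 1):
            if recs[i + failures - 1][0] - recs[i][0] <= window:
                flagged[ip] = {"rules": sorted({r[2] for r in recs}),
                               "uris": sorted({r[3] for r in recs})}
                break
    return flagged

def _line(ts, ip, uri):
    # Constructed sample entry; 203.0.113.x are documentation addresses.
    return (f'[{ts}] [error] [client {ip}] ModSecurity: Access denied with code 501 '
            f'(phase 2). [file "modsec2.user.conf"] [line "38"] [id "960032"] '
            f'[msg "Method is not allowed by policy"] [uri "{uri}"]')

SAMPLE = [_line(f"Wed Dec 15 12:06:4{s} 2010", "203.0.113.7", "/file.php/6") for s in range(5)]
SAMPLE += [_line("Wed Dec 15 12:10:00 2010", "203.0.113.9", "/file.php/6")] * 2
SAMPLE.append("[Wed Dec 15 12:11:00 2010] [notice] caught SIGTERM, shutting down")

if __name__ == "__main__":
    print(would_block(SAMPLE))
```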