security2_module for apache is causing the “Forbidden You don't have permission to access / on this server” message

VaTo asked:

I installed the security2 module to my apache server by adding these following lines to my httpd.conf:

<IfModule security2_module>
    Include crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include crs/owasp-modsecurity-crs/base_rules/*.conf

When I want to access my server via http I get the message: “Forbidden You don't have permission to access / on this server

Then I went to that module log and I see the following error:

GET / HTTP/1.1
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6,da;q=0.4

HTTP/1.1 403 Forbidden
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 202
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1


Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data ""] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag ""]
Action: Intercepted (phase 2)
Stopwatch: 1435777069259012 1803 (- - -)
Stopwatch2: 1435777069259012 1803; combined=768, p1=644, p2=93, p3=0, p4=0, p5=30, sr=382, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (; OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"

I’m assuming that there’s something that is not configured well with this module. Any help is appreciated.

My answer:

Looks like mod_security is working perfectly. It blocked the request because the Host header only contained an IP address, which is what this rule is meant to do.

You should be using an actual hostname to refer to your web site, in production. It’s also a good idea in development too, but if you need to use an IP address in development you can always disable that rule.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.