I installed the security2 module on my Apache server by adding the following lines to my httpd.conf:
    <IfModule security2_module>
        Include crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
        Include crs/owasp-modsecurity-crs/base_rules/*.conf
    </IfModule>
When I want to access my server via http I get the message: “Forbidden You don't have permission to access / on this server”
Then I went to that module log and I see the following error:
    --72348f1e-B--
    GET / HTTP/1.1
    Host: 220.127.116.11
    Connection: keep-alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: en-US,en;q=0.8,es;q=0.6,da;q=0.4
    --72348f1e-F--
    HTTP/1.1 403 Forbidden
    Strict-Transport-Security: max-age=63072000; includeSubDomains
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 202
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    --72348f1e-E--
    --72348f1e-H--
    Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "18.104.22.168"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
    Action: Intercepted (phase 2)
    Stopwatch: 1435777069259012 1803 (- - -)
    Stopwatch2: 1435777069259012 1803; combined=768, p1=644, p2=93, p3=0, p4=0, p5=30, sr=382, sw=1, l=0, gc=0
    Response-Body-Transformed: Dechunked
    Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
    Server: Apache
    Engine-Mode: "ENABLED"
I’m assuming that there’s something that is not configured well with this module. Any help is appreciated.
Looks like mod_security is working perfectly. It blocked the request because the Host header only contained an IP address, which is what this rule is meant to do.
You should be using an actual hostname to refer to your web site, in production. It’s also a good idea in development too, but if you need to use an IP address in development you can always disable that rule.
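Reading the audit log entry the way the answer does, as an added example that is not part of the original posts: part B holds the request, and the Message line in part H names the rule (id, msg, file, line) that produced the 403. The sample entry is constructed from the one in the question, shortened and with a documentation IP address; the function names are this example's own.

```python
import re

# Constructed sample: a shortened audit log entry in the same native format
# as the one in the question (192.0.2.10 is a documentation address).
SAMPLE = r'''--72348f1e-B--
GET / HTTP/1.1
Host: 192.0.2.10

--72348f1e-F--
HTTP/1.1 403 Forbidden

--72348f1e-H--
Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.0.2.10"] [severity "WARNING"]
Action: Intercepted (phase 2)

--72348f1e-Z--
'''

BOUNDARY = re.compile(r'^--([0-9a-fA-F]+)-([A-Z])--$')   # e.g. --72348f1e-H--
META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # e.g. [id "960017"]

def split_sections(entry):
    """Map each part letter (B, F, H, ...) to the list of lines in that part."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = sections.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return sections

def blocked_by(entry):
    """Return one dict per rule message in part H, plus the request's Host header."""
    parts = split_sections(entry)
    host = next((l.split(":", 1)[1].strip() for l in parts.get("B", [])
                 if l.lower().startswith("host:")), None)
    intercepted = any(l.startswith("Action: Intercepted") for l in parts.get("H", []))
    hits = []
    for line in parts.get("H", []):
        if line.startswith("Message:"):
            meta = dict(META.findall(line))   # a repeated key (e.g. tag) keeps its last value
            meta.update(host=host, intercepted=intercepted)
            hits.append(meta)
    return hits

if __name__ == "__main__":
    for hit in blocked_by(SAMPLE):
        print(hit["id"], hit["msg"], "| Host:", hit["host"], "| blocked:", hit["intercepted"])
```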
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.