Bug
Resolution: Unresolved
Critical
When mod_security is installed we get the following in the log and it prevents any form of communication with mod_proxy_cluster!
[Wed Sep 01 10:20:11.741498 2021] [:error] [pid 3716:tid 3884] [client 10.0.137.62:34546] [client 10.0.137.62] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "INFO"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "10.0.137.62"] [uri "/"] [unique_id "YS-MG6cz_QGO1Q2DlrY6dQAAAEI"]
[Wed Sep 01 10:20:11.741617 2021] [:error] [pid 3716:tid 3884] [client 10.0.137.62:34546] [client 10.0.137.62] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "10.0.137.62:8747"] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "10.0.137.62"] [uri "/"] [unique_id "YS-MG6cz_QGO1Q2DlrY6dQAAAEI"]
[Wed Sep 01 10:20:11.741948 2021] [:error] [pid 3716:tid 3884] [client 10.0.137.62:34546] [client 10.0.137.62] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.0.137.62"] [uri "/"] [unique_id "YS-MG6cz_QGO1Q2DlrY6dQAAAEI"]
In mod_security2 the default was to allow all, but it looks like that has changed.
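
Added example (not part of the original report, and not code from ModSecurity, the CRS or mod_proxy_cluster): a Python triage script that groups ModSecurity entries by unique_id and recomputes the anomaly score, to show which rule hits add up to the total that rule 949110 blocks on. The per-severity scores are the CRS 3.x defaults and are an assumption about this installation; the sample lines are abridged from the log above.

```python
import re
from collections import defaultdict

# Assumption: CRS 3.x default anomaly scores per severity (crs-setup.conf not customised).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
TOTAL = re.compile(r"Total Score: (\d+)")

# Constructed sample: the three entries from the report, abridged to the fields used here.
SAMPLE = r'''
[Wed Sep 01 10:20:11.741498 2021] [:error] [client 10.0.137.62:34546] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [id "911100"] [msg "Method is not allowed by policy"] [data "INFO"] [severity "CRITICAL"] [uri "/"] [unique_id "YS-MG6cz_QGO1Q2DlrY6dQAAAEI"]
[Wed Sep 01 10:20:11.741617 2021] [:error] [client 10.0.137.62:34546] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [data "10.0.137.62:8747"] [severity "WARNING"] [uri "/"] [unique_id "YS-MG6cz_QGO1Q2DlrY6dQAAAEI"]
[Wed Sep 01 10:20:11.741948 2021] [:error] [client 10.0.137.62:34546] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [uri "/"] [unique_id "YS-MG6cz_QGO1Q2DlrY6dQAAAEI"]
'''

def triage(log_text):
    """Group ModSecurity entries by unique_id and recompute each request's score."""
    requests = defaultdict(lambda: {"hits": [], "reported": None, "blocked": False})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        f = dict(FIELD.findall(line))
        req = requests[f.get("unique_id", "?")]
        total = TOTAL.search(f.get("msg", ""))
        if total:
            # Blocking-evaluation entry: reports the total, contributes no score itself.
            req["reported"] = int(total.group(1))
            req["blocked"] = "Access denied" in line
        else:
            req["hits"].append((f.get("id"), f.get("severity"), f.get("data"), f.get("msg")))
    for req in requests.values():
        req["computed"] = sum(SEVERITY_SCORE.get(sev, 0) for _, sev, _, _ in req["hits"])
    return dict(requests)

if __name__ == "__main__":
    for uid, req in triage(SAMPLE).items():
        print(uid, "blocked" if req["blocked"] else "passed",
              f"reported={req['reported']} computed={req['computed']}")
        for rule_id, sev, data, msg in req["hits"]:
            print(f"  {rule_id} +{SEVERITY_SCORE.get(sev, 0)} {msg} (data: {data})")
```

If the computed and reported totals disagree, either the scores were customised or some rule hits for that unique_id are missing from the log excerpt.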