Modsecurity error 406 and "GET HTTP/1" in logs

flexjoly (Verified User, joined Nov 2, 2016, Apeldoorn, Netherlands)
Hi,

Last week we installed a new server with the latest centos7/directadmin/CB2 with nginx-apache and php7.2.

HTTPS, SSL, IPv6, everything works nicely, except HTTP/2.
ModSecurity gives a 406 error because it wants HTTP/2.

We have formatted and reinstalled the server, but the error keeps coming back.
We really don't know what is wrong or how to fix it.

Error in log:
Code:
2017/12/06 23:41:37 [error] 15247#0: [client 178.84.29.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "37.97.216.114"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname ""] [uri "/squirrelmail/src/login.php"] [unique_id "AVAcAcAcAcJqAcQ0AsAcAcAc"]

Access log from nginx/apache
Code:
178.84.29.178 - - [06/Dec/2017:23:41:37 +0100] "GET /squirrelmail/src/login.php HTTP/1.1" 406 574 "http://37.97.216.114/squirrelmail/src/redirect.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 OPR/49.0.2725.47"
178.84.29.178 - - [06/Dec/2017:23:11:41 +0100] "GET / HTTP/1.0" 200 2764 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 OPR/49.0.2725.47"

Why does it not say 'GET ... HTTP/2' in the logs?

Directadmin.conf
Code:
SSL=1
addip=/usr/local/directadmin/scripts/addip
admin_helper=admin.site-helper.com
admindir=./data/admin
apache_public_html=0
apache_ver=2.0
apachecert=/etc/httpd/conf/ssl.crt/server.crt
apacheconf=/etc/httpd/conf/extra/directadmin-vhosts.conf
apacheips=/etc/httpd/conf/ips.conf
apachekey=/etc/httpd/conf/ssl.key/server.key
apachelogdir=/var/log/httpd/domains
apachemimetypes=/etc/mime.types
brute_force_log_scanner=1
brute_force_scan_apache_logs=0
brute_force_time_limit=12000
brutecount=10
bruteforce=1
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
check_partitions=2
check_subdomain_owner=0
clear_blacklist_ip_time=0
clear_brute_log_entry_time=4
clear_brute_log_time=24
cloud_cache=0
demodocsroot=./data/skins/enhanced
docsroot=./data/skins/enhanced
dovecot=1
emailspoolvirtual=/var/spool/virtual
emailvirtual=/etc/virtual
enforce_difficult_passwords=1
ethernet_dev=eth0
exempt_local_block=1
frontpage_on=0
ftpconfig=/etc/proftpd.conf
ftppasswd=/etc/proftpd.passwd
ftpvhosts=/etc/proftpd.vhosts.conf
ip_brutecount=100
ipv6=1
license=/usr/local/directadmin/conf/license.key
litespeed=0
log_rotate_size=5
logdir=/var/log/directadmin
logger=/usr/local/directadmin/logger
loghostname=0
login_history=10
logs_to_keep=9
lost_password=0
max_per_email_send_limit=-1
max_username_length=10
maxfilesize=10485760
mysqlconf=/usr/local/directadmin/conf/mysql.conf
namedconfig=/etc/named.conf
nameddir=/var/named
nginx=0
nginx_proxy=1
ns1=ns0.transip.nl
ns2=ns1.transip.net
numservers=5
owsadm=/usr/local/frontpage/version5.0/bin/owsadm.exe
partition_usage_threshold=95
port=2222
pureftp=1
purge_spam_days=0
quota_partition=/
removeip=/usr/local/directadmin/scripts/removeip
reseller_helper=reseller.site-helper.com
secure_access_group=access
servername=vps1.rhinestone77.nl
serverpath=/usr/local/directadmin
session_minutes=60
skinsdir=./data/skins
sshdconfig=/etc/ssh/sshd_config
ssl_cipher=HIGH:!aNULL:!MD5
taskqueue=/usr/local/directadmin/data/task.queue
templates=/usr/local/directadmin/data/templates
ticketsdir=/usr/local/directadmin/data/tickets
timeout=60
tmpdir=../../../home/tmp
unified_ftp_password_file=1
user_brutecount=100
user_can_set_email_limit=0
user_helper=www.site-helper.com
userdata=./data/users
user_can_select_skin=1
fm_file_permissions=644
fm_dir_permissons=755
global_httpd_tokens=/usr/local/directadmin/data/admin/global_httpd_tokens.conf
letsencrypt=1
enable_ssl_sni=1
default_private_html_link=1
dkim=1
dns_tlsa=1
http2=1
awstats=1
webalizer=1
hide_brute_force_notifications=1
add_userdb_quota=1

Custombuild options:
Code:
Executing /usr/local/directadmin/plugins/custombuild/admin/build options.
Apache: 2.4.29
Nginx (reverse proxy): 1.13.6
mod_ruid2: no
ModSecurity: 2.9.0
ModSecurity Rule Set: owasp
htscanner: no
Dovecot: 2.2.33.2
Dovecot configuration: yes
AWstats: 7.6
Exim: 4.89.1
exim.conf update: yes, release 4.5
BlockCracking: yes
Easy Spam Fighter: yes
SpamAssassin: 3.4.1
SpamAssassin rule updates: daily
ClamAV: 0.99.2
MariaDB: 10.2.11
MySQL backup: yes
MySQL backup directory: /usr/local/directadmin/custombuild/mysql_backups
MySQL compress backups: no
PHP (default): 7.2 as php-fpm
phpMyAdmin: 4.7.6-all-languages
ProFTPD: no
Pure-FTPd: 1.0.47
RoundCube webmail: 1.3.3
Replace "php.ini" with '/usr/local/directadmin/custombuild/build all' and '/usr/local/directadmin/custombuild/build php_ini': yes
Replace "php.ini" using type: production
Cron for notifications and (or) updates: yes
Cron frequency: daily
Auto notifications: yes
Auto notifications email address: [email protected]
Auto updates: yes
Run "clean" every time: yes
Run "clean_old_webapps" every time: yes
Run "clean_old_tarballs" every time: yes
Show texts in bold: yes
SquirrelMail: 1.4.23-20170731_0200
Zend Guard Loader: no
ionCube loader: no
Suhosin: no

How can we fix this?
Otherwise we have to disable ModSecurity....


Thanks in advance, Lydia
 
Oops, then I posted the wrong line from the log.

The error is:
Code:
Message: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/2.0"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]

But my boss is giving me no more time at the moment to search for a fix :(
So for now I have to shut down ModSecurity :-(

But if anyone knows a quick fix, I would be very glad to hear it.

Greetz, Lydia
 
I guess you need to modify line 78 in /etc/modsecurity.d/modsecurity_crs_30_http_policy.conf and take care to protect your changes.
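A way to get the same result without editing line 78 of the CRS rule file (which CustomBuild may overwrite on the next rules update) is to override the protocol whitelist that rule 960034 reads. This is an added example, not code from the thread or from DirectAdmin. It assumes the OWASP CRS 2.2.9 setup file sets tx.allowed_http_versions in a phase-1 SecAction (rule id 900012 in modsecurity_crs_10_setup.conf), that Apache includes /etc/modsecurity.d/*.conf in filename order so a file named zz_... is loaded after the setup file, and that rule id 199999 is free; the directory, file name and id are assumptions you should check against your own include configuration.

```shell
#!/bin/sh
# Added example (not from the thread or DirectAdmin): extend the CRS 2.2.9
# HTTP-version whitelist so rule 960034 accepts HTTP/2.0 without touching
# the CRS files themselves.
# Assumptions (verify locally): CRS 2.2.9 sets tx.allowed_http_versions in a
# phase-1 SecAction (id 900012, modsecurity_crs_10_setup.conf); Apache includes
# /etc/modsecurity.d/*.conf in filename order, so "zz_" sorts after the setup
# file; rule id 199999 is not used by any loaded rule.
MODSEC_DIR="${MODSEC_DIR:-/etc/modsecurity.d}"
OVERRIDE_FILE="zz_local_allow_http2.conf"

# Emit the override: a phase-1 SecAction that re-sets tx.allowed_http_versions
# with HTTP/2.0 appended. Because it is loaded after the CRS setup action it
# runs later within phase 1; rule 960034 evaluates the variable in phase 2,
# so it sees the extended list. Nothing else about the rule is relaxed.
override_conf() {
    cat <<'EOF'
# Local override, loaded after the OWASP CRS 2.2.9 setup file.
# Adds HTTP/2.0 to the protocol whitelist consumed by rule 960034.
SecAction \
  "id:'199999', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2.0', \
  nolog, \
  pass"
EOF
}

# Write the override into MODSEC_DIR and print the resulting path.
install_override() {
    mkdir -p "$MODSEC_DIR"
    override_conf > "$MODSEC_DIR/$OVERRIDE_FILE"
    printf '%s\n' "$MODSEC_DIR/$OVERRIDE_FILE"
}

# Syntax-check the Apache configuration before reloading; returns 1 if the
# httpd binary is not on PATH (e.g. when run on a workstation).
check_apache() {
    command -v httpd >/dev/null 2>&1 || return 1
    httpd -t
}

# Usage on the server:
#   sh allow_http2.sh install && systemctl reload httpd
if [ "${1:-}" = "install" ]; then
    install_override
    check_apache && echo "apache config OK, reload httpd to apply"
fi
```

Prefer this over `SecRuleRemoveById 960034`: removing the rule drops the protocol-version check entirely, while the override keeps it and only adds the one version you actually serve. After reloading, confirm in the ModSecurity log that id 960034 no longer fires for requests whose data field shows HTTP/2.0.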
 
Hi,

That would indeed get rid of the error, but we still get 'HTTP/1.0' in our logs instead of HTTP/2.

I can't find what I am doing wrong. Also https://http2.pro/ tells us that our sites don't work on HTTP/2. It cannot even connect to our sites :(

At the moment I cannot test anything, because I am still busy reinstalling the server. Otherwise I would try to give more details. And for now I am not allowed to dive into it anymore, but I do hope someone has a solution. Otherwise I will dive into it later. :-(

Greetz, Lydia
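Two checks that separate "HTTP/2 is not negotiated at all" from "HTTP/2 is negotiated at the edge but the log being read belongs to the backend". This is an added example, not code from the thread; the log lines inside it are constructed (modelled on the two lines posted above, with addresses changed), and the host passed to alpn_check is assumed to be a TLS listener you are entitled to probe. With nginx proxying to Apache, nginx talks to the backend over HTTP/1.0 by default (HTTP/1.1 only with `proxy_http_version 1.1;`), so the backend's access log cannot show HTTP/2.0 even when browsers negotiate h2 with nginx; only the edge log, or ALPN on the wire, shows that.

```shell
#!/bin/sh
# Added example (not from the thread): diagnostics for "HTTP/2 is enabled but
# the logs say HTTP/1.0 or HTTP/1.1". Assumptions: combined log format as in
# the thread; the host given to alpn_check is one you may probe.

# Tally the protocol token of each request line ("GET /path HTTP/x").
# With nginx in front of Apache, nginx negotiates HTTP/2 with the browser but
# speaks HTTP/1.0 to the backend unless proxy_http_version 1.1 is set, so a
# backend log only ever shows HTTP/1.x; only the edge log can show HTTP/2.0.
log_protocols() {
    # The request line is the quoted field after the timestamp.
    awk -F'"' '{ split($2, r, " "); p = r[3]; if (p == "") p = "(none)"; n[p]++ }
               END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# Offer ALPN "h2" during the TLS handshake and report what the server chose.
# openssl s_client prints "ALPN protocol: h2" when HTTP/2 is negotiated and
# "No ALPN negotiated" when the listener has no http2 support enabled.
alpn_check() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -alpn h2 \
        </dev/null 2>/dev/null \
        | awk -F': ' '/^ALPN protocol/ { print $2; found=1 }
                      /No ALPN negotiated/ { print "none"; found=1 }
                      END { if (!found) print "unknown" }'
}

# Constructed sample lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG='203.0.113.10 - - [06/Dec/2017:23:41:37 +0100] "GET /squirrelmail/src/login.php HTTP/1.1" 406 574 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Dec/2017:23:11:41 +0100] "GET / HTTP/1.0" 200 2764 "-" "Mozilla/5.0"
203.0.113.11 - - [06/Dec/2017:23:12:00 +0100] "GET / HTTP/2.0" 200 2764 "-" "Mozilla/5.0"'

# Usage: sh h2check.sh                -> tally protocols in the sample log
#        sh h2check.sh example.org    -> live ALPN probe of example.org:443
if [ $# -ge 1 ]; then
    echo "ALPN negotiated with $1: $(alpn_check "$1" "${2:-443}")"
else
    printf '%s\n' "$SAMPLE_LOG" | log_protocols
fi
```

Run `log_protocols` against both the nginx access log and the Apache domain log: if the edge log shows HTTP/2.0 and the backend log only HTTP/1.0, HTTP/2 is working and the log being read is simply the wrong one. If `alpn_check` reports "none", the TLS listener itself is not offering h2, which is consistent with an external tester failing to connect over HTTP/2.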
 