Thread: Modsecurity error 406 and "GET HTTP/1" in logs

  1. #1
    Join Date
    Nov 2016
    Location
    Apeldoorn, Netherlands
    Posts
    39

    Modsecurity error 406 and "GET HTTP/1" in logs

    Hi,

    Last week we installed a new server with the latest centos7/directadmin/CB2 with nginx-apache and php7.2.

    https, ssl, ipv6 everything works nice, except http/2.
    Modsecurity gives a 406 error because it wants http/2.

    We have formatted/reinstalled the server, but the error keeps coming back.
    We really don't know what is wrong or how to fix it.

    Error in log:
    Code:
    2017/12/06 23:41:37 [error] 15247#0: [client 178.84.29.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "37.97.216.114"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname ""] [uri "/squirrelmail/src/login.php"] [unique_id "AVAcAcAcAcJqAcQ0AsAcAcAc"]
    Access log from nginx/apache
    Code:
    178.84.29.178 - - [06/Dec/2017:23:41:37 +0100] "GET /squirrelmail/src/login.php HTTP/1.1" 406 574 "http://37.97.216.114/squirrelmail/src/redirect.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 OPR/49.0.2725.47"
    178.84.29.178 - - [06/Dec/2017:23:11:41 +0100] "GET / HTTP/1.0" 200 2764 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 OPR/49.0.2725.47"
    Why does it not say 'get http/2' in the logs?

    Directadmin.conf
    Code:
    SSL=1
    addip=/usr/local/directadmin/scripts/addip
    admin_helper=admin.site-helper.com
    admindir=./data/admin
    apache_public_html=0
    apache_ver=2.0
    apachecert=/etc/httpd/conf/ssl.crt/server.crt
    apacheconf=/etc/httpd/conf/extra/directadmin-vhosts.conf
    apacheips=/etc/httpd/conf/ips.conf
    apachekey=/etc/httpd/conf/ssl.key/server.key
    apachelogdir=/var/log/httpd/domains
    apachemimetypes=/etc/mime.types
    brute_force_log_scanner=1
    brute_force_scan_apache_logs=0
    brute_force_time_limit=12000
    brutecount=10
    bruteforce=1
    cacert=/usr/local/directadmin/conf/cacert.pem
    cakey=/usr/local/directadmin/conf/cakey.pem
    check_partitions=2
    check_subdomain_owner=0
    clear_blacklist_ip_time=0
    clear_brute_log_entry_time=4
    clear_brute_log_time=24
    cloud_cache=0
    demodocsroot=./data/skins/enhanced
    docsroot=./data/skins/enhanced
    dovecot=1
    emailspoolvirtual=/var/spool/virtual
    emailvirtual=/etc/virtual
    enforce_difficult_passwords=1
    ethernet_dev=eth0
    exempt_local_block=1
    frontpage_on=0
    ftpconfig=/etc/proftpd.conf
    ftppasswd=/etc/proftpd.passwd
    ftpvhosts=/etc/proftpd.vhosts.conf
    ip_brutecount=100
    ipv6=1
    license=/usr/local/directadmin/conf/license.key
    litespeed=0
    log_rotate_size=5
    logdir=/var/log/directadmin
    logger=/usr/local/directadmin/logger
    loghostname=0
    login_history=10
    logs_to_keep=9
    lost_password=0
    max_per_email_send_limit=-1
    max_username_length=10
    maxfilesize=10485760
    mysqlconf=/usr/local/directadmin/conf/mysql.conf
    namedconfig=/etc/named.conf
    nameddir=/var/named
    nginx=0
    nginx_proxy=1
    ns1=ns0.transip.nl
    ns2=ns1.transip.net
    numservers=5
    owsadm=/usr/local/frontpage/version5.0/bin/owsadm.exe
    partition_usage_threshold=95
    port=2222
    pureftp=1
    purge_spam_days=0
    quota_partition=/
    removeip=/usr/local/directadmin/scripts/removeip
    reseller_helper=reseller.site-helper.com
    secure_access_group=access
    servername=vps1.rhinestone77.nl
    serverpath=/usr/local/directadmin
    session_minutes=60
    skinsdir=./data/skins
    sshdconfig=/etc/ssh/sshd_config
    ssl_cipher=HIGH:!aNULL:!MD5
    taskqueue=/usr/local/directadmin/data/task.queue
    templates=/usr/local/directadmin/data/templates
    ticketsdir=/usr/local/directadmin/data/tickets
    timeout=60
    tmpdir=../../../home/tmp
    unified_ftp_password_file=1
    user_brutecount=100
    user_can_set_email_limit=0
    user_helper=www.site-helper.com
    userdata=./data/users
    user_can_select_skin=1
    fm_file_permissions=644
    fm_dir_permissons=755
    global_httpd_tokens=/usr/local/directadmin/data/admin/global_httpd_tokens.conf
    letsencrypt=1
    enable_ssl_sni=1
    default_private_html_link=1
    dkim=1
    dns_tlsa=1
    http2=1
    awstats=1
    webalizer=1
    hide_brute_force_notifications=1
    add_userdb_quota=1
    Custombuild options:
    Code:
    Executing /usr/local/directadmin/plugins/custombuild/admin/build options.
    Apache: 2.4.29
    Nginx (reverse proxy): 1.13.6
    mod_ruid2: no
    ModSecurity: 2.9.0
    ModSecurity Rule Set: owasp
    htscanner: no
    Dovecot: 2.2.33.2
    Dovecot configuration: yes
    AWstats: 7.6
    Exim: 4.89.1
    exim.conf update: yes, release 4.5
    BlockCracking: yes
    Easy Spam Fighter: yes
    SpamAssassin: 3.4.1
    SpamAssassin rule updates: daily
    ClamAV: 0.99.2
    MariaDB: 10.2.11
    MySQL backup: yes
    MySQL backup directory: /usr/local/directadmin/custombuild/mysql_backups
    MySQL compress backups: no
    PHP (default): 7.2 as php-fpm
    phpMyAdmin: 4.7.6-all-languages
    ProFTPD: no
    Pure-FTPd: 1.0.47
    RoundCube webmail: 1.3.3
    Replace "php.ini" with '/usr/local/directadmin/custombuild/build all' and '/usr/local/directadmin/custombuild/build php_ini': yes
    Replace "php.ini" using type: production
    Cron for notifications and (or) updates: yes
    Cron frequency: daily
    Auto notifications: yes
    Auto notifications email address: email@domain.com
    Auto updates: yes
    Run "clean" every time: yes
    Run "clean_old_webapps" every time: yes
    Run "clean_old_tarballs" every time: yes
    Show texts in bold: yes
    SquirrelMail: 1.4.23-20170731_0200
    Zend Guard Loader: no
    ionCube loader: no
    Suhosin: no
    How can we fix this?
    Else we have to disable modsecurity....


    Thanks in advance, Lydia

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,400
    Hello,

    It has nothing to do with HTTP/1 or HTTP/2 at all. It says:

    _Host header is a numeric IP address_
    So try and access SquirrelMail not as http://37.97.216.114/squirrelmail
    This way it opens without an error: http://vps1.rhinestone77.nl/squirrelmail/

  3. #3
    Join Date
    Nov 2016
    Location
    Apeldoorn, Netherlands
    Posts
    39
    Oops, then I posted the wrong line in the log.

    The error is:
    Code:
    Message: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/2.0"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]
    But my boss gives me no time anymore at the moment to search for a fix.
    So for now I have to shut down modsecurity :-(

    But if anyone knows a quick fix, I would be very glad to hear it.

    Greetz, Lydia

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,400
    I guess you need to modify line 78 in /etc/modsecurity.d/modsecurity_crs_30_http_policy.conf and take care to protect your changes.

  5. #5
    Join Date
    Nov 2016
    Location
    Apeldoorn, Netherlands
    Posts
    39
    Hi,

    That would disable the error indeed, but then we still get 'http/1.0' in our logs instead of http2.

    I can't find what I am doing wrong. Also https://http2.pro/ tells us that our sites don't work on http2. It even cannot connect to our sites.

    At the moment I cannot test anything, because I am still busy re-installing the server. Else I would try to give more details. And for now I am not allowed to dive into it anymore, but I do hope someone has a solution. Else I will dive into it later. :-(

    Greetz, Lydia

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,400
    The test gives: https://http2.pro/check?url=https%3A...inestone77.nl/

    HTTP/2 supported!
    As far as I can see the test of REQUEST_PROTOCOL fails because of the fact that you use HTTP/2 and not vice versa:

    Code:
    [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/2.0"] 


    I don't have mod_security on my own server so I won't test on my end.

    related: https://gist.github.com/pantaluna/8c...ad01e9b7e5712f
