
Thread: Modsecurity error 406 and "GET HTTP/1" in logs

  1. #1 (Join Date: Nov 2016; Location: Apeldoorn, Netherlands; Posts: 23)

    Modsecurity error 406 and "GET HTTP/1" in logs

    Hi,

    Last week we installed a new server with the latest CentOS 7/DirectAdmin/CB2 with nginx-apache and PHP 7.2.

    HTTPS, SSL, IPv6, everything works nicely, except HTTP/2.
    ModSecurity gives a 406 error because it wants HTTP/2.

    We have formatted/reinstalled the server, but the error keeps coming back.
    We really don't know what is wrong or how to fix it.

    Error in log:
    Code:
    2017/12/06 23:41:37 [error] 15247#0: [client 178.84.29.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "37.97.216.114"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname ""] [uri "/squirrelmail/src/login.php"] [unique_id "AVAcAcAcAcJqAcQ0AsAcAcAc"]
    Access log from nginx/apache
    Code:
    178.84.29.178 - - [06/Dec/2017:23:41:37 +0100] "GET /squirrelmail/src/login.php HTTP/1.1" 406 574 "http://37.97.216.114/squirrelmail/src/redirect.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 OPR/49.0.2725.47"
    178.84.29.178 - - [06/Dec/2017:23:11:41 +0100] "GET / HTTP/1.0" 200 2764 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 OPR/49.0.2725.47"
    Why does it not say 'GET ... HTTP/2' in the logs?

    Directadmin.conf
    Code:
    SSL=1
    addip=/usr/local/directadmin/scripts/addip
    admin_helper=admin.site-helper.com
    admindir=./data/admin
    apache_public_html=0
    apache_ver=2.0
    apachecert=/etc/httpd/conf/ssl.crt/server.crt
    apacheconf=/etc/httpd/conf/extra/directadmin-vhosts.conf
    apacheips=/etc/httpd/conf/ips.conf
    apachekey=/etc/httpd/conf/ssl.key/server.key
    apachelogdir=/var/log/httpd/domains
    apachemimetypes=/etc/mime.types
    brute_force_log_scanner=1
    brute_force_scan_apache_logs=0
    brute_force_time_limit=12000
    brutecount=10
    bruteforce=1
    cacert=/usr/local/directadmin/conf/cacert.pem
    cakey=/usr/local/directadmin/conf/cakey.pem
    check_partitions=2
    check_subdomain_owner=0
    clear_blacklist_ip_time=0
    clear_brute_log_entry_time=4
    clear_brute_log_time=24
    cloud_cache=0
    demodocsroot=./data/skins/enhanced
    docsroot=./data/skins/enhanced
    dovecot=1
    emailspoolvirtual=/var/spool/virtual
    emailvirtual=/etc/virtual
    enforce_difficult_passwords=1
    ethernet_dev=eth0
    exempt_local_block=1
    frontpage_on=0
    ftpconfig=/etc/proftpd.conf
    ftppasswd=/etc/proftpd.passwd
    ftpvhosts=/etc/proftpd.vhosts.conf
    ip_brutecount=100
    ipv6=1
    license=/usr/local/directadmin/conf/license.key
    litespeed=0
    log_rotate_size=5
    logdir=/var/log/directadmin
    logger=/usr/local/directadmin/logger
    loghostname=0
    login_history=10
    logs_to_keep=9
    lost_password=0
    max_per_email_send_limit=-1
    max_username_length=10
    maxfilesize=10485760
    mysqlconf=/usr/local/directadmin/conf/mysql.conf
    namedconfig=/etc/named.conf
    nameddir=/var/named
    nginx=0
    nginx_proxy=1
    ns1=ns0.transip.nl
    ns2=ns1.transip.net
    numservers=5
    owsadm=/usr/local/frontpage/version5.0/bin/owsadm.exe
    partition_usage_threshold=95
    port=2222
    pureftp=1
    purge_spam_days=0
    quota_partition=/
    removeip=/usr/local/directadmin/scripts/removeip
    reseller_helper=reseller.site-helper.com
    secure_access_group=access
    servername=vps1.rhinestone77.nl
    serverpath=/usr/local/directadmin
    session_minutes=60
    skinsdir=./data/skins
    sshdconfig=/etc/ssh/sshd_config
    ssl_cipher=HIGH:!aNULL:!MD5
    taskqueue=/usr/local/directadmin/data/task.queue
    templates=/usr/local/directadmin/data/templates
    ticketsdir=/usr/local/directadmin/data/tickets
    timeout=60
    tmpdir=../../../home/tmp
    unified_ftp_password_file=1
    user_brutecount=100
    user_can_set_email_limit=0
    user_helper=www.site-helper.com
    userdata=./data/users
    user_can_select_skin=1
    fm_file_permissions=644
    fm_dir_permissons=755
    global_httpd_tokens=/usr/local/directadmin/data/admin/global_httpd_tokens.conf
    letsencrypt=1
    enable_ssl_sni=1
    default_private_html_link=1
    dkim=1
    dns_tlsa=1
    http2=1
    awstats=1
    webalizer=1
    hide_brute_force_notifications=1
    add_userdb_quota=1
    Custombuild options:
    Code:
    Executing /usr/local/directadmin/plugins/custombuild/admin/build options.
    Apache: 2.4.29
    Nginx (reverse proxy): 1.13.6
    mod_ruid2: no
    ModSecurity: 2.9.0
    ModSecurity Rule Set: owasp
    htscanner: no
    Dovecot: 2.2.33.2
    Dovecot configuration: yes
    AWstats: 7.6
    Exim: 4.89.1
    exim.conf update: yes, release 4.5
    BlockCracking: yes
    Easy Spam Fighter: yes
    SpamAssassin: 3.4.1
    SpamAssassin rule updates: daily
    ClamAV: 0.99.2
    MariaDB: 10.2.11
    MySQL backup: yes
    MySQL backup directory: /usr/local/directadmin/custombuild/mysql_backups
    MySQL compress backups: no
    PHP (default): 7.2 as php-fpm
    phpMyAdmin: 4.7.6-all-languages
    ProFTPD: no
    Pure-FTPd: 1.0.47
    RoundCube webmail: 1.3.3
    Replace "php.ini" with '/usr/local/directadmin/custombuild/build all' and '/usr/local/directadmin/custombuild/build php_ini': yes
    Replace "php.ini" using type: production
    Cron for notifications and (or) updates: yes
    Cron frequency: daily
    Auto notifications: yes
    Auto notifications email address: email@domain.com
    Auto updates: yes
    Run "clean" every time: yes
    Run "clean_old_webapps" every time: yes
    Run "clean_old_tarballs" every time: yes
    Show texts in bold: yes
    SquirrelMail: 1.4.23-20170731_0200
    Zend Guard Loader: no
    ionCube loader: no
    Suhosin: no
    How can we fix this?
    Otherwise we have to disable ModSecurity...


    Thanks in advance, Lydia

  2. #2 (Join Date: Apr 2005; Location: GMT +7.00; Posts: 11,388)
    Hello,

    It has nothing to do with HTTP/1 or HTTP/2 at all. It says:

    "Host header is a numeric IP address"
    So try and access SquirrelMail not as http://37.97.216.114/squirrelmail
    This way it opens without an error: http://vps1.rhinestone77.nl/squirrelmail/
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  3. #3 (Join Date: Nov 2016; Location: Apeldoorn, Netherlands; Posts: 23)
    Oops, then I posted the wrong line from the log.

    The error is:
    Code:
    Message: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/2.0"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]
    But my boss is not giving me any more time at the moment to search for a fix.
    So for now I have to shut down ModSecurity :-(

    But if anyone knows a quick fix, I would be very glad to hear it.

    Greetz, Lydia

  4. #4 (Join Date: Apr 2005; Location: GMT +7.00; Posts: 11,388)
    I guess you need to modify line 78 in /etc/modsecurity.d/modsecurity_crs_30_http_policy.conf and take care to protect your changes.
    With regards, Alex.


  5. #5 (Join Date: Nov 2016; Location: Apeldoorn, Netherlands; Posts: 23)
    Hi,

    That would indeed disable the error, but then we still get 'HTTP/1.0' in our logs instead of HTTP/2.

    I can't find what I am doing wrong. Also, https://http2.pro/ tells us that our sites don't work on HTTP/2. It cannot even connect to our sites.

    At the moment I cannot test anything, because I am still busy reinstalling the server; otherwise I would try to give more details. And for now I am not allowed to dive into it anymore, but I do hope someone has a solution. Otherwise I will dive into it later. :-(

    Greetz, Lydia

  6. #6 (Join Date: Apr 2005; Location: GMT +7.00; Posts: 11,388)
    The test gives: https://http2.pro/check?url=https%3A...inestone77.nl/

    HTTP/2 supported!
    As far as I can see, the test of REQUEST_PROTOCOL fails because you use HTTP/2, not vice versa:

    Code:
    [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/2.0"] 


    I don't have mod_security on my own server so I won't test on my end.

    related: https://gist.github.com/pantaluna/8c...ad01e9b7e5712f
    With regards, Alex.

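Added example (not code from the thread, from DirectAdmin or from the OWASP CRS): the two CRS 2.2.9 checks that appear in Lydia's logs, rule 960017 from post #2 (Host header is a bare IP, regex ^[\d.:]+$) and rule 960034 from posts #3 and #6 (REQUEST_PROTOCOL must be @within tx.allowed_http_versions), emulated in POSIX shell on constructed input, plus the override file that is the usual alternative to editing line 78 of modsecurity_crs_30_http_policy.conf as suggested in post #4. Rule 960034 only consults the tx.allowed_http_versions variable, so setting that variable in a file loaded after the CRS setup file keeps the rule file untouched and survives CustomBuild's daily auto-updates. The shipped default list, the SecAction id 900099 and the path /etc/modsecurity.d/zz_allow_http2.conf are assumptions. One note of mine on Lydia's other question, not from the thread: with nginx_proxy=1 the Apache access log showing HTTP/1.0 is expected, because nginx terminates the browser's HTTP/2 connection and speaks HTTP/1.0 to its upstream unless proxy_http_version 1.1 is configured; the "HTTP/2.0" in the ModSecurity message is the protocol ModSecurity saw on the connection it inspected (the error line in post #1 is in nginx error-log format).

```shell
#!/bin/sh
# Added example (not from the thread, DirectAdmin or the CRS): emulates the two
# CRS 2.2.9 checks seen in the posted logs and writes the override that lets
# HTTP/2.0 through rule 960034. Paths, the default list and the id are assumptions.
set -eu

# Rule 960034 uses "!@within %{tx.allowed_http_versions}". @within is a plain
# substring test: the needle (REQUEST_PROTOCOL) must occur somewhere inside the
# haystack (the allowed list). An HTTP/2 request carries "HTTP/2.0".
protocol_allowed() {            # $1 = allowed list, $2 = REQUEST_PROTOCOL
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Rule 960017 is the regex ^[\d.:]+$ against the Host header: anything made
# only of digits, dots and colons (a bare IPv4, or IPv4:port) trips it.
host_is_numeric_ip() {          # $1 = Host header value
    printf '%s\n' "$1" | grep -Eq '^[0-9.:]+$'
}

# Writes the fix as a separate file that is loaded after the CRS setup file,
# so "Auto updates: yes" in CustomBuild does not overwrite it. The id 900099 is
# an assumption; any id the CRS does not use works. HTTP/1.0 and HTTP/1.1 stay
# in the list because an nginx proxy may still hand Apache HTTP/1.0 requests.
write_h2_override() {           # $1 = path of the override file to create
    cat > "$1" <<'EOF'
# Allow HTTP/2 through CRS 2.2.9 rule 960034 (HTTP protocol version policy).
SecAction \
  "id:'900099', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2.0', \
  nolog, \
  pass"
EOF
}

# Reads the allowed list back out of a config file, so the override can be
# verified before the web server is reloaded.
allowed_versions_in() {         # $1 = config file
    sed -n "s/.*tx\.allowed_http_versions=\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# --- demonstration on constructed data ---------------------------------------
crs_default='HTTP/0.9 HTTP/1.0 HTTP/1.1'   # assumed stock CRS 2.2.9 setup value
for proto in HTTP/1.0 HTTP/1.1 HTTP/2.0; do
    if protocol_allowed "$crs_default" "$proto"; then
        echo "960034: $proto passes with '$crs_default'"
    else
        echo "960034: $proto is BLOCKED with '$crs_default'  <- the 406 from post #3"
    fi
done

for host in 37.97.216.114 vps1.rhinestone77.nl; do
    if host_is_numeric_ip "$host"; then
        echo "960017: Host '$host' is a numeric IP -> 406 (post #2)"
    else
        echo "960017: Host '$host' is fine"
    fi
done

override=$(mktemp)              # in production: /etc/modsecurity.d/zz_allow_http2.conf (assumed)
write_h2_override "$override"
fixed=$(allowed_versions_in "$override")
protocol_allowed "$fixed" HTTP/2.0 && echo "after override: HTTP/2.0 passes with '$fixed'"
rm -f "$override"
```

On the server, after creating the override file, run the config test and reload whichever daemon hosts ModSecurity (for nginx: `nginx -t && systemctl reload nginx`; for Apache: `apachectl configtest && systemctl reload httpd`), then re-run the https://http2.pro/ check and confirm that no further id "960034" lines appear in the error log. Whether a file under /etc/modsecurity.d/ is read after the CRS setup file depends on the Include order in the ModSecurity main config that DirectAdmin generated; check that order with grep rather than assuming it.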
