mod_security blocks only internet explorer

StackOverflow https://stackoverflow.com/questions/10744832

  •  10-06-2021
  •  | 
  •  

Domanda

I installed mod_security with an apache server, and now it's blocking only ie7/8/9 browser. (I can browse the web with firefox/chromium/etc)

The logs say:

Message: String match within "Proxy-Connection Lock-Token Content-Range Translate via if" at REQUEST_HEADERS_NAMES:Connection. [file "/etc/apache2/mod_security/modsecurity_crs_30_http_policy.conf"] [line "99"] [id "960038"] [msg "HTTP header is restricted by policy"] [data "Connection"] [severity "WARNING"] [tag "POLICY/HEADER_RESTRICTED"] [tag "POLICY/FILES_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/12.1"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/12.1"]
Message: Access denied with code 403 (phase 2). [file "/etc/apache2/mod_security/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 20): Common SPAM/Email Harvester crawler"]
Action: Intercepted (phase 2)
Stopwatch: 1337888078594451 2694 (918 2353 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.6.
Server: Apache

And the rule id "960038" is:

SecRule REQUEST_HEADERS_NAMES "@within %{tx.restricted_headers}""phase:2,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

I have one main question and two other derived from the first:

  • How do I know what this rule makes?
    • Is it safe to ignore this rule?
    • Is there any way to modify the rule in order to allow ie to navigate the web?
È stato utile?

Soluzione

  1. Answering Your First Question Mod-Security provide us a very detailed documentation about the syntax of its Rule Language and following is the link to its documentation. ModSecurity Rule Language

  2. TX is for user defined variable tx.restricted_headers it defines your HTTP policy like

    SecAction "phase:1,t:none,nolog,pass,setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'" for more detailed information refer this HTTP Policy

  3. The Rule you have mentioned above is not blocking but it is incrementing a numerial value maintained against suspicious header name as mentioned in the HTTP policy i explained above.

  4. The Rule that is blocking IE as seen from the logs mentioned

    Message: Access denied with code 403 (phase 2). [file "/etc/apache2/mod_security/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 20): Common SPAM/Email Harvester crawler"]

You can modify the anomaly score threshold or can change your HTTP policy.The Rule you have mentioned is correct and don't need to be commented.I hope you get my point

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top