Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: ModSecurity: Access denied with code 400 (phase 2) |
|
Author |
|
Denny
Joined: 18 Oct 2007 Posts: 3 Location: Palm Desert CA
|
Posted: Thu 18 Oct '07 17:52 Post subject: ModSecurity: Access denied with code 400 (phase 2) |
|
|
I know very little about Apache and servers and I really need some help from someone that knows Apache, servers and ModSecurity.
We have a small Hosting reseller account at eNom.com. We have a new customer that moved his website from another hosting company to ours. The website is on a shared IP. Enom.com also uses a internal IP for internal use associated to the domain.
The problem we have is that AOL users can not see the website. As far as we can tell no other ISP's are having this problem. Everyone can see it except AOL users. AOL could see the site on the old server.
When AOL users go to the site they get "Page can not be found". After several calls to eNom support and them triple checking the DNS we still have the problem.
I found several errors in the error log. I looked up the IP's with the errors and they all pointed back to AOL.. See below for two examples of the errors....
Enom.com thinks it is a problem with AOL. I have googled the error and ModSecurity and I think it has something to do with the ModSecurity on the server...
Is this a server problem, Apache, DNS or AOL???
What do these errors mean and what do I do about it???
The domain is http://2hotlicks.com and it is on a Linux. They sell Hot Sauce.. Would AOL block it because of the keywords in the Domain name?
Thanks,
[Wed Oct 17 08:11:56 2007] [error] [client 207.200.116.7] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\\\\bhttp.(?:0\\\\.9|1\\\\.[01])|<(?:html|meta)\\\\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/"] [unique_id "uPWvAgoHAlYAAA25N5AAAAAI"]
[Tue Oct 16 13:11:20 2007] [error] [client 207.200.116.137] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\\\\bhttp.(?:0\\\\.9|1\\\\.[01])|<(?:html|meta)\\\\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/combos.htm"] [unique_id "yddhwAoHAlYAAEEfgyEAAAAi"]
Thank you for any help you can give me.
Denny |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Thu 18 Oct '07 20:45 Post subject: |
|
|
Indeed one of your mod_security rules is blocking the requests.
Find the rule with id "950911" in your mod_securty directives and remove it and see if the issues is solved.
Steffen |
|
Back to top |
|
Denny
Joined: 18 Oct 2007 Posts: 3 Location: Palm Desert CA
|
Posted: Thu 18 Oct '07 20:53 Post subject: |
|
|
Thank you..
I will pass this on the eNom.com and hopefully they can check it out.. eNom doesn't think there is a problem... |
|
Back to top |
|
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Thu 18 Oct '07 22:56 Post subject: |
|
|
The current rule #950911 in file modsecurity_crs_40_generic_attacks.conf looks like this: Code: | SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack. Matched signature <%{TX.0}>',,id:'950911',severity:'1'" | It doesn't check REQUEST_HEADERS as your error message indicates.
Perhaps Enom has an old set of mod_security rules which need to be updated.
-tom-
p.s. This always gives me a chuckle! The response headers are obviously from an Apache site, but they have changed their Server ID to say IIS5. Code: | GET / HTTP/1.1
Host: www.2hotlicks.com
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2007 20:07:03 GMT
Server: Microsoft-IIS/5.0
Last-Modified: Mon, 15 Oct 2007 17:46:51 GMT
ETag: "44c93d-3d02-a740b8c0"
Accept-Ranges: bytes
Content-Length: 15618
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Hot Licks - Hot Sauces, Salsas, Mustards, Snacks, Condiments and more!</title>
... | This security tactic can actually be counter-productive because it fools no one, and it marks the site admin as a bit of a "security-by-obscurity" amateur.
Just my tactless, opinionated, 2-cents worth...
-tom- |
|
Back to top |
|
Denny
Joined: 18 Oct 2007 Posts: 3 Location: Palm Desert CA
|
Posted: Sat 20 Oct '07 3:04 Post subject: |
|
|
I just wanted to say thanks for everyone's input.. I took all your suggestions and passed them on to eNom.com. I submitted the ticket for this problem 5 days ago and I have asked for updates everyday. Of course they just said "they" are working it. Who ever "they" is....
The bottom line is after waiting for 5 days I asked for a supervisor and told him what was going on. It was fixed in 10 minutes.. Below is there response to what they did to fix it..
"The AOL connection proxy was modifying the browser headers when attempting to connect to the web site. The modified headers appeared to be a malicious attack on the web hosting account and was blocked. Those security settings have been disabled for the domain name 2hotlicks.com, which should resolve the issue."
Thanks for your input on this...
Denny |
|
Back to top |
|
|
|
|
|
|