Id 960015 owasp_top_10 a7 modsecurity_crs_21_protocol_anomalies.conf 2024

Hello everybody, tonight I'm living a nightmare and I would really love for someone to give me a clue or an idea of what I should do. I'm getting a brute force on my Apache and I already tried following some tutorials (for mod_security and mod_evasive). They worked for now, but when I activate mod_security one of my software's functions stops working (the patcher, which looks for an XML file) and gets a 403 error. I have no idea what to do. Please, someone help me with this trouble. This is the output I get in the error_log:

Code: ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "www.metin2essential.es"] [uri "/"] [unique_id "Vc6yLEDGQDdPjjP14qpHpAAAAIY"]

This is line 47 of modsecurity_crs_21_protocol_anomalies.conf:

Code: "skipAfter:END_ACCEPT_CHECK,chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing an Accept Header',severity:'5',id:'960015',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'"

Hi all!

Yesterday I installed mod_security on my Debian machine: libapache2-modsecurity 2.6.6-6+deb7u1 and rules tagged as 2.2.5

But there are tons of errors in the Apache log:

[Sat Jun 29 06:10:04 2013] [error] [client 157.158.66.216] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "forum.mydomain"] [uri "/download/file.php"] [unique_id "Uc5eHJ2eQtgAAHbzG3sAAAFq"]

(...)

[Sat Jun 29 08:51:59 2013] [error] [client 83.10.190.85] ModSecurity: Rule 7fc4d6aab2b0 [id "950901"][file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "redmine.mydomain"] [uri "/plugin_assets/redmine_lightbox/images/blank.gif"] [unique_id "Uc6ED52eQtgAAHbrGl0AAAD0"]

On Google there are suggestions to increase the PCRE limit, so I've set:

SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

but without any result (those logs are with the increased limits). I want to get rid of these errors.

Regards Mikołaj

Hi. I have searched for PCRE limits mod_security errors, and setting up those limits through php.ini and the mod_security limits didn't work. I don't know where I read it, but it seems to be a mod_security bug in that version. I hope someone can confirm it.

Kind regards,


Describe the bug

SSL certificate generation using Let's Encrypt results in a 403 Forbidden error.

Logs and dumps

Output of modsec_audit.log

--dde07d07-A--
[18/May/2020:16:27:44 +0300] XsKNUBSLv@CtAoRchMQbWwAAAAU <<IP>> 54146 <<IP>> 80
--dde07d07-B--
GET /.well-known/acme-challenge/g0xtVr2JZjrCGgaXXH1xC8Fp-EXRRdiEAdL3Cm9B3QA HTTP/1.1
Accept-Encoding: identity
Host: autoconfig.domain.tld
Content-Type: application/jose+json
Connection: close
User-Agent: acme-tiny
--dde07d07-F--
HTTP/1.1 403 Forbidden
Content-Length: 272
Connection: close
Content-Type: text/html; charset=iso-8859-1
--dde07d07-E--
--dde07d07-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client <<IP>>] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "autoconfig.domain.tld"] [uri "/.well-known/acme-challenge/g0xtVr2JZjrCGgaXXH1xC8Fp-EXRRdiEAdL3Cm9B3QA"] [unique_id "XsKNUBSLv@CtAoRchMQbWwAAAAU"]
Action: Intercepted (phase 2)
Stopwatch: 1589808464029236 20211 (- - -)
Stopwatch2: 1589808464029236 20211; combined=2753, p1=1779, p2=877, p3=0, p4=0, p5=97, sr=484, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (//www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.6
Engine-Mode: "ENABLED"
--dde07d07-Z--

Expected behavior

SSL certificate generation should be successful as it is when disabling mod security.

Server (please complete the following information):

  • ModSecurity 2.9.2
  • Apache/2.4.6
  • CentOS 7.8

Rule Set

  • CRS ruleset only
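
A triage aid for the rule 960015 blocks reported in the posts above, as an added example that is not part of any of the original posts or of ModSecurity/CRS: it parses the `[key "value"]` fields of error-log lines, counts blocking hits per rule id and URI directory, and renders a path-scoped `SecRuleRemoveById` stanza. The function names and the sample log (shortened from the quoted entries, with constructed client addresses and one constructed token) are assumptions.

```python
import posixpath
import re
from collections import Counter

# Constructed sample: entries shortened from the logs quoted above; client
# addresses and the second ACME token are made up for the example.
SAMPLE_LOG = r'''
[client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [hostname "autoconfig.domain.tld"] [uri "/.well-known/acme-challenge/g0xtVr2JZjrCGgaXXH1xC8Fp-EXRRdiEAdL3Cm9B3QA"]
[client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [hostname "autoconfig.domain.tld"] [uri "/.well-known/acme-challenge/constructed-token-2"]
[client 192.0.2.20] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [hostname "www.metin2essential.es"] [uri "/"]
[client 192.0.2.30] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [hostname "forum.mydomain"] [uri "/download/file.php"]
[client 192.0.2.40] ModSecurity: Rule 7fc4d6aab2b0 [id "950901"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "redmine.mydomain"] [uri "/plugin_assets/redmine_lightbox/images/blank.gif"]
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # one [key "value"] pair
SAFE_PREFIX = re.compile(r'[A-Za-z0-9._~/-]+')         # log URIs are attacker-controlled

def parse_line(line):
    """Return the metadata of one ModSecurity error-log line, or None."""
    if "ModSecurity:" not in line:
        return None
    rec = {"tags": [], "blocked": "Access denied" in line}
    for key, value in FIELD.findall(line):
        if key == "tag":
            rec["tags"].append(value)      # "tag" repeats, keep every value
        else:
            rec[key] = value
    return rec

def blocked_by_prefix(log_text):
    """Count blocking hits per (rule id, URI directory); warnings and
    execution errors such as 'PCRE limits exceeded' are not blocks."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["blocked"] and "id" in rec and "uri" in rec:
            hits[(rec["id"], posixpath.dirname(rec["uri"]))] += 1
    return hits

def scoped_exclusion(rule_id, prefix):
    """Render a path-scoped exclusion, to be loaded after the CRS includes.
    Returns None when the scope would be the whole site or looks unsafe."""
    if prefix in ("", "/") or not SAFE_PREFIX.fullmatch(prefix) or not rule_id.isdigit():
        return None
    return '<Location "%s">\n    SecRuleRemoveById %s\n</Location>' % (prefix, rule_id)

if __name__ == "__main__":
    for (rule_id, prefix), n in blocked_by_prefix(SAMPLE_LOG).items():
        print(n, rule_id, prefix, scoped_exclusion(rule_id, prefix), sep="\n")
```

For the block at `/` no stanza is produced, since a `<Location "/">` exclusion would switch the rule off for the whole site.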
