Banning ModSecurity Offenders?

Posted by AcheronMedia-VK, 10-29-2014, 06:23 AM
I have a rather unusual problem on my hands. This client's cPanel server we're managing is configured to ban for a while any IP that appears in the ModSecurity log for requests denied with 4xx or 5xx. This proved particularly useful lately with increasing probes for Shellshock, and pretty much every such request until today has been some kind of hacking attempt or security "probe". The banhammer constantly keeps some 10-20 IPs blocked daily. Today the client complained that some of the legit users got banned, and upon checking the logs it seems they copied something from their site into an OpenOffice document, which caused a PROPFIND HTTP request from OpenOffice, which in turn made ModSecurity complain and ban the IP.

I say it seems because this is the first time I see something like this, and a quick search shows this: http://webmasters.stackexchange.com/...pfind-used-for Also, the UA in the logs says OpenOffice, but that, of course, could be faked. My first guess was their computer got infected and the malware is scanning sites they're visiting...

Now, I'm undecided as to what to do and would like some advice. Do I ease the ModSecurity rules and allow non-standard HTTP verbs? I think MS Office also sends a flurry of WebDAV and other such requests when a downloaded document is being opened in Office directly. Then again, the Office software, or any other, shouldn't be doing all those non-standard and WebDAV-specific requests, not in this age of websec paranoia. This is not a specialized server, it's "just" a web server; all the use cases should be confined to regular browsing and email exchange. So this, yet again, becomes the question of whether we cater to broken and dumb software...

Edit: The PROPFIND request was against a CSS file, which additionally looks weird; one would guess people are copying images, not CSS files... Can't tell if additional reqs were made because the IP got banned at the firewall level immediately.
Last edited by AcheronMedia-VK; 10-29-2014 at 06:27 AM.

Posted by SHALB, 10-29-2014, 07:20 AM
Do not be a paranoiac. Just allow non-standard HTTP verbs if you see too many such requests in your logs from regular users.

Posted by XViD, 10-29-2014, 08:34 AM
Find a way to disable mod_security rules per account. One possible solution here: http://www.configserver.com/cp/cmc.html

Posted by AcheronMedia-VK, 10-29-2014, 08:44 AM
Thanks for your answers, guys, but I'm not asking how to fix it. I'm asking whether I should drop HTTP verb checking and banning IPs for invalid verbs. I was wondering if someone does the same and wishes to share their experience.
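One middle road between the two positions in the thread, as an added example that is not from any poster: keep denying the verbs but do not feed every single denial straight to the firewall. The Python scorer below reads combined-format access log lines (constructed here, not real traffic) and weights a lone PROPFIND or OPTIONS on a static file from a document-suite user agent far lower than a run of denied probes, so one OpenOffice paste does not trip the ban while a Shellshock scanner still does. The verb set, static extensions, UA strings and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not from the thread): one
# OpenOffice client doing a single PROPFIND on a stylesheet, one host probing
# with several disallowed verbs and a Shellshock-style UA, one ordinary 404.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Oct/2014:06:10:01 +0000] "PROPFIND /css/style.css HTTP/1.1" 403 - "-" "OpenOffice/4.1"
198.51.100.9 - - [29/Oct/2014:06:10:02 +0000] "PROPFIND / HTTP/1.1" 403 - "-" "Mozilla/5.0"
198.51.100.9 - - [29/Oct/2014:06:10:03 +0000] "TRACE / HTTP/1.1" 403 - "-" "Mozilla/5.0"
198.51.100.9 - - [29/Oct/2014:06:10:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 403 - "-" "() { :; }; echo"
192.0.2.7 - - [29/Oct/2014:06:11:00 +0000] "GET /missing.png HTTP/1.1" 404 - "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Verbs document suites emit when handed a URL, and the static extensions
# such requests usually target (assumed values, adjust for your site).
WEBDAV_VERBS = {"PROPFIND", "OPTIONS"}
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".odt", ".docx", ".pdf")
DOC_SUITE_UA = ("OpenOffice", "LibreOffice", "Microsoft Office")

def score_line(method, path, status, ua):
    """Weight one denied request: 0 for plain 404 noise, 1 for a WebDAV verb
    on a static file from a document suite, 3 for any other denial."""
    if status == 404:
        return 0
    if (method in WEBDAV_VERBS and path.lower().endswith(STATIC_EXT)
            and any(tag in ua for tag in DOC_SUITE_UA)):
        return 1
    return 3

def ban_candidates(log_text, threshold=3):
    """Return {ip: score} for IPs whose weighted denials reach the threshold."""
    scores = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # skip lines that are not in combined format
        status = int(m.group("status"))
        if status < 400:
            continue          # only 4xx/5xx count, as in the thread's setup
        scores[m.group("ip")] += score_line(
            m.group("method"), m.group("path"), status, m.group("ua"))
    return {ip: s for ip, s in scores.items() if s >= threshold}

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))   # {'198.51.100.9': 9}
```

With the default threshold the OpenOffice client (score 1) stays unbanned while the probing host (score 9) is handed to the firewall; lowering the threshold to 1 reproduces the thread's current one-strike behaviour.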