3

I get this error from the web server. Is this a known issue? There are plenty of questions on Google, but no clear solution.

[error] [client ] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): Host header is a numeric IP address"] [hostname ""]
Joshua Enfield
webminal.org
  • 1
    Are you accessing the machine via IP instead of DNS? This is designed behavior if so, as mod_security is outputting this message in response to the machine being accessed via IP. If you don't want the error you could comment out the rule in the file listed in your error. – Joshua Enfield Sep 15 '10 at 16:02
  • Yes, I'm using the IP address to access the machine. Thanks, dude, I'll try and comment out that line and post the results here. – webminal.org Sep 16 '10 at 05:33
  • 1
    For some background info, the reason the rule exists in the default configuration is because in most web sites you have a DNS associated name. So your customer base should be using that name. Lots of malicious bots like to "attack" or find vulnerable machines, by simply incrementing through IP ranges. By blocking these requests by IP at the outset you arguably lower risk. Make sure to remember to *restart Apache* after the change. – Joshua Enfield Sep 16 '10 at 16:03
  • I'll keep the security risk details in mind. Thanks, it worked. – webminal.org Sep 17 '10 at 05:49
  • I'll move my comments into an answer. So you can accept the question. Glad it worked :) – Joshua Enfield Sep 17 '10 at 13:55

3 Answers

5

Are you accessing the machine via IP instead of DNS? This is designed behavior if so, as mod_security is outputting this message in response to the machine being accessed via IP. If you don't want the error you could comment out the rule in the file listed in your error.

For some background info, the reason the rule exists in the default configuration is because in most web sites you have a DNS associated name. So your customer base should be using that name. Lots of malicious bots like to "attack" or find vulnerable machines, by simply incrementing through IP ranges. By blocking these requests by IP at the outset you arguably lower risk. Make sure to remember to restart Apache after the change.

Joshua Enfield
0

One more scenario is when you have Lynx performing some crontab jobs. Lynx is considered a "website crawler" in the default included rules; just disable it.

Good luck

0

Joshua Enfield gave a good explanation of the issue, and if you want to give access to your server with a direct IP address, you can disable the rule creating a new .conf file in the folder with the rules of mod_security2:

modsecurity_crs_21_protocol_anomalies_customrules.conf

SecRuleRemoveById 960017

You can use SecRuleRemoveById to remove the rule or comment it in the original file:

[file "C:/Program Files/Apache Software Foundation/Apache2.2/conf/modsecurity_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"]

The first option should be better since you will know what rules are disabled and have more control at the end.

The example I gave above works with the latest OWASP rules, 2.2.7.

*Also keep in mind that disabling a rule is probably not the best way to solve the problem, and the rule should be enabled again once you understand and test it. Another way to solve it could be to get a free DNS redirector service for your IP and access your server from the Internet with the new domain name:

xtrm
  • Is it possible/practical/how would I modify this rule to allow LAN IP (behind firewall/router) addresses to access the webserver without triggering this rule, yet still block WAN (outside firewall/router) attempts? – JS. Oct 11 '14 at 21:34
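
One way to scope the exception asked about in the last comment, shown beside the global removal from the answer above. This is an added example, not part of any of the original posts; it assumes ModSecurity 2.7 or later (for `@ipMatch`), and the rule id `10001` and the address ranges are constructed values to adapt.

```apache
# Added example, not from the original posts.
# Assumes ModSecurity 2.7+ and the CRS rule id 960017 named on this page.

# Broad form from the answer: rule 960017 is switched off for every client,
# LAN and WAN alike.
# SecRuleRemoveById 960017

# Scoped form: skip 960017 only when the client address is on the LAN.
# The ranges are the RFC 1918 private blocks; narrow them to your own subnet.
# id:10001 is a constructed local id; use one that is unused in your ruleset.
# ctl: only affects rules evaluated after this one in the same transaction,
# so load this file before the CRS base_rules files.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" \
    "id:10001,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960017"

# Caveat: behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's
# address, so every request would match. In that setup, restore the real
# client address first (or match on a trusted header) before relying on this.
```

With the scoped form, requests from outside the listed ranges that send a numeric IP in the Host header still hit rule 960017 and add to the anomaly score. Restart Apache after the change, as noted in the accepted answer.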