-1

This question is an extension of another here (Symfony framework install 406 Not Acceptable Error w/CPanel & WHM), please read my answer there to see how I solved the issue.

I was able to solve the issue I had with the 406 errors but at a cost.., I had to disable mod security in WHM which is a huge security vulnerability I'm sure. My question is how can I keep mod security enabled and still have it work with the default Symfony installation so that I do not receive 406 errors anymore?

EDIT

ModSecurity Logs

Request: GET / Action Description: Access denied with code 406 (phase 4). Justification: Pattern match "^5\d{2}$" at RESPONSE_STATUS

Community
  • 1
  • 1
Joseph Astrahan
  • 8,659
  • 12
  • 83
  • 154
  • What's the ModSecurity rule that caused the blocking as shown in the Apache error log? – Barry Pollard Dec 27 '15 at 06:21
  • I'm not entirely sure, but when I looked at the modSecurity logs, the most recent log said this, Request: GET / Action Description: Access denied with code 406 (phase 4). Justification: Pattern match "^5\\d{2}$" at RESPONSE_STATUS. – Joseph Astrahan Dec 27 '15 at 08:27
  • I'm not sure what the pattern match means though (except that is regex), but not sure what its purpose was for? – Joseph Astrahan Dec 27 '15 at 08:28
  • Your application returned a 5XX status which usually means server error. There appears to be a ModSecurity rule to prevent these errors returning all the way back to the client. This is usually done as server errors can contain useful information to hackers (e.g. stack traces and/or database error codes). So question should not be "why is ModSecurity blocking this request?" but "why is my request returning a 5xx status?" – Barry Pollard Dec 27 '15 at 08:53
  • What do you mean 5XX status code, its only return 4XX codes? Also if the question is downvoted please provide me a reason why so I can fix my question, I feel this is a legitimate question and problem. – Joseph Astrahan Dec 27 '15 at 09:16
  • No it returned 5XX - which ModSecurity intercepted and replaced with a 406. At least according to the logs you gave. – Barry Pollard Dec 27 '15 at 09:24
  • 1
    I also did not downvote your question, though can understand why it was downvoted since: 1) it is a continuation of a previous question (and required reading that to fully understand it) whereas questions should contain all information required to answer them, 2) it not really related to programming but server administration and stackoverflow is for programming (serverfault.com is a sister site for SAs but only for professional SAs), and 3) because it's apparent you don't fully understand your infrastructure nor the issue so question is vague and having to entice info out of you. – Barry Pollard Dec 27 '15 at 09:28
  • I guess I don't understand how that works yet, is that what the pattern match part is saying? Didn't mean to offend you if I did, just sucks when you get downvoted and have no idea why, especially since downvoting hurts the person who downvoted owns reputation everytime they do it also. I was not aware of serverfault.com as the sister site for Server Adminitration, I will look into that for these questions in the future. I agree with points #1, #2 you made, was not aware of those as issues here. As for #3, I don't understand the infrastructure which is why I need help... what do I do? – Joseph Astrahan Dec 27 '15 at 19:17
  • Added a detailed answer to hopefully set you on the right track and also explain why it's no such an easy question to answer given the limited information you've given. Add a comment if you've any questions or expand your question with more detail to see if we can get it solved for you. – Barry Pollard Dec 27 '15 at 20:26

1 Answers1

2

Background

ModSecurity is a Web Application Firewall (or WAF). You can define rules to attempt to identify and block illegitimate requests. WAFs are not perfect though, and often generic rules are used that work in "most sites", but do sometimes block legitimate requests (known as false positives).

The first thing to understand is that no one will know what ModSecurity rules you have installed except you. ModSecurity does not come with any rules at all, though there are rules available to download, from free ones (like the OWASP CRS) to paid for ones from the likes of Atomic) or you can write your own. So the first thing to explain to you is that no one will be able to tell you how to solve this problem as it's likely to be specific to you depending on your installation. Saying that we can guide you on the way to finding your own solution.

Running a WAF does give extra protection but does require a lot of maintenance. While I personally like it and can see the merit, most sites live without it to be honest and it's rare (though not unheard of) that hackers make it in anyway if you keep your software up to date and don't install software that is high target (WordPress for example). It's up to you whether to keep it depending on how critical and security minded your website needs to be but, if do want to use it, then you will need to understand how it works to deal with issues like this.

Your problem.

I am not familiar with Symfony but from what I can understand when ModSecurity is turned on, your application fails and at least one ModSecurity rule fires. When ModSecurity is switched off it all works fine.

So first of all you need to find out ALL the rules that are stopping your applications from working. You have given one rule but I suspect that is not the only one blocking.

That rule is, as I discussed in the comments to your original question, a fairly standard rule in most rulesets to try to prevent information leakage. All web servers respond with a 3 digit status code for each request. The most well known is 404 or "page not found". The ones in the 500 range mean server error. So this rule says that if the server responds (RESPONSE_STATUS) with a pattern matching "^5\d{2}$" (i.e. 5XX were X is a digit so 0-9) then something has gone wrong, and ModSecurity steps in to prevent any error messages going back to the user and instead sends it's own 406 error message instead.

ModSecurity has 5 phases:

  1. Rules that scan Request headers (REQUEST_HEADERS)
  2. Rules that scan Request body (REQUEST_BODY)
  3. Rules that scan Response headers (RESPONSE_HEADERS)
  4. Rules that scan Response body (RESPONSE_BODY)
  5. Rules that affect Logging (LOGGING)

This rule fires in phase 4 - which is when the request is being sent back to the client. So at this stage something has already gone wrong for your application to have returned a 5XX status.

I suspect that another ModSecurity rule fired earlier (a phase 1 or phase 2 rule) which caused the error and you have only shown the last rule that fired.

Before I could help you further with your problem I would need to know:

  • ALL ModSecurity error messages from the Apache Error logs.
  • Additionally it would be helpful to know what version of ModSecurity you are running (this should be in the Apache error logs at start up).
  • It would also be helpful to know what ruleset you are running. Are they some of the standard ones discussed above, or ones that have been written especially for your site? Most rules have a rule id (in fact this is mandatory from ModSecurity 2.7 onwards) so surprised this is not listed in the error log snippet you gave earlier.

With that I, or someone else, might be able to help point you in the right direction.

How you can self-diagnose this problem (and future problems!)

If I were you I would take the following steps to identify the problem:

  1. Read all your Apache config filesand find out where the ModSecurity config and rules are defined. ModSecurity rules are just text config using the ModSecurity language added to standard Apache config - often by including external files were the rules are defined. Get to understand what those rules do and mean.
  2. Find the "SecRuleEngine On" line on your config and change this to "SecRuleEngine DetectionOnly" then restart Apache. This will flag rules in the log files but NOT block attempts. Then do what you want to do and take not of the rules that fire.
  3. Also turn on the additional Audit engine to capture full details of requests which block ("SecAuditEngine RelevantOnly").
  4. Decide if you need those rules tat are causing you problems, and then either comment them out of your config, or there are ways to tune them to stop blocking legitimate requests.
  5. Once all the rules are tuned, then turn ModSecurity on again.

The ModSecurity Reference Manual is a very useful resource to understand ModSecurity.

I can also recommend the ModSecurity handbook for further reading. It was written by the original author of ModSecurity and while it hasn't been updated since version 2.7 it's still a great intro.

Hope that helps, Barry

Barry Pollard
  • 40,655
  • 7
  • 76
  • 92
  • Thank you for writing this all and explaining it to me, I didn't have a good grasp on how it worked. I will work on getting the full log information as well as doing some other tests regarding ModSecurity and see if I can't get the website working with this if I determine I even need it active. Will get the info to post back here ASAP. – Joseph Astrahan Dec 28 '15 at 04:18
  • Ok so you were right the 406 error was caused by a 500 error BECAUSE the file had incorrect permissions on it. In my case changing from root to the actual user. Once I fixed the permissions the 406 error disappeared. So I still have more reading to do on ModSecurity, but what you said about it intercepting the response (perhaps so error messages from debug stuff don't show for example) is what happened. So instead of showing a 500 error and maybe some paths to locations, it showed the 406. Pretty interesting feature in retrospect. I still have more to learn, thanks for all the info. – Joseph Astrahan Dec 28 '15 at 20:38