Thread: [mod-security-users] Modsec_audit.log contains regular 403-Errors
From: logo <lo...@kr...> - 2019-06-17 13:22:49

Hi,

my first time in this mailing list.

I see regular 403 denied messages in the modsec_audit-Log. Is there a way to prevent this?

--d5087f62-A--
[17/Jun/2019:11:01:29 +0200] XQdW6W@ny6FqDbnEOUblnQAAAAQ 172.19.0.1 40528 172.19.0.2 443
--d5087f62-B--
GET /server-info HTTP/1.1
Host: <xxx>
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7

--d5087f62-F--
HTTP/1.1 403 Forbidden
Content-Length: 9
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--d5087f62-E--

--d5087f62-H--
Apache-Error: [file "mod_authz_core.c"] [line 884] [level 3] AH01630: client denied by server configuration: /var/www/html/xxx/server-info
Stopwatch: 1560762089814529 28970 (- - -)
Stopwatch2: 1560762089814529 28970; combined=1221, p1=700, p2=0, p3=137, p4=180, p5=204, sr=199, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
Server: Apache
Engine-Mode: "ENABLED"

--d5087f62-Z--

Apparently there is no ruleid that I could exclude.

Thanks

Peter

From: Ervin H. <ai...@gm...> - 2019-06-17 14:05:47

Hi Peter,

On Mon, Jun 17, 2019 at 03:03:27PM +0200, logo wrote:
> I see regular 403 denied messages in the modsec_audit-Log. Is there a way to
> prevent this?
>

I think this is not a ModSecurity configuration issue,

> --d5087f62-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 9
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1

this part of the audit log (F) means the answer from the webserver is 403

> --d5087f62-E--
>
> --d5087f62-H--
> Apache-Error: [file "mod_authz_core.c"] [line 884] [level 3] AH01630: client
> denied by server configuration: /var/www/html/xxx/server-info

and this (H) showed the detail - your apache configuration is not complete.

Enable the server-info in that virtualhost, and the error will be gone.

a.

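Added example, not part of the thread and not the posters' or the ModSecurity project's code: a small triage script that splits an audit-log entry into its lettered parts and reports whether a 403 in part F is backed by a ModSecurity rule hit in part H or was only recorded because of its response status. The function names `split_parts` and `triage` and the verdict labels are hypothetical; the `SecAuditLogRelevantStatus` pattern is assumed to be the one shipped in `modsecurity.conf-recommended` (used together with `SecAuditEngine RelevantOnly`), since the thread does not show the poster's value.

```python
import re

# Constructed sample: the audit-log entry from the first post, abridged.
SAMPLE = """\
--d5087f62-A--
[17/Jun/2019:11:01:29 +0200] XQdW6W@ny6FqDbnEOUblnQAAAAQ 172.19.0.1 40528 172.19.0.2 443
--d5087f62-B--
GET /server-info HTTP/1.1
--d5087f62-F--
HTTP/1.1 403 Forbidden
--d5087f62-H--
Apache-Error: [file "mod_authz_core.c"] [line 884] [level 3] AH01630: client denied by server configuration: /var/www/html/xxx/server-info
Engine-Mode: "ENABLED"
--d5087f62-Z--
"""

# Assumption: SecAuditLogRelevantStatus as shipped in modsecurity.conf-recommended;
# the thread does not show the poster's actual value.
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def split_parts(entry):
    """Map part letter -> list of non-empty lines for one audit-log entry."""
    parts, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = parts.setdefault(m.group(2), [])
        elif current is not None and line:
            current.append(line)
    return parts

def triage(entry):
    """Return (status, rule_ids, verdict) for one entry."""
    parts = split_parts(entry)
    status_line = (parts.get("F") or ["HTTP/1.1 000"])[0]
    status = status_line.split()[1]
    # Rule hits appear in part H as 'Message: ... [id "NNN"] ...' lines.
    ids = [i for l in parts.get("H", []) if l.startswith("Message:")
           for i in RULE_ID.findall(l)]
    if ids:
        return status, ids, "modsecurity-rule"
    verdict = "relevant-status-only" if RELEVANT_STATUS.match(status) else "other"
    return status, ids, verdict

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the entry in this thread the verdict is `relevant-status-only`: part H carries an `Apache-Error` line but no `Message:` line, so there is no rule id to exclude.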
From: Manuel S. <spa...@gm...> - 2019-06-17 15:10:38

Hi Peter, this is not a modsecurity issue, check your Apache configuration instead and grant the access to the URL

*Apache-Error*: [file "mod_authz_core.c"] [line 884] [level 3] AH01630: *client denied by server configuration*: /var/www/html/xxx/server-info

On Mon, Jun 17, 2019 at 9:25, logo (<lo...@kr...>) wrote:

> Hi,
>
> my first time in this mailing list.
>
> I see regular 403 denied messages in the modsec_audit-Log. Is there a
> way to prevent this?
>
> --d5087f62-A--
> [17/Jun/2019:11:01:29 +0200] XQdW6W@ny6FqDbnEOUblnQAAAAQ 172.19.0.1
> 40528 172.19.0.2 443
> --d5087f62-B--
> GET /server-info HTTP/1.1
> Host: <xxx>
> Connection: keep-alive
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
> Accept-Encoding: gzip, deflate, br
> Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
>
> --d5087f62-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 9
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --d5087f62-E--
>
> --d5087f62-H--
> Apache-Error: [file "mod_authz_core.c"] [line 884] [level 3] AH01630:
> client denied by server configuration: /var/www/html/xxx/server-info
> Stopwatch: 1560762089814529 28970 (- - -)
> Stopwatch2: 1560762089814529 28970; combined=1221, p1=700, p2=0, p3=137,
> p4=180, p5=204, sr=199, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/);
> OWASP_CRS/3.1.0.
> Server: Apache
> Engine-Mode: "ENABLED"
>
> --d5087f62-Z--
>
> Apparently there is no ruleid that I could exclude.
>
> Thanks
>
> Peter

From: Reindl H. <h.r...@th...> - 2019-06-17 17:16:30

On 17.06.19 at 17:10, Manuel Spartan wrote:
> Hi Peter, this is not a modsecurity issue, check your Apache
> configuration instead and grant the access to the URL

how does access denied qualify anything to appear in the modsec logs when the 403 was not triggered by modsec itself?

From: logo <lo...@kr...> - 2019-06-17 15:21:40

Hi all,

apparently something goes wrong with the reply to... so this is my answer to Ervin's and also Manuel's private responses.

No, it is not my apache config for the server-info-URI. I want it blocked for external IPs!

Best regards

Peter

On 2019-06-17 16:24, logo wrote:
> Hi Ervin,
>
> that's the point, I've limited that access to server-info to internal
> IPs. External IPs will be blocked - as expected, but I don't need that
> in the audit-log.
>
> Best regards
>
> Peter
>
>
> On 2019-06-17 16:05, Ervin Hegedüs wrote:
>> Hi Peter,
>>
>> On Mon, Jun 17, 2019 at 03:03:27PM +0200, logo wrote:
>>> I see regular 403 denied messages in the modsec_audit-Log. Is there a
>>> way to
>>> prevent this?
>>>
>>
>> I think this is not a ModSecurity configuration issue,
>>
>>> --d5087f62-F--
>>> HTTP/1.1 403 Forbidden
>>> Content-Length: 9
>>> Keep-Alive: timeout=5, max=100
>>> Connection: Keep-Alive
>>> Content-Type: text/html; charset=iso-8859-1
>>
>> this part of the audit log (F) means the answer from the webserver is 403
>>
>>> --d5087f62-E--
>>>
>>> --d5087f62-H--
>>> Apache-Error: [file "mod_authz_core.c"] [line 884] [level 3] AH01630:
>>> client
>>> denied by server configuration: /var/www/html/xxx/server-info
>>
>> and this (H) showed the detail - your apache configuration is not
>> complete.
>>
>> Enable the server-info in that virtualhost, and the error will
>> be gone.
>>
>>
>> a.