On Monday, February 3, 2020, 7:29:47 PM GMT+1, Mike Jumper <[email protected]> wrote:

>> I'm seeing this in my logs:
>>
>> [Mon Feb 03 15:41:38.279594 2020] [:error] [pid 9250] [client 1.2.3.4:2493]
>> [client 1.2.3.4] ModSecurity: Warning. Match of "within
>> %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file
>> "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"]
>> [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data
>> "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag
>> "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
>> "attack-generic"] [tag "OWASP_CRS"] [tag
>> "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag
>> "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname
>> "gw.mydomain.org"] [uri
>> "/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"]
>> [unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/

> You can't block DELETE. Guacamole needs this method, as well as several
> others, for its REST API. The request that is being blocked
> above is an attempt to log out.

Yes, I can see this in the log right when I log out.

> If you are blocking requests based on method alone, things are likely
> breaking.

These are the "default" modsecurity rules. I need to tweak them I guess. They may be too paranoid.

> A 403 response in itself is not worrisome and doesn't mean you are being
> attacked.

I believe it's ModSecurity itself which is giving out the 403 response triggered by its rule.
In any case, I know I'm not under attack because the client IP address in the log is mine.

I guess I'll need to tune this down a bit.

Vieri
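
For the tuning discussed in this thread, an added example that is not part of the original messages: in CRS 3.x, rule 911100 compares the request method against `tx.allowed_methods`, which the optional `SecAction` 900200 in `crs-setup.conf` sets. The sketch below keeps the global default and widens the list only for the REST path seen in the log. The rule id 10001, the `/api/` prefix scope and the PUT/PATCH additions are assumptions to check against your own deployment.

```apache
# crs-setup.conf: global allowlist checked by rule 911100.
# CRS 3.x default when 900200 is left commented out: GET HEAD POST OPTIONS.
# Leaving it at the default keeps DELETE blocked outside the API paths.
SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf: loaded after crs-setup.conf
# and before REQUEST-911-METHOD-ENFORCEMENT.conf, so this value replaces
# the global one for matching requests only.
# Assumptions: id 10001 is an arbitrary local rule id; /api/ is the REST
# prefix taken from the logged URI; PUT and PATCH stand in for the
# "several others" mentioned in the thread. Confirm the actual set from
# your own 911100 log entries before widening the list.
SecRule REQUEST_URI "@beginsWith /api/" \
    "id:10001,\
     phase:1,\
     pass,\
     nolog,\
     t:none,\
     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
```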
