- As we can see, the IP address was blocked because of OWASP CRS rule id 949110:
- # grep 156.213.8.2 /var/log/lfd.log
- Nov 9 09:34:58 hosting1 lfd[1449]: (mod_security) mod_security (id:949110) triggered by 156.213.8.2 (EG/Egypt/host-156.213.2.8-static.tedata.net): 5 in the last 3600 secs - *Blocked in csf* [LF_MODSEC]
- The access denials from that rule which led to the IP address block:
- # grep 156.213.8.2 /usr/local/apache/logs/modsec_audit.log | grep 949110
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0CsjLWHjz3YKYgGA6vQAAAAk"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0JMjLWHjz3YKYgGA6vgAAAAk"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0MUV5Gbd0TMN3oXtVegAAAA0"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0PcSWlv27gYwZWPWu9wAAAAc"]
- CSF (ConfigServer Security & Firewall) is configured to work with mod_security and to block an IP address after 5 mod_security denials within 1 hour (the "5 in the last 3600 secs" in lfd.log).
- Those 5 denials counted by CSF are not the same thing as the mod_security anomaly score, which in our case also happens to equal 5.
- The denial logged with rule id 949110 is only the consequence: the request's inbound anomaly score reached the threshold (5, the CRS 3 default, as "Operator GE matched 5 at TX:anomaly_score" shows), so the blocking-evaluation rule returned 403.
- Each matching rule increases an 'anomaly score' by an amount that depends on its severity (in CRS 3: CRITICAL adds 5, ERROR 4, WARNING 3, NOTICE 2).
- At the conclusion of the inbound rules, and again at the conclusion of the outbound rules, the anomaly score is checked, and the blocking evaluation rules apply a disruptive action, by default returning an error 403.
- The full mod_security audit-log entries for the blocked IP address (including the ones from rule id 949110) are quoted further below.
- In those entries the correlation rule (id 980130) reports exactly which category added points to the total score:
- "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5)"
- So the total score is 5 and it comes entirely from SESS=5.
- Where SESS comes from:
- 2022-11-09 09:34:53 languageversion.easy-trademarks.com 156.213.8.2 500
- Request: GET /en/stripe-success?aa=222&session_id=cs_test_a19WkMENn3sVcKaa4CiI9SK8BRIzKxzyt9DYFzpX3t0tHmadUNOsnDab1Y
- Action Description: Warning.
- Justification: Operator GE matched 5 at TX:inbound_anomaly_score.
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity:
- Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
- [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"]
- [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5):
- Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"]
- [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]
- SQLI SQL injection
- XSS cross-site scripting
- RFI remote file inclusion
- LFI local file inclusion
- RCE remote code execution
- PHPI PHP injection
- HTTP HTTP violation
- SESS session fixation
- Possible Session Fixation Attack: SessionID Parameter Name with No Referer
- So this is the source of SESS=5 and therefore of Total Score=5, which is what made mod_security deny the request with 403. Rule 943120 fires when a request carries a parameter whose name looks like a session id (here Stripe's session_id=cs_test_...) and has no Referer header ("Matched Data: session_id found within REQUEST_HEADERS: 0" means the Referer header count was 0), which is what every redirect back to /en/stripe-success looks like.
- After 5 such mod_security denials, CSF (ConfigServer Security & Firewall) blocks the IP address.
- # grep 156.213.8.2 /usr/local/apache/logs/modsec_audit.log
- [09/Nov/2022:09:32:54 +0000] Y2tzxVOFdJSF0jADjRY-lgAAAAU 156.213.8.2 58862 176.9.70.216 80
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "38"] [id "943120"] [rev "2"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "2"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "OWASP_CRS/WEB_ATTACK/SESSION_FIXATION"] [tag "WASCTC/WASC-37"] [tag "CAPEC-61"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"] [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]
- [09/Nov/2022:09:34:03 +0000] Y2t0CsjLWHjz3YKYgGA6vQAAAAk 156.213.8.2 58940 176.9.70.216 80
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "38"] [id "943120"] [rev "2"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "2"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "OWASP_CRS/WEB_ATTACK/SESSION_FIXATION"] [tag "WASCTC/WASC-37"] [tag "CAPEC-61"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0CsjLWHjz3YKYgGA6vQAAAAk"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0CsjLWHjz3YKYgGA6vQAAAAk"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"] [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2t0CsjLWHjz3YKYgGA6vQAAAAk"]
- [09/Nov/2022:09:34:28 +0000] Y2t0JMjLWHjz3YKYgGA6vgAAAAk 156.213.8.2 58939 176.9.70.216 80
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "38"] [id "943120"] [rev "2"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "2"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "OWASP_CRS/WEB_ATTACK/SESSION_FIXATION"] [tag "WASCTC/WASC-37"] [tag "CAPEC-61"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0JMjLWHjz3YKYgGA6vgAAAAk"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0JMjLWHjz3YKYgGA6vgAAAAk"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"] [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2t0JMjLWHjz3YKYgGA6vgAAAAk"]
- [09/Nov/2022:09:34:42 +0000] Y2t0MUV5Gbd0TMN3oXtVegAAAA0 156.213.8.2 58965 176.9.70.216 80
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "38"] [id "943120"] [rev "2"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "2"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "OWASP_CRS/WEB_ATTACK/SESSION_FIXATION"] [tag "WASCTC/WASC-37"] [tag "CAPEC-61"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0MUV5Gbd0TMN3oXtVegAAAA0"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0MUV5Gbd0TMN3oXtVegAAAA0"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"] [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2t0MUV5Gbd0TMN3oXtVegAAAA0"]
- [09/Nov/2022:09:34:53 +0000] Y2t0PcSWlv27gYwZWPWu9wAAAAc 156.213.8.2 58982 176.9.70.216 443
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "38"] [id "943120"] [rev "2"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "2"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "OWASP_CRS/WEB_ATTACK/SESSION_FIXATION"] [tag "WASCTC/WASC-37"] [tag "CAPEC-61"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0PcSWlv27gYwZWPWu9wAAAAc"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0PcSWlv27gYwZWPWu9wAAAAc"]
- Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"] [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2t0PcSWlv27gYwZWPWu9wAAAAc"]
- I have changed the blocking time caused by mod_security rules from permanent (forever) to 3 hours,
- so after 3 hours the IP address will be unblocked automatically.
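To make the two different "fives" concrete (an anomaly score of 5 inside one request versus 5 denied requests per hour counted by CSF), here is an added Python example; it is not part of the original paste and not code from CSF, ModSecurity or the CRS project. It reparses audit-log lines in the format shown above, recomputes the per-category anomaly score the way rule 980130 reports it, and emulates LFD's LF_MODSEC counter. The sample lines are constructed (tags abridged; the second client 198.51.100.7, which only trips a WARNING-level rule for 3 points, is invented for contrast). The severity-to-points table and the threshold of 5 are the CRS 3.0 paranoia-level-1 defaults, and the 5-per-3600-seconds rule is taken from the lfd.log entry above.

```python
"""Recompute OWASP CRS 3 anomaly scores from mod_security audit-log lines and
emulate CSF/LFD's LF_MODSEC counter (N denials in a time window => IP block).
Added example; SAMPLE_AUDIT is constructed in the page's log format, not real data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CRS 3.0 paranoia-level-1 defaults: severity -> points, inbound threshold 5
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5
LF_MODSEC = 5                          # csf.conf LF_MODSEC: denials before an IP block
LF_MODSEC_WINDOW = timedelta(hours=1)  # the "in the last 3600 secs" seen in lfd.log
# CRS 3.0 attack tag -> category label used in the 980130 correlation message
TAG_TO_CATEGORY = {"attack-sqli": "SQLI", "attack-xss": "XSS", "attack-rfi": "RFI",
                   "attack-lfi": "LFI", "attack-rce": "RCE", "attack-injection-php": "PHPI",
                   "attack-protocol": "HTTP", "attack-fixation": "SESS"}

HEADER_RE = re.compile(r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\] (\S+) (\S+) \d+ \S+ \d+$")
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # [id "943120"], [severity "CRITICAL"], [tag "..."]
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")


def parse_audit(text):
    """Group audit-log lines into transactions keyed by ModSecurity unique_id."""
    tx = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # transaction header: timestamp, unique_id, client ip, ...
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            tx[m.group(2)] = {"ts": ts, "client": m.group(3), "rules": [], "denied": False}
            continue
        if "ModSecurity:" not in line:
            continue
        kv = KV_RE.findall(line)
        fields = dict(kv)
        client = CLIENT_RE.search(line)
        rec = tx.setdefault(fields["unique_id"],
                            {"ts": None, "client": client.group(1), "rules": [], "denied": False})
        rid = int(fields["id"])
        if rid == 949110:          # blocking evaluation: this is the 403 itself, adds no points
            rec["denied"] = True
        elif rid < 949000:         # detection rules (910xxx-944xxx) are what add points;
            rec["rules"].append({"id": rid, "severity": fields.get("severity", ""),
                                 "msg": fields.get("msg", ""),
                                 "tags": [v for k, v in kv if k == "tag"]})
        # anything else (980130 correlation) only reports the score and is ignored
    return tx


def inbound_score(rec):
    """Total inbound anomaly score and the per-category split that 980130 prints."""
    per_cat, total = defaultdict(int), 0
    for r in rec["rules"]:
        pts = SEVERITY_SCORE.get(r["severity"], 0)
        total += pts
        for cat in {TAG_TO_CATEGORY[t] for t in r["tags"] if t in TAG_TO_CATEGORY}:
            per_cat[cat] += pts
    return total, dict(per_cat)


def lfd_blocks(tx):
    """Emulate LFD: an IP is blocked once LF_MODSEC 403s fall inside LF_MODSEC_WINDOW."""
    denials, blocked = defaultdict(list), {}
    for rec in sorted(tx.values(), key=lambda r: r["ts"]):
        ip = rec["client"]
        if not rec["denied"] or ip in blocked:
            continue
        hits = [t for t in denials[ip] if rec["ts"] - t < LF_MODSEC_WINDOW] + [rec["ts"]]
        denials[ip] = hits
        if len(hits) >= LF_MODSEC:
            blocked[ip] = rec["ts"]
    return blocked


def _stripe_tx(uid, ts, ip):
    """One constructed transaction shaped like the page's: 943120 + 949110 + 980130."""
    return "\n".join([
        f"[{ts} +0000] {uid} {ip} 58862 176.9.70.216 80",
        f'Apache-Error: [client {ip}] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "943120"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [tag "attack-fixation"] [uri "/en/stripe-success"] [unique_id "{uid}"]',
        f'Apache-Error: [client {ip}] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "attack-generic"] [unique_id "{uid}"]',
        f'Apache-Error: [client {ip}] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SESS=5)"] [tag "event-correlation"] [unique_id "{uid}"]',
    ])


SAMPLE_AUDIT = "\n".join([
    _stripe_tx("Y2tzxVOFdJSF0jADjRY-lgAAAAU", "09/Nov/2022:09:32:54", "156.213.8.2"),
    # constructed second client that only trips a WARNING rule: 3 points, no 403
    "[09/Nov/2022:09:33:10 +0000] ctor-benign-1 198.51.100.7 40000 176.9.70.216 80",
    'Apache-Error: [client 198.51.100.7] ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [tag "attack-protocol"] [unique_id "ctor-benign-1"]',
    _stripe_tx("Y2t0CsjLWHjz3YKYgGA6vQAAAAk", "09/Nov/2022:09:34:03", "156.213.8.2"),
    _stripe_tx("Y2t0JMjLWHjz3YKYgGA6vgAAAAk", "09/Nov/2022:09:34:28", "156.213.8.2"),
    _stripe_tx("Y2t0MUV5Gbd0TMN3oXtVegAAAA0", "09/Nov/2022:09:34:42", "156.213.8.2"),
    _stripe_tx("Y2t0PcSWlv27gYwZWPWu9wAAAAc", "09/Nov/2022:09:34:53", "156.213.8.2"),
])

if __name__ == "__main__":
    tx = parse_audit(SAMPLE_AUDIT)
    for uid, rec in sorted(tx.items(), key=lambda kv: kv[1]["ts"]):
        print(rec["ts"].time(), rec["client"], inbound_score(rec), "403" if rec["denied"] else "pass")
    print("LFD blocks:", lfd_blocks(tx))
```

Running it prints one line per transaction and the IP LFD would block; the block time (09:34:53) is the fifth 949110 denial, a few seconds before the 09:34:58 lfd.log entry above. The IP is only blocked because the same 943120 hit repeats on every return to /en/stripe-success. If that traffic is legitimate Stripe Checkout redirects, the usual fix is a scoped rule exclusion (in ModSecurity 2.x, SecRuleUpdateTargetById 943120 "!ARGS:session_id", or a ctl:ruleRemoveTargetById action limited to that URI) so the 403s stop at the source; shortening the CSF block time only limits how long a customer stays locked out.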