HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


mario_antonio 3rd January 2012 21:46

ISPconfig heart beat and Modsecurity
 
I am noticing (after digging around) that the crontab that ISPConfig runs every minute generates a GET request every five minutes ...

These are the log entries:
127.0.0.1 - - [03/Jan/2012:14:25:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
127.0.0.1 - - [03/Jan/2012:14:30:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
127.0.0.1 - - [03/Jan/2012:14:35:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
127.0.0.1 - - [03/Jan/2012:14:40:02 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
127.0.0.1 - - [03/Jan/2012:14:45:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"

These requests are cluttering my Modsecurity logs:
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity_rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "29"] [id "960008"] [rev "2.2.3"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)

Is there a way to prevent ISPConfig from generating these types of requests?

M.A.

mario_antonio 4th January 2012 14:58

This is the piece of code generating those requests ....

/usr/local/ispconfig/server/lib/classes/monitor_tools.inc.php

/* Monitor Webserver */
$data['webserver'] = -1; // unknown - not needed
if ($services['web_server'] == 1) {
    if ($this->_checkTcp('localhost', 80)) {
        $data['webserver'] = 1;
    } else {
        $data['webserver'] = 0;
        $state = 'error'; // because service is down
    }
}

-----------------

private function _checkTcp($host, $port) {
    /* Try to open a connection */
    $fp = @fsockopen($host, $port, $errno, $errstr, 2);

    if ($fp) {
        /*
         * We got a connection, this means, everything is O.K.
         * But maybe we are able to do more deep testing?
         */
        if ($port == 80) {
            /*
             * Port 80 means, testing APACHE
             * So we can do a deeper test and try to get data over this connection.
             * (if apache hangs, we get a connection but a timeout by trying to GET the data!)
             */
            fwrite($fp, "GET / HTTP/1.0\r\n\r\n");
            stream_set_timeout($fp, 5); // Timeout after 5 seconds
            $res = fread($fp, 10); // try to get 10 bytes (enough to test!)
            $info = stream_get_meta_data($fp);
            if ($info['timed_out']) {
                return false; // Apache was not able to send data over this connection
            }
        }

        /* The connection is no longer needed */
        fclose($fp);
------------------

till 4th January 2012 15:18

Replace line:

Code:

fwrite($fp, "GET / HTTP/1.0\r\n\r\n");
with:

Code:

$out = "GET / HTTP/1.1\r\n";
$out .= "Host: localhost\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);


mario_antonio 4th January 2012 15:52

Till,

Thanks for the suggestion (it worked!)

But to keep ModSecurity happy, I had to add the User-Agent header too ...

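$out = "GET / HTTP/1.1\r\n"; // request line from the previous post
$out .= "Host: localhost\r\n";
$out .= "User-Agent: IspConfig Monitor\r\n"; // added so the probe also carries a User-Agent
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);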

M.A.
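
Added example (not part of the original thread, and not ModSecurity or ISPConfig code): a small Python model of the header checks discussed above, run over the three probe requests that appear in the thread. It assumes a check fires when the named header occurs zero times, as the logged "Operator EQ matched 0 at REQUEST_HEADERS" indicates for Host; `parse_request` and `missing_headers` are hypothetical names.

```python
# Added example: a simplified model of the header-count checks from the
# thread. Not ModSecurity or ISPConfig code; function names are hypothetical.

# The three probe requests that appear in the thread.
ORIGINAL = b"GET / HTTP/1.0\r\n\r\n"
WITH_HOST = b"GET / HTTP/1.1\r\nHost: localhost\r\nConnection: Close\r\n\r\n"
WITH_HOST_AND_UA = (
    b"GET / HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"User-Agent: IspConfig Monitor\r\n"
    b"Connection: Close\r\n\r\n"
)

# Assumption: a check fires when the named header occurs zero times.
REQUIRED = ("host", "user-agent")


def parse_request(raw):
    """Split a raw request head into (request_line, {header: [values]})."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head is not terminated by an empty line")
    lines = head.decode("iso-8859-1").split("\r\n")
    if len(lines[0].split(" ")) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        # Header names are case-insensitive; repeated headers are counted.
        headers.setdefault(name.lower(), []).append(value.strip())
    return lines[0], headers


def missing_headers(raw, required=REQUIRED):
    """Return the required headers that occur zero times in the request."""
    _line, headers = parse_request(raw)
    return [name for name in required if not headers.get(name)]


if __name__ == "__main__":
    for label, raw in (("original probe", ORIGINAL),
                       ("with Host", WITH_HOST),
                       ("with Host and User-Agent", WITH_HOST_AND_UA)):
        print("%-26s missing: %s" % (label, missing_headers(raw) or "none"))
```

Running the same function over any other monitoring probe before deploying it shows whether it would add to the WAF log noise.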

