ISPconfig heart beat and Modsecurity

Discussion in 'Installation/Configuration' started by mario_antonio, Jan 3, 2012.

  1. mario_antonio

    mario_antonio New Member

    I am noticing (after digging around) that the crontab that ISPConfig runs every minute generates a GET request every five minutes ...

    These are the log entries:
    127.0.0.1 - - [03/Jan/2012:14:25:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
    127.0.0.1 - - [03/Jan/2012:14:30:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
    127.0.0.1 - - [03/Jan/2012:14:35:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
    127.0.0.1 - - [03/Jan/2012:14:40:02 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
    127.0.0.1 - - [03/Jan/2012:14:45:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"

    These requests are cluttering my Modsecurity logs:
    Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity_rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "29"] [id "960008"] [rev "2.2.3"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
    Action: Intercepted (phase 2)

    Is there a way to prevent ISPConfig from generating this type of request?

    M.A.
     
  2. mario_antonio

    mario_antonio New Member

    This is the piece of code generating those requests ....

    /usr/local/ispconfig/server/lib/classes/monitor_tools.inc.php

    /* Monitor Webserver */
    $data['webserver'] = -1; // unknown - not needed
    if ($services['web_server'] == 1) {
        if ($this->_checkTcp('localhost', 80)) {
            $data['webserver'] = 1;
        } else {
            $data['webserver'] = 0;
            $state = 'error'; // because service is down
        }
    }

    -----------------

    private function _checkTcp($host, $port) {
        /* Try to open a connection */
        $fp = @fsockopen($host, $port, $errno, $errstr, 2);

        if ($fp) {
            /*
             * We got a connection, this means, everything is O.K.
             * But maybe we are able to do more deep testing?
             */
            if ($port == 80) {
                /*
                 * Port 80 means, testing APACHE
                 * So we can do a deeper test and try to get data over this connection.
                 * (if apache hangs, we get a connection but a timeout by trying to GET the data!)
                 */
                fwrite($fp, "GET / HTTP/1.0\r\n\r\n");
                stream_set_timeout($fp, 5); // Timeout after 5 seconds
                $res = fread($fp, 10); // try to get 10 bytes (enough to test!)
                $info = stream_get_meta_data($fp);
                if ($info['timed_out']) {
                    return false; // Apache was not able to send data over this connection
                }
            }

            /* The connection is no longer needed */
            fclose($fp);
    ------------------
     
  3. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Replace line:

    Code:
    fwrite($fp, "GET / HTTP/1.0\r\n\r\n");
    with:

    Code:
    $out = "GET / HTTP/1.1\r\n";
    $out .= "Host: localhost\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
     
  4. mario_antonio

    mario_antonio New Member

    Till,

    Thanks for the suggestion (it worked!)

    But to keep ModSecurity happy, I had to add the User-Agent header too ...

    $out .= "Host: localhost\r\n";
    $out .= "User-Agent: IspConfig Monitor\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);

    M.A.
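
Added example (not part of the thread and not ISPConfig code): a Python script that confirms from the Apache access log that blocked requests like the ones in the first post come from a fixed-interval local probe, by grouping HTTP/1.0 requests with an empty User-Agent and checking their spacing. The function name, the thresholds and the one external log line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache combined format: the five probe lines quoted in
# the first post plus one made-up external request for contrast.
SAMPLE_LOG = """\
127.0.0.1 - - [03/Jan/2012:14:25:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
127.0.0.1 - - [03/Jan/2012:14:30:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
127.0.0.1 - - [03/Jan/2012:14:35:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
127.0.0.1 - - [03/Jan/2012:14:40:02 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
127.0.0.1 - - [03/Jan/2012:14:45:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
203.0.113.7 - - [03/Jan/2012:14:31:12 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def find_periodic_probes(log_text, min_hits=3, jitter=5):
    """Return (ip, request, status) groups that recur at a steady interval."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        # Heuristic: the access log does not record the Host header, so
        # HTTP/1.0 plus an empty User-Agent stands in for "bare request".
        if m["req"].endswith("HTTP/1.0") and m["ua"] == "-":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            groups[(m["ip"], m["req"], int(m["status"]))].append(ts)

    findings = []
    for (ip, req, status), stamps in sorted(groups.items()):
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        # Periodic: every gap lies within `jitter` seconds of the median gap.
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= jitter for g in gaps):
            findings.append({"ip": ip, "request": req, "status": status,
                             "hits": len(stamps), "interval_s": median})
    return findings

if __name__ == "__main__":
    for finding in find_periodic_probes(SAMPLE_LOG):
        print(finding)
```

Running the same check after the monitor sends `Host` and `User-Agent` headers should return no findings for 127.0.0.1, since the probe no longer matches the bare-request heuristic.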
     
