Hello MSCRS project,
First some particulars:
ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
Apache/2.4.54 (Debian) OpenSSL/1.1.1n configured
OWASP ModSecurity Core Rule Set ver.3.3.0
---
Is it possible to block this request without eliminating POST in the
REQUEST_METHOD as there is a contact form on the website that I would
like to re-enable if I can get this issue resolved?
Rule currently in use:
SecRule REQUEST_METHOD "!@within GET PUT HEAD" \
    "id:20000,\
    phase:1,\
    deny,\
    msg:'Method is not allowed by policy',\
    logdata:'%{MATCHED_VAR}'"
The Host: 178.128.49.167 = digitalocean.com
(The Host: 178.128.49.167 is not my domain.)
I tried using the CRS rule "HOST is a numeric IP address", but that didn't
work for this either.
User-Agent: Go-http-client/1.1
I tried blocking User-Agent: Go-http-client/1.1, or contains
"User-Agent: Go-http-client/1.1", to no avail.
It's probably not a good idea to block User-Agent: Go-http-client/1.1
From modsec_audit.log:
--0bd08e63-A--
[03/Jan/2023:05:22:02 --0500] Y7QBylFoG80HkkPDqIPWiAAAAAM 94.130.75.179 26872 xxx.xxx.xxx.xxx 443
--0bd08e63-B--
POST / HTTP/1.1
Host: 178.128.49.167
User-Agent: Go-http-client/1.1
Content-Length: 1069
Content-Type: image/jpeg
Cookie: fr=zdpB50+8ojXA7QXzsGX37HUiQUr8PQK/KcTWAlzK1L4R2jShzH/wHfymaHOTVNK/uxR+WAhUZl7a7nP+yCPvE7aIg4iohISk2CNHmRE4BMltoeLIn7+MamqM5TXScmXIOIhg31EOQulG+JMQ4kj5BmbQoh3JEx3IfiqfqgSsHEJAwmScRc9gFK2ct00HiDJUloe7MRfg6+ZLxLcgQygCL3zhrJ2xrhrZnLcRSrzbhdKDWx2E6Gf5KMrBHlmufQ8DMlRFwkzxVX//JnlZRzLJLmG0rSP05jkvmsj6Sb8ukK8JGqottxThvJdYEZepo1jckybTdQfOjSJESGHFWDECh2fh+YQygANMQB0tQNmogewU44ODMzcL5C7/tn9esi9GxmS2tJDSxz0ovsrRGqFQZT/F86Z8qBUXPaQ=
X-Psiphon-Fronting-Address: 178.128.49.167
Accept-Encoding: gzip
^ Additionally, POSTs with payload types application/octet-stream, mpeg and
image/jpeg.
--0bd08e63-F--
HTTP/1.1 403 Forbidden
Content-Length: 280
Content-Type: text/html; charset=iso-8859-1
--0bd08e63-H--
Message: Access denied with code 403 (phase 1). Match of "within GET PUT HEAD" against "REQUEST_METHOD" required.
Thank you in advance for any and all help with this.
Steve King
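Editor's note, added here as an example and not part of the original post. The rules below show one way to keep POST open for the contact form while rejecting the request in the audit log above. They key on what actually distinguishes that request from a legitimate form submission: its Host header is a bare IP address that is not this site's name, and it carries an X-Psiphon-Fronting-Address header. Two things to bear in mind: CRS 3.3 rule 920350 ("Host header is a numeric IP address") only adds a warning-level anomaly score (3 by default) against a default inbound threshold of 5, so in the default anomaly-scoring mode it does not block on its own; and a phase-1 deny with a low rule id runs before any CRS rule can act. The ids 20001 and 20002 and the hostname example.com are assumptions; edit them to match the site.

```apache
# Method policy: same as rule 20000, but with POST added to the allow-list so
# the contact form can be re-enabled. Anything else (OPTIONS, TRACE, ...) is
# still denied in phase 1.
SecRule REQUEST_METHOD "!@within GET POST PUT HEAD" \
    "id:20000,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    msg:'Method is not allowed by policy',\
    logdata:'%{MATCHED_VAR}'"

# POST is only accepted when the Host header names this site. A request
# addressed to a bare IP (as in the audit log) or to a foreign name is denied.
# ASSUMPTION: the site answers as example.com / www.example.com; the optional
# :443 covers clients that append the port. Replace with your own ServerName.
SecRule REQUEST_METHOD "@streq POST" \
    "id:20001,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    chain,\
    msg:'POST with foreign or numeric Host header rejected by policy',\
    logdata:'Host=%{REQUEST_HEADERS.Host} UA=%{REQUEST_HEADERS.User-Agent}'"
    # Chained rule: the disruptive action lives on the first rule above;
    # this one only supplies the second condition (Host is not our name).
    SecRule REQUEST_HEADERS:Host "!@rx (?i)^(?:www\.)?example\.com(?::443)?$" \
        "t:none"

# The logged request also carries a domain-fronting header that no browser
# form submission sends. '&' counts how many matching headers exist, so
# '@gt 0' means "header present", regardless of its value.
SecRule &REQUEST_HEADERS:X-Psiphon-Fronting-Address "@gt 0" \
    "id:20002,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    msg:'Domain-fronting header present',\
    logdata:'%{REQUEST_HEADERS.X-Psiphon-Fronting-Address}'"
```

Put these in the same file that currently holds rule 20000 (they replace it), then check the Apache configuration with `apachectl configtest` before reloading. With these in place the POST in the audit log is denied by 20001 (Host is 178.128.49.167, not the site's name) and again by 20002, while a POST from the contact form, which a browser sends with the site's own hostname in Host and without the fronting header, passes through to the CRS rules as before. The User-Agent is deliberately not used: Go-http-client is trivial for the sender to change and is also used by legitimate monitoring tools.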