Author Topic: Email forwards blocked by Mod security  (Read 8481 times)

0 Members and 1 Guest are viewing this topic.

Offline
**
Email forwards blocked by Mod security
« on: September 01, 2020, 09:26:14 AM »
Tue Sep 01 11:19:15.874034 2020] [:error] [pid 9479:tid 140529090119424] [client 103.254.128.138:44756] [client 103.254.128.138] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 30)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "hosting.siteurl.in"] [uri "/roundcube/"] [unique_id "X04SE88kQmL3N7OFlphB2wAAANA"], referer: https://hosting.siteurl.in/roundcube/?_task=mail&_action=compose&_id=12342351165f4e1207b5e66


When I forward few html emails, I get the above error.

I have even deactivated the mod security for the client account.

Please help fixing this.

Re: Email forwards blocked by Mod security
« Reply #1 on: September 01, 2020, 10:28:13 AM »
Mod_security is used for a very good reason: WAF! Disable at your own peril.
Actually read the error message; it does help.
Just use the GUI to disable the rule identified by  [id "949110"]  - easy.

Offline
**
Re: Email forwards blocked by Mod security
« Reply #2 on: September 01, 2020, 12:18:06 PM »
Thank you. But the momemt I add and save this id in disabled rules apache is crashing

Sep 01 14:15:46 hosting.siteurl.in apachectl[13000]: AH00526: Syntax error on line 2 of /usr/local/apache/modsecurity-owasp-latest/global_disabled_rules.conf:
Sep 01 14:15:46 hosting.siteurl.in apachectl[13000]: Invalid command '949110', perhaps misspelled or defined by a module not included in the server configuration
Sep 01 14:15:46 hosting.siteurl.in systemd[1]: httpd.service: control process exited, code=exited status=1
Sep 01 14:15:46 hosting.siteurl.in systemd[1]: Failed to start Web server Apache.

Offline
**
Re: Email forwards blocked by Mod security
« Reply #3 on: September 01, 2020, 12:26:13 PM »
Resolved. Thank you

I added

    SecRuleRemoveById 949110