I am noticing (after digging around) that the crontab that ISPConfig runs every minute generates a GET request every five minutes ...

These are the log entries:

    127.0.0.1 - - [03/Jan/2012:14:25:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
    127.0.0.1 - - [03/Jan/2012:14:30:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
    127.0.0.1 - - [03/Jan/2012:14:35:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
    127.0.0.1 - - [03/Jan/2012:14:40:02 -0500] "GET / HTTP/1.0" 403 389 "-" "-"
    127.0.0.1 - - [03/Jan/2012:14:45:01 -0500] "GET / HTTP/1.0" 403 389 "-" "-"

These requests are cluttering my ModSecurity logs:

    Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/modsecurity_rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "29"] [id "960008"] [rev "2.2.3"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
    Action: Intercepted (phase 2)

Is there a way to prevent ISPConfig from generating these types of requests?

M.A.
This is the piece of code generating those requests ....

/usr/local/ispconfig/server/lib/classes/monitor_tools.inc.php

    /* Monitor Webserver */
    $data['webserver'] = -1; // unknown - not needed
    if ($services['web_server'] == 1) {
        if ($this->_checkTcp('localhost', 80)) {
            $data['webserver'] = 1;
        } else {
            $data['webserver'] = 0;
            $state = 'error'; // because service is down
        }
    }

    -----------------

    private function _checkTcp($host, $port) {
        /* Try to open a connection */
        $fp = @fsockopen($host, $port, $errno, $errstr, 2);
        if ($fp) {
            /*
             * We got a connection, this means, everything is O.K.
             * But maybe we are able to do more deep testing?
             */
            if ($port == 80) {
                /*
                 * Port 80 means, testing APACHE
                 * So we can do a deeper test and try to get data over this connection.
                 * (if apache hangs, we get a connection but a timeout by trying to GET the data!)
                 */
                fwrite($fp, "GET / HTTP/1.0\r\n\r\n");
                stream_set_timeout($fp, 5); // Timeout after 5 seconds
                $res = fread($fp, 10); // try to get 10 bytes (enough to test!)
                $info = stream_get_meta_data($fp);
                if ($info['timed_out']) {
                    return false; // Apache was not able to send data over this connection
                }
            }
            /* The connection is no longer needed */
            fclose($fp);

    ------------------
Replace line:

Code:

    fwrite($fp, "GET / HTTP/1.0\r\n\r\n");

with:

Code:

    $out = "GET / HTTP/1.1\r\n";
    $out .= "Host: localhost\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
Till,

Thanks for the suggestion (it worked!). But to keep ModSecurity happy, I had to add the User-Agent header too ...

    $out .= "Host: localhost\r\n";
    $out .= "User-Agent: IspConfig Monitor\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);

M.A.