Hi
I'm currently deploying a Zabbix 4 server on Ubuntu 18.04 using Apache 2.4. In order to harden its defenses, I'm activating the ModSecurity Apache module already available in the Ubuntu repo.
So far, it's working fine for the majority of browsing and utilization duties, but it looks like there is something strange when trying to include new actions on the configuration panel.
I'm getting an access denied HTTP message, and could not proceed further.
While looking into the Apache error log, I could find the following errors. I could not determine further information yet, but I found those messages about a protocol attack very suspicious. It looks like some extra CR/LF chars have been found in the request headers of the HTTP request.
[Wed Apr 17 20:13:42.224214 2019] [:error] [pid 10459] [client xxx.xxx.xxx.xxx:52361] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=10,SESS =0): HTTP Header Injection Attack via payload (CR/LF and header-name detected)"] [tag "event-correlation"] [hostname "zabbix"] [uri "/actionconf.php"] [unique_id "XLeI9h2JhbRRR5zRhNVh0wAAAAA"], referer: https://zabbix/actionconf.php
[Wed Apr 17 20:13:54.526702 2019] [:error] [pid 10707] [client xxx.xxx.xxx.xxx:11901] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Pattern match "(?:\\\\n|\\\\r)+(?:\\\\s+|location|refresh|(? :set-)?cookie|(X-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\\\s*:" at ARGS:def_longdata. [file "/usr/share/modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "241"] [id "921160"] [rev "1"] [msg "HTTP Header Injection Attack via payload (CR/LF and header-name detected)"] [data "Matched Data: \\x0d\\x0ahost: found within ARGS:def_longdata: problem started at {event.time} on {event.date}\\x0d\\x0aproblem name: {event.name}\\x0d\\x0ahost: {host.name}\\x0d\\x0aseverity: {event.severity}\\x0d\\x0a\\x0d\\x0aoriginal problem id: {event.id}\\x0d\\x0a{trigger.url}"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "5"] [accuracy "5"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [hostname "zabbix"] [uri "/actionconf.php"] [unique_id "XLeJAkhGbSrZt@7Crni1UAAAAAQ"], referer: https://zabbix/actionconf.php
[Wed Apr 17 20:13:54.526921 2019] [:error] [pid 10707] [client xxx.xxx.xxx.xxx:11901] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Pattern match "(?:\\\\n|\\\\r)+(?:\\\\s+|location|refresh|(? :set-)?cookie|(X-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\\\s*:" at ARGS:r_longdata. [file "/usr/share/modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "241"] [id "921160"] [rev "1"] [msg "HTTP Header Injection Attack via payload (CR/LF and header-name detected)"] [data "Matched Data: \\x0d\\x0ahost: found within ARGS:r_longdata: problem has been resolved at {event.recovery.time} on {event.recovery.date}\\x0d\\x0aproblem name: {event.name}\\x0d\\x0ahost: {host.name}\\x0d\\x0aseverity: {event.severity}\\x0d\\x0a\\x0d\\x0aoriginal problem id: {event.id}\\x0d\\x0a{trigger.url}"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "5"] [accuracy "5"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [hostname "zabbix"] [uri "/actionconf.php"] [unique_id "XLeJAkhGbSrZt@7Crni1UAAAAAQ"], referer: https://zabbix/actionconf.php
"HTTP Header Injection Attack via payload (CR/LF and header-name detected)"
Could anyone with additional experience in ModSecurity give me additional directions on what could be happening? This install is brand new.
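The log lines above show that CRS rule 921160 did not match real request headers but the Zabbix message template submitted in the form fields ARGS:def_longdata and ARGS:r_longdata on /actionconf.php, where CR/LF followed by "host:" is legitimate template content. The following is an added example of a narrowly scoped exclusion, not configuration from the original post or from the Zabbix project; the rule id 10001 and the assumption that Apache loads this file before the CRS rule files are mine.

```apache
# Added example (not from the original post): scoped ModSecurity CRS exclusion
# for the Zabbix action-configuration form. Rule id 921160, the URI and the
# argument names are taken from the error log above; id 10001 is a constructed
# placeholder. This must be loaded BEFORE the CRS rules so the ctl actions are
# in effect when 921160 runs in phase 2 (CRS 3.x ships an
# "exclusion rules before CRS" file for exactly this purpose).
<IfModule security2_module>
    # @beginsWith rather than @streq, because REQUEST_URI includes any query
    # string (e.g. an actionid parameter when editing an existing action).
    # Only rule 921160 is affected, and only for the two template fields on
    # this one page; every other argument and URI remain fully inspected.
    SecRule REQUEST_URI "@beginsWith /actionconf.php" \
        "id:10001,phase:1,pass,nolog,t:none,\
        ctl:ruleRemoveTargetById=921160;ARGS:def_longdata,\
        ctl:ruleRemoveTargetById=921160;ARGS:r_longdata"
</IfModule>
```

After reloading Apache, the same save on /actionconf.php should no longer raise 921160 or push the inbound anomaly score over the threshold in 980130, while a CR/LF sequence in any other parameter is still reported.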